442 files changed, 18403 insertions, 13458 deletions

diff --git a/lib/libcrypto/Makefile.ssl b/lib/libcrypto/Makefile.ssl
index 2fcbf185459..cab75d9f802 100644
--- a/lib/libcrypto/Makefile.ssl
+++ b/lib/libcrypto/Makefile.ssl
@@ -34,8 +34,8 @@ SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
-LIBSRC=	cryptlib.c mem.c cversion.c ex_data.c tmdiff.c cpt_err.c
-LIBOBJ= cryptlib.o mem.o cversion.o ex_data.o tmdiff.o cpt_err.o
+LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
 
 SRC= $(LIBSRC)
 
@@ -57,6 +57,11 @@ buildinf.h: ../Makefile.ssl
 	echo "  #define DATE \"`date`\""; \
 	echo "#endif" ) >buildinf.h
 
+testapps:
+	if echo ${SDIRS} | fgrep ' des '; \
+	then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi
+	cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
+
 subdirs:
 	@for i in $(SDIRS) ;\
 	do \
@@ -122,7 +127,7 @@ lint:
 	done;
 
 depend:
-	if [ ! -e buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
+	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
 	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(SDIRS) ;\
@@ -151,29 +156,40 @@ dclean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 cpt_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
-cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/stack.h
+cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cpt_err.o: ../include/openssl/stack.h
 cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cryptlib.o: ../include/openssl/stack.h cryptlib.h
+cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cryptlib.o: cryptlib.h
 cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cversion.o: ../include/openssl/stack.h buildinf.h cryptlib.h
+cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cversion.o: buildinf.h cryptlib.h
 ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-ex_data.o: ../include/openssl/opensslv.h ../include/openssl/stack.h cryptlib.h
+ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+ex_data.o: ../include/openssl/stack.h cryptlib.h
 mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-mem.o: ../include/openssl/opensslv.h ../include/openssl/stack.h cryptlib.h
+mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h cryptlib.h
+mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+mem_dbg.o: ../include/openssl/stack.h cryptlib.h
 tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-tmdiff.o: ../include/openssl/stack.h ../include/openssl/tmdiff.h cryptlib.h
+tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
diff --git a/lib/libcrypto/asn1/Makefile.ssl b/lib/libcrypto/asn1/Makefile.ssl
index 5d668411f6a..a17a713a75a 100644
--- a/lib/libcrypto/asn1/Makefile.ssl
+++ b/lib/libcrypto/asn1/Makefile.ssl
@@ -23,34 +23,34 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
-	a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \
-	a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c \
+	a_null.c a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \
+	a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c \
 	x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \
-	x_name.c x_cinf.c x_x509.c x_crl.c x_info.c x_spki.c nsseq.c \
+	x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
 	d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \
 	d2i_s_pr.c i2d_s_pr.c d2i_s_pu.c i2d_s_pu.c \
 	d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
-	t_req.c t_x509.c t_crl.c t_pkey.c \
+	t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \
 	p7_i_s.c p7_signi.c p7_signd.c p7_recip.c p7_enc_c.c p7_evp.c \
 	p7_dgst.c p7_s_e.c p7_enc.c p7_lib.c \
 	f_int.c f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c d2i_dsap.c n_pkey.c \
 	f_enum.c a_hdr.c x_pkey.c a_bool.c x_exten.c \
-	asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c \
+	asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \
 	evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c
 LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
-	a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \
-	a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o \
+	a_null.o a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \
+	a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o \
 	x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \
-	x_name.o x_cinf.o x_x509.o x_crl.o x_info.o x_spki.o nsseq.o \
+	x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
 	d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \
 	d2i_s_pr.o i2d_s_pr.o d2i_s_pu.o i2d_s_pu.o \
 	d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
-	t_req.o t_x509.o t_crl.o t_pkey.o \
+	t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \
 	p7_i_s.o p7_signi.o p7_signd.o p7_recip.o p7_enc_c.o p7_evp.o \
 	p7_dgst.o p7_s_e.o p7_enc.o p7_lib.o \
 	f_int.o f_string.o i2d_dhp.o i2d_dsap.o d2i_dhp.o d2i_dsap.o n_pkey.o \
 	f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o \
-	asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o \
+	asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \
 	evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o
 
 SRC= $(LIBSRC)
@@ -160,11 +160,13 @@ a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 a_digest.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
 a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 a_digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
-a_digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-a_digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-a_digest.o: ../../include/openssl/stack.h ../cryptlib.h
+a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+a_digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+a_digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+a_digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_digest.o: ../cryptlib.h
 a_dup.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 a_dup.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 a_dup.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -207,6 +209,13 @@ a_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 a_int.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_int.o: ../cryptlib.h
+a_mbstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_mbstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_mbstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_mbstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_mbstr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_mbstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_mbstr.o: ../cryptlib.h
 a_meth.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_meth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
@@ -214,6 +223,13 @@ a_meth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_meth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 a_meth.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_meth.o: ../cryptlib.h
+a_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_null.o: ../cryptlib.h
 a_object.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_object.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 a_object.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
@@ -259,6 +275,13 @@ a_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 a_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 a_sign.o: ../cryptlib.h
+a_strnid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_strnid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_strnid.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_strnid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_strnid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_strnid.o: ../../include/openssl/stack.h ../cryptlib.h
 a_time.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_time.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
@@ -788,6 +811,24 @@ p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
 p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+t_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+t_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
 t_crl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -812,15 +853,17 @@ t_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 t_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 t_pkey.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 t_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-t_pkey.o: ../../include/openssl/stack.h ../cryptlib.h
+t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+t_pkey.o: ../cryptlib.h
 t_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 t_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-t_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-t_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-t_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-t_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_req.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+t_req.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+t_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_req.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 t_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 t_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
@@ -829,7 +872,24 @@ t_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 t_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_req.o: ../cryptlib.h
+t_req.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_spki.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 t_x509.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 t_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -848,6 +908,23 @@ t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h
+t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+t_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+t_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 x_algor.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 x_algor.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -1088,3 +1165,20 @@ x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x_x509.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
 x_x509.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
diff --git a/lib/libcrypto/asn1/a_bitstr.c b/lib/libcrypto/asn1/a_bitstr.c
index 38ea802be81..c77456b315b 100644
--- a/lib/libcrypto/asn1/a_bitstr.c
+++ b/lib/libcrypto/asn1/a_bitstr.c
@@ -60,6 +60,15 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_BIT_STRING *ASN1_BIT_STRING_new(void)
+{ return M_ASN1_BIT_STRING_new(); }
+
+void ASN1_BIT_STRING_free(ASN1_BIT_STRING *x)
+{ M_ASN1_BIT_STRING_free(x); }
+
+int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
+{ return M_ASN1_BIT_STRING_set(x, d, len); }
+
 int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	{
 	int ret,j,r,bits,len;
@@ -121,7 +130,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 
 	if ((a == NULL) || ((*a) == NULL))
 		{
-		if ((ret=ASN1_BIT_STRING_new()) == NULL) return(NULL);
+		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
 		}
 	else
 		ret=(*a);
@@ -164,7 +173,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 		s=NULL;
 
 	ret->length=(int)len;
-	if (ret->data != NULL) Free((char *)ret->data);
+	if (ret->data != NULL) Free(ret->data);
 	ret->data=s;
 	ret->type=V_ASN1_BIT_STRING;
 	if (a != NULL) (*a)=ret;
@@ -173,7 +182,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 err:
 	ASN1err(ASN1_F_D2I_ASN1_BIT_STRING,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		ASN1_BIT_STRING_free(ret);
+		M_ASN1_BIT_STRING_free(ret);
 	return(NULL);
 	}
 
diff --git a/lib/libcrypto/asn1/a_bmp.c b/lib/libcrypto/asn1/a_bmp.c
index 6075871984f..d9ac5a0475b 100644
--- a/lib/libcrypto/asn1/a_bmp.c
+++ b/lib/libcrypto/asn1/a_bmp.c
@@ -60,6 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_BMPSTRING *ASN1_BMPSTRING_new(void)
+{ return M_ASN1_BMPSTRING_new(); }
+
+void ASN1_BMPSTRING_free(ASN1_BMPSTRING *x)
+{ M_ASN1_BMPSTRING_free(x); }
+
 int i2d_ASN1_BMPSTRING(ASN1_BMPSTRING *a, unsigned char **pp)
 	{
 	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
diff --git a/lib/libcrypto/asn1/a_bytes.c b/lib/libcrypto/asn1/a_bytes.c
index e452e03b88f..8cde6958040 100644
--- a/lib/libcrypto/asn1/a_bytes.c
+++ b/lib/libcrypto/asn1/a_bytes.c
@@ -71,7 +71,7 @@ B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,0,
 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN,
 	};
 
-static int asn1_collate_primative(ASN1_STRING *a, ASN1_CTX *c);
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c);
 /* type is a 'bitmap' of acceptable string types.
  */
 ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
@@ -124,7 +124,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
 	else
 		s=NULL;
 
-	if (ret->data != NULL) Free((char *)ret->data);
+	if (ret->data != NULL) Free(ret->data);
 	ret->length=(int)len;
 	ret->data=s;
 	ret->type=tag;
@@ -205,7 +205,7 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 		c.tag=Ptag;
 		c.xclass=Pclass;
 		c.max=(length == 0)?0:(p+length);
-		if (!asn1_collate_primative(ret,&c)) 
+		if (!asn1_collate_primitive(ret,&c)) 
 			goto err; 
 		else
 			{
@@ -218,8 +218,8 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 			{
 			if ((ret->length < len) || (ret->data == NULL))
 				{
-				if (ret->data != NULL) Free((char *)ret->data);
-				s=(unsigned char *)Malloc((int)len);
+				if (ret->data != NULL) Free(ret->data);
+				s=(unsigned char *)Malloc((int)len + 1);
 				if (s == NULL)
 					{
 					i=ERR_R_MALLOC_FAILURE;
@@ -229,12 +229,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 			else
 				s=ret->data;
 			memcpy(s,p,(int)len);
+			s[len] = '\0';
 			p+=len;
 			}
 		else
 			{
 			s=NULL;
-			if (ret->data != NULL) Free((char *)ret->data);
+			if (ret->data != NULL) Free(ret->data);
 			}
 
 		ret->length=(int)len;
@@ -253,11 +254,11 @@ err:
 	}
 
 
-/* We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapes
- * them into the one struture that is then returned */
+/* We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapse
+ * them into the one structure that is then returned */
 /* There have been a few bug fixes for this function from
  * Paul Keogh <paul.keogh@sse.ie>, many thanks to him */
-static int asn1_collate_primative(ASN1_STRING *a, ASN1_CTX *c)
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 	{
 	ASN1_STRING *os=NULL;
 	BUF_MEM b;
diff --git a/lib/libcrypto/asn1/a_digest.c b/lib/libcrypto/asn1/a_digest.c
index 8c45add5576..3370aae998d 100644
--- a/lib/libcrypto/asn1/a_digest.c
+++ b/lib/libcrypto/asn1/a_digest.c
@@ -58,16 +58,19 @@
 
 #include <stdio.h>
 #include <time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 
 #include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
 
-int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md,
-	     unsigned int *len)
+int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
+		unsigned char *md, unsigned int *len)
 	{
 	EVP_MD_CTX ctx;
 	int i;
diff --git a/lib/libcrypto/asn1/a_dup.c b/lib/libcrypto/asn1/a_dup.c
index c0a8709f3b4..3202a816d0a 100644
--- a/lib/libcrypto/asn1/a_dup.c
+++ b/lib/libcrypto/asn1/a_dup.c
@@ -78,6 +78,6 @@ char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
 	i=i2d(x,&p);
 	p= b;
 	ret=d2i(NULL,&p,i);
-	Free((char *)b);
+	Free(b);
 	return(ret);
 	}
diff --git a/lib/libcrypto/asn1/a_enum.c b/lib/libcrypto/asn1/a_enum.c
index 9239ecc439a..ccf62e5a044 100644
--- a/lib/libcrypto/asn1/a_enum.c
+++ b/lib/libcrypto/asn1/a_enum.c
@@ -65,6 +65,12 @@
  * for comments on encoding see a_int.c
  */
 
+ASN1_ENUMERATED *ASN1_ENUMERATED_new(void)
+{ return M_ASN1_ENUMERATED_new(); }
+
+void ASN1_ENUMERATED_free(ASN1_ENUMERATED *x)
+{ M_ASN1_ENUMERATED_free(x); }
+
 int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
 	{
 	int pad=0,ret,r,i,t;
@@ -142,7 +148,7 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 
 	if ((a == NULL) || ((*a) == NULL))
 		{
-		if ((ret=ASN1_ENUMERATED_new()) == NULL) return(NULL);
+		if ((ret=M_ASN1_ENUMERATED_new()) == NULL) return(NULL);
 		ret->type=V_ASN1_ENUMERATED;
 		}
 	else
@@ -171,7 +177,12 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 		goto err;
 		}
 	to=s;
-	if (*p & 0x80) /* a negative number */
+	if(!len) {
+		/* Strictly speaking this is an illegal ENUMERATED but we
+		 * tolerate it.
+		 */
+		ret->type=V_ASN1_ENUMERATED;
+	} else if (*p & 0x80) /* a negative number */
 		{
 		ret->type=V_ASN1_NEG_ENUMERATED;
 		if ((*p == 0xff) && (len != 1)) {
@@ -208,7 +219,7 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 		p+=len;
 	}
 
-	if (ret->data != NULL) Free((char *)ret->data);
+	if (ret->data != NULL) Free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -217,7 +228,7 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 err:
 	ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		ASN1_ENUMERATED_free(ret);
+		M_ASN1_ENUMERATED_free(ret);
 	return(NULL);
 	}
 
@@ -231,7 +242,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 	if (a->length < (sizeof(long)+1))
 		{
 		if (a->data != NULL)
-			Free((char *)a->data);
+			Free(a->data);
 		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
 			memset((char *)a->data,0,sizeof(long)+1);
 		}
@@ -295,7 +306,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	int len,j;
 
 	if (ai == NULL)
-		ret=ASN1_ENUMERATED_new();
+		ret=M_ASN1_ENUMERATED_new();
 	else
 		ret=ai;
 	if (ret == NULL)
@@ -311,7 +322,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
-	if (ret != ai) ASN1_ENUMERATED_free(ret);
+	if (ret != ai) M_ASN1_ENUMERATED_free(ret);
 	return(NULL);
 	}
 
diff --git a/lib/libcrypto/asn1/a_gentm.c b/lib/libcrypto/asn1/a_gentm.c
index 226474f057b..84062170e83 100644
--- a/lib/libcrypto/asn1/a_gentm.c
+++ b/lib/libcrypto/asn1/a_gentm.c
@@ -63,6 +63,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_new(void)
+{ return M_ASN1_GENERALIZEDTIME_new(); }
+
+void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *x)
+{ M_ASN1_GENERALIZEDTIME_free(x); }
+
 int i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a, unsigned char **pp)
 	{
 #ifdef CHARSET_EBCDIC
@@ -106,7 +112,7 @@ ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,
 	return(ret);
 err:
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		ASN1_GENERALIZEDTIME_free(ret);
+		M_ASN1_GENERALIZEDTIME_free(ret);
 	return(NULL);
 	}
 
@@ -193,7 +199,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 #endif
 
 	if (s == NULL)
-		s=ASN1_GENERALIZEDTIME_new();
+		s=M_ASN1_GENERALIZEDTIME_new();
 	if (s == NULL)
 		return(NULL);
 
diff --git a/lib/libcrypto/asn1/a_hdr.c b/lib/libcrypto/asn1/a_hdr.c
index 1171d364439..434610e8e12 100644
--- a/lib/libcrypto/asn1/a_hdr.c
+++ b/lib/libcrypto/asn1/a_hdr.c
@@ -102,7 +102,7 @@ ASN1_HEADER *ASN1_HEADER_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,ASN1_HEADER);
-	M_ASN1_New(ret->header,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->header,M_ASN1_OCTET_STRING_new);
 	ret->meth=NULL;
 	ret->data=NULL;
 	return(ret);
@@ -112,8 +112,8 @@ ASN1_HEADER *ASN1_HEADER_new(void)
 void ASN1_HEADER_free(ASN1_HEADER *a)
 	{
 	if (a == NULL) return;
-	ASN1_OCTET_STRING_free(a->header);
+	M_ASN1_OCTET_STRING_free(a->header);
 	if (a->meth != NULL)
 		a->meth->destroy(a->data);
-	Free((char *)a);
+	Free(a);
 	}
diff --git a/lib/libcrypto/asn1/a_i2d_fp.c b/lib/libcrypto/asn1/a_i2d_fp.c
index 6bd845443cc..d9b8035e172 100644
--- a/lib/libcrypto/asn1/a_i2d_fp.c
+++ b/lib/libcrypto/asn1/a_i2d_fp.c
@@ -108,6 +108,6 @@ int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
 		j+=i;
 		n-=i;
 		}
-	Free((char *)b);
+	Free(b);
 	return(ret);
 	}
diff --git a/lib/libcrypto/asn1/a_int.c b/lib/libcrypto/asn1/a_int.c
index d05436378b9..8b6794e8c11 100644
--- a/lib/libcrypto/asn1/a_int.c
+++ b/lib/libcrypto/asn1/a_int.c
@@ -60,6 +60,18 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_INTEGER *ASN1_INTEGER_new(void)
+{ return M_ASN1_INTEGER_new();}
+
+void ASN1_INTEGER_free(ASN1_INTEGER *x)
+{ M_ASN1_INTEGER_free(x);}
+
+ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
+{ return M_ASN1_INTEGER_dup(x);}
+
+int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
+{ return M_ASN1_INTEGER_cmp(x,y);}
+
 /* 
  * This converts an ASN1 INTEGER into its DER encoding.
  * The internal representation is an ASN1_STRING whose data is a big endian
@@ -160,7 +172,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 
 	if ((a == NULL) || ((*a) == NULL))
 		{
-		if ((ret=ASN1_INTEGER_new()) == NULL) return(NULL);
+		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
 		ret->type=V_ASN1_INTEGER;
 		}
 	else
@@ -190,7 +202,12 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		goto err;
 		}
 	to=s;
-	if (*p & 0x80) /* a negative number */
+	if(!len) {
+		/* Strictly speaking this is an illegal INTEGER but we
+		 * tolerate it.
+		 */
+		ret->type=V_ASN1_INTEGER;
+	} else if (*p & 0x80) /* a negative number */
 		{
 		ret->type=V_ASN1_NEG_INTEGER;
 		if ((*p == 0xff) && (len != 1)) {
@@ -231,7 +248,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		memcpy(s,p,(int)len);
 	}
 
-	if (ret->data != NULL) Free((char *)ret->data);
+	if (ret->data != NULL) Free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -240,7 +257,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 err:
 	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		ASN1_INTEGER_free(ret);
+		M_ASN1_INTEGER_free(ret);
 	return(NULL);
 	}
 
@@ -260,7 +277,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 
 	if ((a == NULL) || ((*a) == NULL))
 		{
-		if ((ret=ASN1_INTEGER_new()) == NULL) return(NULL);
+		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
 		ret->type=V_ASN1_INTEGER;
 		}
 	else
@@ -289,7 +306,8 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		goto err;
 		}
 	to=s;
-		ret->type=V_ASN1_INTEGER;
+	ret->type=V_ASN1_INTEGER;
+	if(len) {
 		if ((*p == 0) && (len != 1))
 			{
 			p++;
@@ -297,8 +315,9 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 			}
 		memcpy(s,p,(int)len);
 		p+=len;
+	}
 
-	if (ret->data != NULL) Free((char *)ret->data);
+	if (ret->data != NULL) Free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -307,7 +326,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 err:
 	ASN1err(ASN1_F_D2I_ASN1_UINTEGER,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		ASN1_INTEGER_free(ret);
+		M_ASN1_INTEGER_free(ret);
 	return(NULL);
 	}
 
@@ -321,7 +340,7 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 	if (a->length < (sizeof(long)+1))
 		{
 		if (a->data != NULL)
-			Free((char *)a->data);
+			Free(a->data);
 		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
 			memset((char *)a->data,0,sizeof(long)+1);
 		}
@@ -385,7 +404,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	int len,j;
 
 	if (ai == NULL)
-		ret=ASN1_INTEGER_new();
+		ret=M_ASN1_INTEGER_new();
 	else
 		ret=ai;
 	if (ret == NULL)
@@ -401,7 +420,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
-	if (ret != ai) ASN1_INTEGER_free(ret);
+	if (ret != ai) M_ASN1_INTEGER_free(ret);
 	return(NULL);
 	}
 
diff --git a/lib/libcrypto/asn1/a_null.c b/lib/libcrypto/asn1/a_null.c
new file mode 100644
index 00000000000..119fd784bea
--- /dev/null
+++ b/lib/libcrypto/asn1/a_null.c
@@ -0,0 +1,119 @@
+/* a_null.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* ASN1 functions for NULL type. For compatibility with other ASN1 code
+ * it returns a pointer to an "ASN1_NULL" structure. The new/free functions
+ * don't need to do any allocating because nothing is stored in a NULL.
+ */
+
+int i2d_ASN1_NULL(ASN1_NULL *a, unsigned char **pp)
+	{
+	if(!a) return 0;
+	if (pp) ASN1_put_object(pp,0,0,V_ASN1_NULL,V_ASN1_UNIVERSAL);
+	return 2;
+	}
+
+ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **a, unsigned char **pp, long length)
+	{
+	ASN1_NULL *ret = NULL;
+	unsigned char *p;
+	long len;
+	int inf,tag,xclass;
+	int i=0;
+
+	p= *pp;
+	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+	if (inf & 0x80)
+		{
+		i=ASN1_R_BAD_OBJECT_HEADER;
+		goto err;
+		}
+
+	if (tag != V_ASN1_NULL)
+		{
+		i=ASN1_R_EXPECTING_A_NULL;
+		goto err;
+		}
+
+	if (len != 0)
+		{
+		i=ASN1_R_NULL_IS_WRONG_LENGTH;
+		goto err;
+		}
+	ret=(ASN1_NULL *)1;
+	if (a != NULL) (*a)=ret;
+	*pp=p;
+	return(ret);
+err:
+	ASN1err(ASN1_F_D2I_ASN1_NULL,i);
+	return(ret);
+	}
+
+ASN1_NULL *ASN1_NULL_new(void)
+{
+	return (ASN1_NULL *)1;
+}
+
+void ASN1_NULL_free(ASN1_NULL *a)
+{
+	return;
+}
diff --git a/lib/libcrypto/asn1/a_object.c b/lib/libcrypto/asn1/a_object.c
index b94b418ee89..09d56fb6690 100644
--- a/lib/libcrypto/asn1/a_object.c
+++ b/lib/libcrypto/asn1/a_object.c
@@ -222,8 +222,8 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 		}
 	if ((ret->data == NULL) || (ret->length < len))
 		{
-		if (ret->data != NULL) Free((char *)ret->data);
-		ret->data=(unsigned char *)Malloc((int)len);
+		if (ret->data != NULL) Free(ret->data);
+		ret->data=(unsigned char *)Malloc(len ? (int)len : 1);
 		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
 		if (ret->data == NULL)
 			{ i=ERR_R_MALLOC_FAILURE; goto err; }
@@ -269,7 +269,7 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
 	if (a == NULL) return;
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS)
 		{
-#ifndef CONST_STRICT /* disable purely for compile-time strict const checking. Doing this on a "real" compile will cause mempory leaks */
+#ifndef CONST_STRICT /* disable purely for compile-time strict const checking. Doing this on a "real" compile will cause memory leaks */
 		if (a->sn != NULL) Free((void *)a->sn);
 		if (a->ln != NULL) Free((void *)a->ln);
 #endif
diff --git a/lib/libcrypto/asn1/a_octet.c b/lib/libcrypto/asn1/a_octet.c
index 7659a13bd38..2586f4327dc 100644
--- a/lib/libcrypto/asn1/a_octet.c
+++ b/lib/libcrypto/asn1/a_octet.c
@@ -60,11 +60,23 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void)
+{ return M_ASN1_OCTET_STRING_new(); }
+
+void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *x)
+{ M_ASN1_OCTET_STRING_free(x); }
+
+ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *x)
+{ return M_ASN1_OCTET_STRING_dup(x); }
+
+int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b)
+{ return M_ASN1_OCTET_STRING_cmp(a, b); }
+
+int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, unsigned char *d, int len)
+{ return M_ASN1_OCTET_STRING_set(x, d, len); }
+
 int i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *a, unsigned char **pp)
-	{
-	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
-		V_ASN1_OCTET_STRING,V_ASN1_UNIVERSAL));
-	}
+{ return M_i2d_ASN1_OCTET_STRING(a, pp); }
 
 ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **a,
 	     unsigned char **pp, long length)
diff --git a/lib/libcrypto/asn1/a_print.c b/lib/libcrypto/asn1/a_print.c
index cdec7a1561d..b7bd2bd18ae 100644
--- a/lib/libcrypto/asn1/a_print.c
+++ b/lib/libcrypto/asn1/a_print.c
@@ -60,6 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_IA5STRING *ASN1_IA5STRING_new(void)
+{ return M_ASN1_IA5STRING_new();}
+
+void ASN1_IA5STRING_free(ASN1_IA5STRING *x)
+{ M_ASN1_IA5STRING_free(x);}
+
 int i2d_ASN1_IA5STRING(ASN1_IA5STRING *a, unsigned char **pp)
 	{ return(M_i2d_ASN1_IA5STRING(a,pp)); }
 
@@ -67,15 +73,30 @@ ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **a, unsigned char **pp,
 	     long l)
 	{ return(M_d2i_ASN1_IA5STRING(a,pp,l)); }
 
+ASN1_T61STRING *ASN1_T61STRING_new(void)
+{ return M_ASN1_T61STRING_new();}
+
+void ASN1_T61STRING_free(ASN1_T61STRING *x)
+{ M_ASN1_T61STRING_free(x);}
+
 ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **a, unsigned char **pp,
 	     long l)
 	{ return(M_d2i_ASN1_T61STRING(a,pp,l)); }
 
+ASN1_PRINTABLESTRING *ASN1_PRINTABLESTRING_new(void)
+{ return M_ASN1_PRINTABLESTRING_new();}
+
+void ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *x)
+{ M_ASN1_PRINTABLESTRING_free(x);}
+
 ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING **a,
 	     unsigned char **pp, long l)
 	{ return(M_d2i_ASN1_PRINTABLESTRING(a,pp,
 	     l)); }
 
+int i2d_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING *a, unsigned char **pp)
+	{ return(M_i2d_ASN1_PRINTABLESTRING(a,pp)); }
+
 int i2d_ASN1_PRINTABLE(ASN1_STRING *a, unsigned char **pp)
 	{ return(M_i2d_ASN1_PRINTABLE(a,pp)); }
 
@@ -149,6 +170,11 @@ int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
 	return(1);
 	}
 
+ASN1_STRING *DIRECTORYSTRING_new(void)
+{ return M_DIRECTORYSTRING_new();}
+
+void DIRECTORYSTRING_free(ASN1_STRING *x)
+{ M_DIRECTORYSTRING_free(x);}
 
 int i2d_DIRECTORYSTRING(ASN1_STRING *a, unsigned char **pp)
 	{ return(M_i2d_DIRECTORYSTRING(a,pp)); }
@@ -157,6 +183,12 @@ ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **a, unsigned char **pp,
 	     long l)
 	{ return(M_d2i_DIRECTORYSTRING(a,pp,l)); }
 
+ASN1_STRING *DISPLAYTEXT_new(void)
+{ return M_DISPLAYTEXT_new();}
+
+void DISPLAYTEXT_free(ASN1_STRING *x)
+{ M_DISPLAYTEXT_free(x);}
+
 int i2d_DISPLAYTEXT(ASN1_STRING *a, unsigned char **pp)
 	{ return(M_i2d_DISPLAYTEXT(a,pp)); }
 
diff --git a/lib/libcrypto/asn1/a_sign.c b/lib/libcrypto/asn1/a_sign.c
index 57595692e5b..cfb4bca4f1c 100644
--- a/lib/libcrypto/asn1/a_sign.c
+++ b/lib/libcrypto/asn1/a_sign.c
@@ -58,10 +58,13 @@
 
 #include <stdio.h>
 #include <time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 
 #include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -126,11 +129,11 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
 		goto err;
 		}
-	if (signature->data != NULL) Free((char *)signature->data);
+	if (signature->data != NULL) Free(signature->data);
 	signature->data=buf_out;
 	buf_out=NULL;
 	signature->length=outl;
-	/* In the interests of compatability, I'll make sure that
+	/* In the interests of compatibility, I'll make sure that
 	 * the bit string has a 'not-used bits' value of 0
 	 */
 	signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
@@ -138,8 +141,8 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	memset(&ctx,0,sizeof(ctx));
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); Free((char *)buf_in); }
+		{ memset((char *)buf_in,0,(unsigned int)inl); Free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); Free((char *)buf_out); }
+		{ memset((char *)buf_out,0,outll); Free(buf_out); }
 	return(outl);
 	}
diff --git a/lib/libcrypto/asn1/a_time.c b/lib/libcrypto/asn1/a_time.c
index c1690a56949..b193f1c71fb 100644
--- a/lib/libcrypto/asn1/a_time.c
+++ b/lib/libcrypto/asn1/a_time.c
@@ -66,6 +66,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_TIME *ASN1_TIME_new(void)
+{ return M_ASN1_TIME_new(); }
+
+void ASN1_TIME_free(ASN1_TIME *x)
+{ M_ASN1_TIME_free(x); }
+
 int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
 	{
 #ifdef CHARSET_EBCDIC
diff --git a/lib/libcrypto/asn1/a_type.c b/lib/libcrypto/asn1/a_type.c
index 3f2ecee5c2f..161ef811973 100644
--- a/lib/libcrypto/asn1/a_type.c
+++ b/lib/libcrypto/asn1/a_type.c
@@ -282,7 +282,7 @@ void ASN1_TYPE_free(ASN1_TYPE *a)
 	{
 	if (a == NULL) return;
 	ASN1_TYPE_component_free(a);
-	Free((char *)(char *)a);
+	Free(a);
 	}
 
 int ASN1_TYPE_get(ASN1_TYPE *a)
diff --git a/lib/libcrypto/asn1/a_utctm.c b/lib/libcrypto/asn1/a_utctm.c
index 688199fdd22..07565974e31 100644
--- a/lib/libcrypto/asn1/a_utctm.c
+++ b/lib/libcrypto/asn1/a_utctm.c
@@ -66,6 +66,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_UTCTIME *ASN1_UTCTIME_new(void)
+{ return M_ASN1_UTCTIME_new(); }
+
+void ASN1_UTCTIME_free(ASN1_UTCTIME *x)
+{ M_ASN1_UTCTIME_free(x); }
+
 int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp)
 	{
 #ifndef CHARSET_EBCDIC
@@ -109,7 +115,7 @@ ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **a, unsigned char **pp,
 	return(ret);
 err:
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
-		ASN1_UTCTIME_free(ret);
+		M_ASN1_UTCTIME_free(ret);
 	return(NULL);
 	}
 
@@ -192,7 +198,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 #endif
 
 	if (s == NULL)
-		s=ASN1_UTCTIME_new();
+		s=M_ASN1_UTCTIME_new();
 	if (s == NULL)
 		return(NULL);
 
diff --git a/lib/libcrypto/asn1/a_utf8.c b/lib/libcrypto/asn1/a_utf8.c
index 4a8a92e9e46..b5125af2243 100644
--- a/lib/libcrypto/asn1/a_utf8.c
+++ b/lib/libcrypto/asn1/a_utf8.c
@@ -60,6 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_UTF8STRING *ASN1_UTF8STRING_new(void)
+{ return M_ASN1_UTF8STRING_new();}
+
+void ASN1_UTF8STRING_free(ASN1_UTF8STRING *x)
+{ M_ASN1_UTF8STRING_free(x);}
+
 int i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a, unsigned char **pp)
 	{
 	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
@@ -81,3 +87,152 @@ ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a, unsigned char **pp,
 	return(ret);
 	}
 
+
+/* UTF8 utilities */
+
+/* This parses a UTF8 string one character at a time. It is passed a pointer
+ * to the string and the length of the string. It sets 'value' to the value of
+ * the current character. It returns the number of characters read or a
+ * negative error code:
+ * -1 = string too short
+ * -2 = illegal character
+ * -3 = subsequent characters not of the form 10xxxxxx
+ * -4 = character encoded incorrectly (not minimal length).
+ */
+
+int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
+{
+	const unsigned char *p;
+	unsigned long value;
+	int ret;
+	if(len <= 0) return 0;
+	p = str;
+
+	/* Check syntax and work out the encoded value (if correct) */
+	if((*p & 0x80) == 0) {
+		value = *p++ & 0x7f;
+		ret = 1;
+	} else if((*p & 0xe0) == 0xc0) {
+		if(len < 2) return -1;
+		if((p[1] & 0xc0) != 0x80) return -3;
+		value = (*p++ & 0x1f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x80) return -4;
+		ret = 2;
+	} else if((*p & 0xf0) == 0xe0) {
+		if(len < 3) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0xf) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x800) return -4;
+		ret = 3;
+	} else if((*p & 0xf8) == 0xf0) {
+		if(len < 4) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) 
+		   || ((p[3] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0x7) << 18;
+		value |= (*p++ & 0x3f) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x10000) return -4;
+		ret = 4;
+	} else if((*p & 0xfc) == 0xf8) {
+		if(len < 5) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) 
+		   || ((p[3] & 0xc0) != 0x80) 
+		   || ((p[4] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0x3) << 24;
+		value |= (*p++ & 0x3f) << 18;
+		value |= (*p++ & 0x3f) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x200000) return -4;
+		ret = 5;
+	} else if((*p & 0xfe) == 0xfc) {
+		if(len < 6) return -1;
+		if( ((p[1] & 0xc0) != 0x80)
+		   || ((p[2] & 0xc0) != 0x80) 
+		   || ((p[3] & 0xc0) != 0x80) 
+		   || ((p[4] & 0xc0) != 0x80) 
+		   || ((p[5] & 0xc0) != 0x80) ) return -3;
+		value = (*p++ & 0x1) << 30;
+		value |= (*p++ & 0x3f) << 24;
+		value |= (*p++ & 0x3f) << 18;
+		value |= (*p++ & 0x3f) << 12;
+		value |= (*p++ & 0x3f) << 6;
+		value |= *p++ & 0x3f;
+		if(value < 0x4000000) return -4;
+		ret = 6;
+	} else return -2;
+	*val = value;
+	return ret;
+}
+
+/* This takes a character 'value' and writes the UTF8 encoded value in
+ * 'str' where 'str' is a buffer containing 'len' characters. Returns
+ * the number of characters written or -1 if 'len' is too small. 'str' can
+ * be set to NULL in which case it just returns the number of characters.
+ * It will need at most 6 characters.
+ */
+
+int UTF8_putc(unsigned char *str, int len, unsigned long value)
+{
+	if(!str) len = 6;	/* Maximum we will need */
+	else if(len <= 0) return -1;
+	if(value < 0x80) {
+		if(str) *str = (unsigned char)value;
+		return 1;
+	}
+	if(value < 0x800) {
+		if(len < 2) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 2;
+	}
+	if(value < 0x10000) {
+		if(len < 3) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0);
+			*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 3;
+	}
+	if(value < 0x200000) {
+		if(len < 4) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0);
+			*str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
+			*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 4;
+	}
+	if(value < 0x4000000) {
+		if(len < 5) return -1;
+		if(str) {
+			*str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8);
+			*str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
+			*str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
+			*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+			*str = (unsigned char)((value & 0x3f) | 0x80);
+		}
+		return 5;
+	}
+	if(len < 6) return -1;
+	if(str) {
+		*str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc);
+		*str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80);
+		*str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
+		*str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
+		*str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
+		*str = (unsigned char)((value & 0x3f) | 0x80);
+	}
+	return 6;
+}
diff --git a/lib/libcrypto/asn1/a_verify.c b/lib/libcrypto/asn1/a_verify.c
index 6383d2c698d..d4aede85c37 100644
--- a/lib/libcrypto/asn1/a_verify.c
+++ b/lib/libcrypto/asn1/a_verify.c
@@ -58,10 +58,13 @@
 
 #include <stdio.h>
 #include <time.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 
 #include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
 #include <openssl/bn.h>
 #include <openssl/x509.h>
 #include <openssl/objects.h>
@@ -98,7 +101,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
 	memset(buf_in,0,(unsigned int)inl);
-	Free((char *)buf_in);
+	Free(buf_in);
 
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
 			(unsigned int)signature->length,pkey) <= 0)
diff --git a/lib/libcrypto/asn1/a_vis.c b/lib/libcrypto/asn1/a_vis.c
index 2072be780d4..5cfc080bec3 100644
--- a/lib/libcrypto/asn1/a_vis.c
+++ b/lib/libcrypto/asn1/a_vis.c
@@ -60,6 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+ASN1_VISIBLESTRING *ASN1_VISIBLESTRING_new(void)
+{ return M_ASN1_VISIBLESTRING_new(); }
+
+void ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *x)
+{ M_ASN1_VISIBLESTRING_free(x); }
+
 int i2d_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING *a, unsigned char **pp)
 	{
 	return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
diff --git a/lib/libcrypto/asn1/asn1.h b/lib/libcrypto/asn1/asn1.h
index 5c2d8999bc1..99bd64a11e3 100644
--- a/lib/libcrypto/asn1/asn1.h
+++ b/lib/libcrypto/asn1/asn1.h
@@ -68,6 +68,10 @@ extern "C" {
 #include <openssl/stack.h>
 #include <openssl/safestack.h>
 
+#ifdef VMS
+#include <openssl/vms_idhacks.h>
+#endif
+
 #define V_ASN1_UNIVERSAL		0x00
 #define	V_ASN1_APPLICATION		0x40
 #define V_ASN1_CONTEXT_SPECIFIC		0x80
@@ -77,7 +81,7 @@ extern "C" {
 #define V_ASN1_PRIMITIVE_TAG		0x1f
 #define V_ASN1_PRIMATIVE_TAG		0x1f
 
-#define V_ASN1_APP_CHOOSE		-2	/* let the recipent choose */
+#define V_ASN1_APP_CHOOSE		-2	/* let the recipient choose */
 
 #define V_ASN1_UNDEF			-1
 #define V_ASN1_EOC			0
@@ -129,6 +133,13 @@ extern "C" {
 #define B_ASN1_UNKNOWN		0x1000
 #define B_ASN1_UTF8STRING	0x2000
 
+/* For use with ASN1_mbstring_copy() */
+#define MBSTRING_FLAG		0x1000
+#define MBSTRING_ASC		(MBSTRING_FLAG|1)
+#define MBSTRING_BMP		(MBSTRING_FLAG|2)
+#define MBSTRING_UNIV		(MBSTRING_FLAG|3)
+#define MBSTRING_UTF8		(MBSTRING_FLAG|4)
+
 #define DECLARE_ASN1_SET_OF(type) \
 int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
 			   int (*func)(type *,unsigned char **), int ex_tag, \
@@ -165,7 +176,7 @@ typedef struct asn1_ctx_st
 	int tag;	/* tag from last 'get object' */
 	int xclass;	/* class from last 'get object' */
 	long slen;	/* length of last 'get object' */
-	unsigned char *max; /* largest value of p alowed */
+	unsigned char *max; /* largest value of p allowed */
 	unsigned char *q;/* temporary variable */
 	unsigned char **pp;/* variable */
 	int line;	/* used in error processing */
@@ -200,7 +211,34 @@ typedef struct asn1_string_st
 	long flags;
 	} ASN1_STRING;
 
-#ifndef DEBUG
+#define STABLE_FLAGS_MALLOC	0x01
+#define STABLE_NO_MASK		0x02
+#define DIRSTRING_TYPE	\
+ (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING)
+#define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING)
+
+typedef struct asn1_string_table_st {
+	int nid;
+	long minsize;
+	long maxsize;
+	unsigned long mask;
+	unsigned long flags;
+} ASN1_STRING_TABLE;
+
+DECLARE_STACK_OF(ASN1_STRING_TABLE)
+
+/* size limits: this stuff is taken straight from RFC2459 */
+
+#define ub_name				32768
+#define ub_common_name			64
+#define ub_locality_name		128
+#define ub_state_name			128
+#define ub_organization_name		64
+#define ub_organization_unit_name	64
+#define ub_title			64
+#define ub_email_address		128
+
+#ifdef NO_ASN1_TYPEDEFS
 #define ASN1_INTEGER		ASN1_STRING
 #define ASN1_ENUMERATED		ASN1_STRING
 #define ASN1_BIT_STRING		ASN1_STRING
@@ -234,6 +272,8 @@ typedef struct asn1_string_st ASN1_VISIBLESTRING;
 typedef struct asn1_string_st ASN1_UTF8STRING;
 #endif
 
+typedef int ASN1_NULL;
+
 typedef struct asn1_type_st
 	{
 	int type;
@@ -281,60 +321,58 @@ typedef struct asn1_header_st
 	ASN1_METHOD *meth;
 	} ASN1_HEADER;
 
-#define ASN1_STRING_length(x)	((x)->length)
-#define ASN1_STRING_type(x)	((x)->type)
-#define ASN1_STRING_data(x)	((x)->data)
+/* This is used to contain a list of bit names */
+typedef struct BIT_STRING_BITNAME_st {
+	int bitnum;
+	const char *lname;
+	const char *sname;
+} BIT_STRING_BITNAME;
+
+
+#define M_ASN1_STRING_length(x)	((x)->length)
+#define M_ASN1_STRING_length_set(x, n)	((x)->length = (n))
+#define M_ASN1_STRING_type(x)	((x)->type)
+#define M_ASN1_STRING_data(x)	((x)->data)
 
 /* Macros for string operations */
-#define ASN1_BIT_STRING_new()	(ASN1_BIT_STRING *)\
+#define M_ASN1_BIT_STRING_new()	(ASN1_BIT_STRING *)\
 		ASN1_STRING_type_new(V_ASN1_BIT_STRING)
-#define ASN1_BIT_STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_BIT_STRING_dup(a) (ASN1_BIT_STRING *)\
+#define M_ASN1_BIT_STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_BIT_STRING_dup(a) (ASN1_BIT_STRING *)\
 		ASN1_STRING_dup((ASN1_STRING *)a)
-#define ASN1_BIT_STRING_cmp(a,b) ASN1_STRING_cmp(\
+#define M_ASN1_BIT_STRING_cmp(a,b) ASN1_STRING_cmp(\
 		(ASN1_STRING *)a,(ASN1_STRING *)b)
-#define ASN1_BIT_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c)
-/* i2d_ASN1_BIT_STRING() is a function */
-/* d2i_ASN1_BIT_STRING() is a function */
+#define M_ASN1_BIT_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c)
 
-#define ASN1_INTEGER_new()	(ASN1_INTEGER *)\
+#define M_ASN1_INTEGER_new()	(ASN1_INTEGER *)\
 		ASN1_STRING_type_new(V_ASN1_INTEGER)
-#define ASN1_INTEGER_free(a)		ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_INTEGER_dup(a) (ASN1_INTEGER *)ASN1_STRING_dup((ASN1_STRING *)a)
-#define ASN1_INTEGER_cmp(a,b)	ASN1_STRING_cmp(\
+#define M_ASN1_INTEGER_free(a)		ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_INTEGER_dup(a) (ASN1_INTEGER *)ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_INTEGER_cmp(a,b)	ASN1_STRING_cmp(\
 		(ASN1_STRING *)a,(ASN1_STRING *)b)
-/* ASN1_INTEGER_set() is a function, also see BN_to_ASN1_INTEGER() */
-/* ASN1_INTEGER_get() is a function, also see ASN1_INTEGER_to_BN() */
-/* i2d_ASN1_INTEGER() is a function */
-/* d2i_ASN1_INTEGER() is a function */
 
-#define ASN1_ENUMERATED_new()	(ASN1_ENUMERATED *)\
+#define M_ASN1_ENUMERATED_new()	(ASN1_ENUMERATED *)\
 		ASN1_STRING_type_new(V_ASN1_ENUMERATED)
-#define ASN1_ENUMERATED_free(a)		ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_ENUMERATED_dup(a) (ASN1_ENUMERATED *)ASN1_STRING_dup((ASN1_STRING *)a)
-#define ASN1_ENUMERATED_cmp(a,b)	ASN1_STRING_cmp(\
+#define M_ASN1_ENUMERATED_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_ENUMERATED_dup(a) (ASN1_ENUMERATED *)ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_ENUMERATED_cmp(a,b)	ASN1_STRING_cmp(\
 		(ASN1_STRING *)a,(ASN1_STRING *)b)
-/* ASN1_ENUMERATED_set() is a function, also see BN_to_ASN1_ENUMERATED() */
-/* ASN1_ENUMERATED_get() is a function, also see ASN1_ENUMERATED_to_BN() */
-/* i2d_ASN1_ENUMERATED() is a function */
-/* d2i_ASN1_ENUMERATED() is a function */
 
-#define ASN1_OCTET_STRING_new()	(ASN1_OCTET_STRING *)\
+#define M_ASN1_OCTET_STRING_new()	(ASN1_OCTET_STRING *)\
 		ASN1_STRING_type_new(V_ASN1_OCTET_STRING)
-#define ASN1_OCTET_STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_OCTET_STRING_dup(a) (ASN1_OCTET_STRING *)\
+#define M_ASN1_OCTET_STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_OCTET_STRING_dup(a) (ASN1_OCTET_STRING *)\
 		ASN1_STRING_dup((ASN1_STRING *)a)
-#define ASN1_OCTET_STRING_cmp(a,b) ASN1_STRING_cmp(\
+#define M_ASN1_OCTET_STRING_cmp(a,b) ASN1_STRING_cmp(\
 		(ASN1_STRING *)a,(ASN1_STRING *)b)
-#define ASN1_OCTET_STRING_set(a,b,c)	ASN1_STRING_set((ASN1_STRING *)a,b,c)
-#define ASN1_OCTET_STRING_print(a,b)	ASN1_STRING_print(a,(ASN1_STRING *)b)
+#define M_ASN1_OCTET_STRING_set(a,b,c)	ASN1_STRING_set((ASN1_STRING *)a,b,c)
+#define M_ASN1_OCTET_STRING_print(a,b)	ASN1_STRING_print(a,(ASN1_STRING *)b)
 #define M_i2d_ASN1_OCTET_STRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_OCTET_STRING,\
-		V_ASN1_OCTET_STRING)
-/* d2i_ASN1_OCTET_STRING() is a function */
+		V_ASN1_UNIVERSAL)
 
-#define ASN1_PRINTABLE_new()	ASN1_STRING_type_new(V_ASN1_T61STRING)
-#define ASN1_PRINTABLE_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_PRINTABLE_new()	ASN1_STRING_type_new(V_ASN1_T61STRING)
+#define M_ASN1_PRINTABLE_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_PRINTABLE(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
 		pp,a->type,V_ASN1_UNIVERSAL)
 #define M_d2i_ASN1_PRINTABLE(a,pp,l) \
@@ -345,10 +383,11 @@ typedef struct asn1_header_st
 			B_ASN1_BIT_STRING| \
 			B_ASN1_UNIVERSALSTRING|\
 			B_ASN1_BMPSTRING|\
+			B_ASN1_UTF8STRING|\
 			B_ASN1_UNKNOWN)
 
-#define DIRECTORYSTRING_new() ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
-#define DIRECTORYSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_DIRECTORYSTRING_new() ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
+#define M_DIRECTORYSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_DIRECTORYSTRING(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
 						pp,a->type,V_ASN1_UNIVERSAL)
 #define M_d2i_DIRECTORYSTRING(a,pp,l) \
@@ -359,8 +398,8 @@ typedef struct asn1_header_st
 			B_ASN1_UNIVERSALSTRING|\
 			B_ASN1_UTF8STRING)
 
-#define DISPLAYTEXT_new() ASN1_STRING_type_new(V_ASN1_VISIBLESTRING)
-#define DISPLAYTEXT_free(a) ASN1_STRING_free((ASN1_STRING *)a)
+#define M_DISPLAYTEXT_new() ASN1_STRING_type_new(V_ASN1_VISIBLESTRING)
+#define M_DISPLAYTEXT_free(a) ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_DISPLAYTEXT(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
 						pp,a->type,V_ASN1_UNIVERSAL)
 #define M_d2i_DISPLAYTEXT(a,pp,l) \
@@ -369,9 +408,9 @@ typedef struct asn1_header_st
 			B_ASN1_BMPSTRING|\
 			B_ASN1_UTF8STRING)
 
-#define ASN1_PRINTABLESTRING_new() (ASN1_PRINTABLESTRING *)\
+#define M_ASN1_PRINTABLESTRING_new() (ASN1_PRINTABLESTRING *)\
 		ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
-#define ASN1_PRINTABLESTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_PRINTABLESTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_PRINTABLESTRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_PRINTABLESTRING,\
 		V_ASN1_UNIVERSAL)
@@ -379,9 +418,9 @@ typedef struct asn1_header_st
 		(ASN1_PRINTABLESTRING *)d2i_ASN1_type_bytes\
 		((ASN1_STRING **)a,pp,l,B_ASN1_PRINTABLESTRING)
 
-#define ASN1_T61STRING_new()	(ASN1_T61STRING_STRING *)\
+#define M_ASN1_T61STRING_new()	(ASN1_T61STRING *)\
 		ASN1_STRING_type_new(V_ASN1_T61STRING)
-#define ASN1_T61STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_T61STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_T61STRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_T61STRING,\
 		V_ASN1_UNIVERSAL)
@@ -389,10 +428,10 @@ typedef struct asn1_header_st
 		(ASN1_T61STRING *)d2i_ASN1_type_bytes\
 		((ASN1_STRING **)a,pp,l,B_ASN1_T61STRING)
 
-#define ASN1_IA5STRING_new()	(ASN1_IA5STRING *)\
+#define M_ASN1_IA5STRING_new()	(ASN1_IA5STRING *)\
 		ASN1_STRING_type_new(V_ASN1_IA5STRING)
-#define ASN1_IA5STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_IA5STRING_dup(a)	\
+#define M_ASN1_IA5STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_IA5STRING_dup(a)	\
 			(ASN1_IA5STRING *)ASN1_STRING_dup((ASN1_STRING *)a)
 #define M_i2d_ASN1_IA5STRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_IA5STRING,\
@@ -401,38 +440,25 @@ typedef struct asn1_header_st
 		(ASN1_IA5STRING *)d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l,\
 			B_ASN1_IA5STRING)
 
-#define ASN1_UTCTIME_new()	(ASN1_UTCTIME *)\
+#define M_ASN1_UTCTIME_new()	(ASN1_UTCTIME *)\
 		ASN1_STRING_type_new(V_ASN1_UTCTIME)
-#define ASN1_UTCTIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_UTCTIME_dup(a) (ASN1_UTCTIME *)ASN1_STRING_dup((ASN1_STRING *)a)
-/* i2d_ASN1_UTCTIME() is a function */
-/* d2i_ASN1_UTCTIME() is a function */
-/* ASN1_UTCTIME_set() is a function */
-/* ASN1_UTCTIME_check() is a function */
-
-#define ASN1_GENERALIZEDTIME_new()	(ASN1_GENERALIZEDTIME *)\
+#define M_ASN1_UTCTIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_UTCTIME_dup(a) (ASN1_UTCTIME *)ASN1_STRING_dup((ASN1_STRING *)a)
+
+#define M_ASN1_GENERALIZEDTIME_new()	(ASN1_GENERALIZEDTIME *)\
 		ASN1_STRING_type_new(V_ASN1_GENERALIZEDTIME)
-#define ASN1_GENERALIZEDTIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_GENERALIZEDTIME_dup(a) (ASN1_GENERALIZEDTIME *)ASN1_STRING_dup(\
+#define M_ASN1_GENERALIZEDTIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_GENERALIZEDTIME_dup(a) (ASN1_GENERALIZEDTIME *)ASN1_STRING_dup(\
 	(ASN1_STRING *)a)
-/* i2d_ASN1_GENERALIZEDTIME() is a function */
-/* d2i_ASN1_GENERALIZEDTIME() is a function */
-/* ASN1_GENERALIZEDTIME_set() is a function */
-/* ASN1_GENERALIZEDTIME_check() is a function */
 
-#define ASN1_TIME_new()	(ASN1_TIME *)\
+#define M_ASN1_TIME_new()	(ASN1_TIME *)\
 		ASN1_STRING_type_new(V_ASN1_UTCTIME)
-#define ASN1_TIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
-#define ASN1_TIME_dup(a) (ASN1_TIME *)ASN1_STRING_dup((ASN1_STRING *)a)
+#define M_ASN1_TIME_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_TIME_dup(a) (ASN1_TIME *)ASN1_STRING_dup((ASN1_STRING *)a)
 
-/* i2d_ASN1_TIME() is a function */
-/* d2i_ASN1_TIME() is a function */
-/* ASN1_TIME_set() is a function */
-/* ASN1_TIME_check() is a function */
-
-#define ASN1_GENERALSTRING_new()	(ASN1_GENERALSTRING *)\
+#define M_ASN1_GENERALSTRING_new()	(ASN1_GENERALSTRING *)\
 		ASN1_STRING_type_new(V_ASN1_GENERALSTRING)
-#define ASN1_GENERALSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_GENERALSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_GENERALSTRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_GENERALSTRING,\
 			V_ASN1_UNIVERSAL)
@@ -440,9 +466,9 @@ typedef struct asn1_header_st
 		(ASN1_GENERALSTRING *)d2i_ASN1_type_bytes\
 		((ASN1_STRING **)a,pp,l,B_ASN1_GENERALSTRING)
 
-#define ASN1_UNIVERSALSTRING_new()	(ASN1_UNIVERSALSTRING *)\
+#define M_ASN1_UNIVERSALSTRING_new()	(ASN1_UNIVERSALSTRING *)\
 		ASN1_STRING_type_new(V_ASN1_UNIVERSALSTRING)
-#define ASN1_UNIVERSALSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_UNIVERSALSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_UNIVERSALSTRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UNIVERSALSTRING,\
 			V_ASN1_UNIVERSAL)
@@ -450,9 +476,9 @@ typedef struct asn1_header_st
 		(ASN1_UNIVERSALSTRING *)d2i_ASN1_type_bytes\
 		((ASN1_STRING **)a,pp,l,B_ASN1_UNIVERSALSTRING)
 
-#define ASN1_BMPSTRING_new()	(ASN1_BMPSTRING *)\
+#define M_ASN1_BMPSTRING_new()	(ASN1_BMPSTRING *)\
 		ASN1_STRING_type_new(V_ASN1_BMPSTRING)
-#define ASN1_BMPSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_BMPSTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_BMPSTRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_BMPSTRING,\
 			V_ASN1_UNIVERSAL)
@@ -460,9 +486,9 @@ typedef struct asn1_header_st
 		(ASN1_BMPSTRING *)d2i_ASN1_type_bytes\
 		((ASN1_STRING **)a,pp,l,B_ASN1_BMPSTRING)
 
-#define ASN1_VISIBLESTRING_new()	(ASN1_VISIBLESTRING *)\
+#define M_ASN1_VISIBLESTRING_new()	(ASN1_VISIBLESTRING *)\
 		ASN1_STRING_type_new(V_ASN1_VISIBLESTRING)
-#define ASN1_VISIBLESTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_VISIBLESTRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_VISIBLESTRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_VISIBLESTRING,\
 			V_ASN1_UNIVERSAL)
@@ -470,9 +496,9 @@ typedef struct asn1_header_st
 		(ASN1_VISIBLESTRING *)d2i_ASN1_type_bytes\
 		((ASN1_STRING **)a,pp,l,B_ASN1_VISIBLESTRING)
 
-#define ASN1_UTF8STRING_new()	(ASN1_UTF8STRING *)\
+#define M_ASN1_UTF8STRING_new()	(ASN1_UTF8STRING *)\
 		ASN1_STRING_type_new(V_ASN1_UTF8STRING)
-#define ASN1_UTF8STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
+#define M_ASN1_UTF8STRING_free(a)	ASN1_STRING_free((ASN1_STRING *)a)
 #define M_i2d_ASN1_UTF8STRING(a,pp) \
 		i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UTF8STRING,\
 			V_ASN1_UNIVERSAL)
@@ -500,7 +526,7 @@ ASN1_OBJECT *	d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
 DECLARE_STACK_OF(ASN1_OBJECT)
 DECLARE_ASN1_SET_OF(ASN1_OBJECT)
 
-ASN1_STRING *	ASN1_STRING_new(void );
+ASN1_STRING *	ASN1_STRING_new(void);
 void		ASN1_STRING_free(ASN1_STRING *a);
 ASN1_STRING *	ASN1_STRING_dup(ASN1_STRING *a);
 ASN1_STRING *	ASN1_STRING_type_new(int type );
@@ -508,23 +534,44 @@ int 		ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b);
   /* Since this is used to store all sorts of things, via macros, for now, make
      its data void * */
 int 		ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
+int ASN1_STRING_length(ASN1_STRING *x);
+void ASN1_STRING_length_set(ASN1_STRING *x, int n);
+int ASN1_STRING_type(ASN1_STRING *x);
+unsigned char * ASN1_STRING_data(ASN1_STRING *x);
 
+ASN1_BIT_STRING *	ASN1_BIT_STRING_new(void);
+void		ASN1_BIT_STRING_free(ASN1_BIT_STRING *a);
 int		i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
 ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
 			long length);
+int		ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
+			int length );
 int		ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value);
 int		ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n);
 
+#ifdef HEADER_BIO_H
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+				BIT_STRING_BITNAME *tbl, int indent);
+#endif
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl);
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+				BIT_STRING_BITNAME *tbl);
 
 int		i2d_ASN1_BOOLEAN(int a,unsigned char **pp);
 int 		d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length);
 
+ASN1_INTEGER *	ASN1_INTEGER_new(void);
+void		ASN1_INTEGER_free(ASN1_INTEGER *a);
 int		i2d_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
 ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
 			long length);
 ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp,
 			long length);
+ASN1_INTEGER *	ASN1_INTEGER_dup(ASN1_INTEGER *x);
+int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y);
 
+ASN1_ENUMERATED *	ASN1_ENUMERATED_new(void);
+void		ASN1_ENUMERATED_free(ASN1_ENUMERATED *a);
 int		i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a,unsigned char **pp);
 ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a,unsigned char **pp,
 			long length);
@@ -537,49 +584,88 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); 
 
+ASN1_OCTET_STRING *	ASN1_OCTET_STRING_new(void);
+void		ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *a);
 int		i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *a,unsigned char **pp);
 ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **a,
 			unsigned char **pp,long length);
+ASN1_OCTET_STRING *	ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *a);
+int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
+int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
 
+ASN1_VISIBLESTRING *	ASN1_VISIBLESTRING_new(void);
+void		ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *a);
 int	i2d_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING *a,unsigned char **pp);
 ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING **a,
 			unsigned char **pp,long length);
 
+ASN1_UTF8STRING *	ASN1_UTF8STRING_new(void);
+void		ASN1_UTF8STRING_free(ASN1_UTF8STRING *a);
 int		i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a,unsigned char **pp);
 ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a,
 			unsigned char **pp,long length);
 
+ASN1_NULL *	ASN1_NULL_new(void);
+void		ASN1_NULL_free(ASN1_NULL *a);
+int		i2d_ASN1_NULL(ASN1_NULL *a,unsigned char **pp);
+ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **a, unsigned char **pp,long length);
+
+ASN1_BMPSTRING *	ASN1_BMPSTRING_new(void);
+void		ASN1_BMPSTRING_free(ASN1_BMPSTRING *a);
 int i2d_ASN1_BMPSTRING(ASN1_BMPSTRING *a, unsigned char **pp);
 ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **a, unsigned char **pp,
 	long length);
 
+
+int UTF8_getc(const unsigned char *str, int len, unsigned long *val);
+int UTF8_putc(unsigned char *str, int len, unsigned long value);
+
 int i2d_ASN1_PRINTABLE(ASN1_STRING *a,unsigned char **pp);
 ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **a,
 	unsigned char **pp, long l);
+
+ASN1_PRINTABLESTRING *	ASN1_PRINTABLESTRING_new(void);
+void		ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *a);
 ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING **a,
 	unsigned char **pp, long l);
+int i2d_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING *a, unsigned char **pp);
 
+ASN1_STRING *	DIRECTORYSTRING_new(void);
+void		DIRECTORYSTRING_free(ASN1_STRING *a);
 int	i2d_DIRECTORYSTRING(ASN1_STRING *a,unsigned char **pp);
 ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **a, unsigned char **pp,
 								 long length);
 
+ASN1_STRING *	DISPLAYTEXT_new(void);
+void		DISPLAYTEXT_free(ASN1_STRING *a);
 int	i2d_DISPLAYTEXT(ASN1_STRING *a,unsigned char **pp);
 ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **a, unsigned char **pp, long length);
 
+ASN1_T61STRING *	ASN1_T61STRING_new(void);
+void		ASN1_T61STRING_free(ASN1_IA5STRING *a);
 ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **a,
 	unsigned char **pp, long l);
+
+ASN1_IA5STRING *	ASN1_IA5STRING_new(void);
+void		ASN1_IA5STRING_free(ASN1_IA5STRING *a);
 int i2d_ASN1_IA5STRING(ASN1_IA5STRING *a,unsigned char **pp);
 ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **a,
 	unsigned char **pp, long l);
 
+ASN1_UTCTIME *	ASN1_UTCTIME_new(void);
+void		ASN1_UTCTIME_free(ASN1_UTCTIME *a);
 int		i2d_ASN1_UTCTIME(ASN1_UTCTIME *a,unsigned char **pp);
 ASN1_UTCTIME *	d2i_ASN1_UTCTIME(ASN1_UTCTIME **a,unsigned char **pp,
 			long length);
 
+ASN1_GENERALIZEDTIME *	ASN1_GENERALIZEDTIME_new(void);
+void		ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *a);
 int		i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a,unsigned char **pp);
 ASN1_GENERALIZEDTIME *	d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,unsigned char **pp,
 			long length);
 
+ASN1_TIME *	ASN1_TIME_new(void);
+void		ASN1_TIME_free(ASN1_TIME *a);
 int		i2d_ASN1_TIME(ASN1_TIME *a,unsigned char **pp);
 ASN1_TIME *	d2i_ASN1_TIME(ASN1_TIME **a,unsigned char **pp, long length);
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
@@ -654,6 +740,7 @@ int ASN1_TIME_print(BIO *fp,ASN1_TIME *a);
 int ASN1_STRING_print(BIO *bp,ASN1_STRING *v);
 int ASN1_parse(BIO *bp,unsigned char *pp,long len,int indent);
 #endif
+const char *ASN1_tag2str(int tag);
 
 /* Used to load and write netscape format cert/key */
 int i2d_ASN1_HEADER(ASN1_HEADER *a,unsigned char **pp);
@@ -687,6 +774,21 @@ unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
 void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)());
 ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 
+void ASN1_STRING_set_default_mask(unsigned long mask);
+int ASN1_STRING_set_default_mask_asc(char *p);
+unsigned long ASN1_STRING_get_default_mask(void);
+int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
+					int inform, unsigned long mask);
+int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+					int inform, unsigned long mask, 
+					long minsize, long maxsize);
+
+ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, 
+		const unsigned char *in, int inlen, int inform, int nid);
+ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
+int ASN1_STRING_TABLE_add(int, long, long, unsigned long, unsigned long);
+void ASN1_STRING_TABLE_cleanup(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -699,6 +801,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_A2I_ASN1_ENUMERATED			 236
 #define ASN1_F_A2I_ASN1_INTEGER				 101
 #define ASN1_F_A2I_ASN1_STRING				 102
+#define ASN1_F_ACCESS_DESCRIPTION_NEW			 291
 #define ASN1_F_ASN1_COLLATE_PRIMITIVE			 103
 #define ASN1_F_ASN1_D2I_BIO				 104
 #define ASN1_F_ASN1_D2I_FP				 105
@@ -712,6 +815,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_ASN1_I2D_FP				 110
 #define ASN1_F_ASN1_INTEGER_SET				 111
 #define ASN1_F_ASN1_INTEGER_TO_BN			 112
+#define ASN1_F_ASN1_MBSTRING_COPY			 282
 #define ASN1_F_ASN1_OBJECT_NEW				 113
 #define ASN1_F_ASN1_PACK_STRING				 245
 #define ASN1_F_ASN1_PBE_SET				 253
@@ -719,6 +823,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_ASN1_SEQ_UNPACK				 247
 #define ASN1_F_ASN1_SIGN				 114
 #define ASN1_F_ASN1_STRING_NEW				 115
+#define ASN1_F_ASN1_STRING_TABLE_ADD			 283
 #define ASN1_F_ASN1_STRING_TYPE_NEW			 116
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 117
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 118
@@ -730,6 +835,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_BASIC_CONSTRAINTS_NEW			 226
 #define ASN1_F_BN_TO_ASN1_ENUMERATED			 234
 #define ASN1_F_BN_TO_ASN1_INTEGER			 122
+#define ASN1_F_D2I_ACCESS_DESCRIPTION			 284
 #define ASN1_F_D2I_ASN1_BIT_STRING			 123
 #define ASN1_F_D2I_ASN1_BMPSTRING			 124
 #define ASN1_F_D2I_ASN1_BOOLEAN				 125
@@ -738,6 +844,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_D2I_ASN1_GENERALIZEDTIME			 223
 #define ASN1_F_D2I_ASN1_HEADER				 127
 #define ASN1_F_D2I_ASN1_INTEGER				 128
+#define ASN1_F_D2I_ASN1_NULL				 292
 #define ASN1_F_D2I_ASN1_OBJECT				 129
 #define ASN1_F_D2I_ASN1_OCTET_STRING			 130
 #define ASN1_F_D2I_ASN1_PRINT_TYPE			 131
@@ -765,6 +872,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_D2I_NETSCAPE_SPKAC			 143
 #define ASN1_F_D2I_NETSCAPE_SPKI			 144
 #define ASN1_F_D2I_NOTICEREF				 268
+#define ASN1_F_D2I_OTHERNAME				 287
 #define ASN1_F_D2I_PBE2PARAM				 262
 #define ASN1_F_D2I_PBEPARAM				 249
 #define ASN1_F_D2I_PBKDF2PARAM				 263
@@ -796,6 +904,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_D2I_X509					 159
 #define ASN1_F_D2I_X509_ALGOR				 160
 #define ASN1_F_D2I_X509_ATTRIBUTE			 161
+#define ASN1_F_D2I_X509_CERT_AUX			 285
 #define ASN1_F_D2I_X509_CINF				 162
 #define ASN1_F_D2I_X509_CRL				 163
 #define ASN1_F_D2I_X509_CRL_INFO			 164
@@ -819,12 +928,14 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_I2D_DSAPARAMS				 178
 #define ASN1_F_I2D_DSAPRIVATEKEY			 179
 #define ASN1_F_I2D_DSAPUBLICKEY				 180
+#define ASN1_F_I2D_DSA_PUBKEY				 290
 #define ASN1_F_I2D_NETSCAPE_RSA				 181
 #define ASN1_F_I2D_PKCS7				 182
 #define ASN1_F_I2D_PRIVATEKEY				 183
 #define ASN1_F_I2D_PUBLICKEY				 184
 #define ASN1_F_I2D_RSAPRIVATEKEY			 185
 #define ASN1_F_I2D_RSAPUBLICKEY				 186
+#define ASN1_F_I2D_RSA_PUBKEY				 289
 #define ASN1_F_I2D_X509_ATTRIBUTE			 187
 #define ASN1_F_I2T_ASN1_OBJECT				 188
 #define ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW		 229
@@ -832,6 +943,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_NETSCAPE_SPKAC_NEW			 190
 #define ASN1_F_NETSCAPE_SPKI_NEW			 191
 #define ASN1_F_NOTICEREF_NEW				 272
+#define ASN1_F_OTHERNAME_NEW				 288
 #define ASN1_F_PBE2PARAM_NEW				 264
 #define ASN1_F_PBEPARAM_NEW				 251
 #define ASN1_F_PBKDF2PARAM_NEW				 265
@@ -859,6 +971,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_F_USERNOTICE_NEW				 275
 #define ASN1_F_X509_ALGOR_NEW				 202
 #define ASN1_F_X509_ATTRIBUTE_NEW			 203
+#define ASN1_F_X509_CERT_AUX_NEW			 286
 #define ASN1_F_X509_CINF_NEW				 204
 #define ASN1_F_X509_CRL_INFO_NEW			 205
 #define ASN1_F_X509_CRL_NEW				 206
@@ -889,6 +1002,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_R_BN_LIB					 107
 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH			 108
 #define ASN1_R_BUFFER_TOO_SMALL				 109
+#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER		 166
 #define ASN1_R_DATA_IS_WRONG				 110
 #define ASN1_R_DECODE_ERROR				 155
 #define ASN1_R_DECODING_ERROR				 111
@@ -902,24 +1016,31 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_R_EXPECTING_A_BIT_STRING			 116
 #define ASN1_R_EXPECTING_A_BOOLEAN			 117
 #define ASN1_R_EXPECTING_A_GENERALIZEDTIME		 151
+#define ASN1_R_EXPECTING_A_NULL				 164
 #define ASN1_R_EXPECTING_A_TIME				 152
 #define ASN1_R_EXPECTING_A_UTCTIME			 118
 #define ASN1_R_FIRST_NUM_TOO_LARGE			 119
 #define ASN1_R_GENERALIZEDTIME_TOO_LONG			 153
 #define ASN1_R_HEADER_TOO_LONG				 120
+#define ASN1_R_ILLEGAL_CHARACTERS			 158
+#define ASN1_R_INVALID_BMPSTRING_LENGTH			 159
 #define ASN1_R_INVALID_DIGIT				 121
 #define ASN1_R_INVALID_SEPARATOR			 122
 #define ASN1_R_INVALID_TIME_FORMAT			 123
+#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH		 160
+#define ASN1_R_INVALID_UTF8STRING			 161
 #define ASN1_R_IV_TOO_LARGE				 124
 #define ASN1_R_LENGTH_ERROR				 125
 #define ASN1_R_MISSING_SECOND_NUMBER			 126
 #define ASN1_R_NON_HEX_CHARACTERS			 127
 #define ASN1_R_NOT_ENOUGH_DATA				 128
+#define ASN1_R_NULL_IS_WRONG_LENGTH			 165
 #define ASN1_R_ODD_NUMBER_OF_CHARS			 129
 #define ASN1_R_PARSING					 130
 #define ASN1_R_PRIVATE_KEY_HEADER_MISSING		 131
 #define ASN1_R_SECOND_NUMBER_TOO_LARGE			 132
 #define ASN1_R_SHORT_LINE				 133
+#define ASN1_R_STRING_TOO_LONG				 163
 #define ASN1_R_STRING_TOO_SHORT				 134
 #define ASN1_R_TAG_VALUE_TOO_HIGH			 135
 #define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 136
@@ -927,6 +1048,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 138
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 139
 #define ASN1_R_UNKNOWN_ATTRIBUTE_TYPE			 140
+#define ASN1_R_UNKNOWN_FORMAT				 162
 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM		 141
 #define ASN1_R_UNKNOWN_OBJECT_TYPE			 142
 #define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE			 143
diff --git a/lib/libcrypto/asn1/asn1_err.c b/lib/libcrypto/asn1/asn1_err.c
index 16755a0b059..b1838142423 100644
--- a/lib/libcrypto/asn1/asn1_err.c
+++ b/lib/libcrypto/asn1/asn1_err.c
@@ -69,19 +69,21 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),	"a2i_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0),	"a2i_ASN1_INTEGER"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),	"a2i_ASN1_STRING"},
+{ERR_PACK(0,ASN1_F_ACCESS_DESCRIPTION_NEW,0),	"ACCESS_DESCRIPTION_new"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),	"ASN1_COLLATE_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),	"ASN1_d2i_bio"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),	"ASN1_d2i_fp"},
 {ERR_PACK(0,ASN1_F_ASN1_DUP,0),	"ASN1_dup"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),	"ASN1_ENUMERATED_set"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),	"ASN1_ENUMERATED_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_NEW,0),	"ASN1_GENERALIZEDTIME_NEW"},
+{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_NEW,0),	"ASN1_GENERALIZEDTIME_new"},
 {ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),	"ASN1_get_object"},
 {ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),	"ASN1_HEADER_new"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),	"ASN1_i2d_bio"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0),	"ASN1_i2d_fp"},
 {ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0),	"ASN1_INTEGER_set"},
 {ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0),	"ASN1_INTEGER_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0),	"ASN1_mbstring_copy"},
 {ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0),	"ASN1_OBJECT_new"},
 {ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0),	"ASN1_pack_string"},
 {ERR_PACK(0,ASN1_F_ASN1_PBE_SET,0),	"ASN1_PBE_SET"},
@@ -89,17 +91,19 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),	"ASN1_seq_unpack"},
 {ERR_PACK(0,ASN1_F_ASN1_SIGN,0),	"ASN1_sign"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_NEW,0),	"ASN1_STRING_new"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),	"ASN1_STRING_TABLE_add"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),	"ASN1_STRING_type_new"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_NEW,0),	"ASN1_TYPE_new"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),	"ASN1_unpack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_NEW,0),	"ASN1_UTCTIME_NEW"},
+{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_NEW,0),	"ASN1_UTCTIME_new"},
 {ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),	"ASN1_verify"},
 {ERR_PACK(0,ASN1_F_AUTHORITY_KEYID_NEW,0),	"AUTHORITY_KEYID_new"},
 {ERR_PACK(0,ASN1_F_BASIC_CONSTRAINTS_NEW,0),	"BASIC_CONSTRAINTS_new"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),	"BN_to_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),	"BN_to_ASN1_INTEGER"},
+{ERR_PACK(0,ASN1_F_D2I_ACCESS_DESCRIPTION,0),	"d2i_ACCESS_DESCRIPTION"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),	"d2i_ASN1_BIT_STRING"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_BMPSTRING,0),	"d2i_ASN1_BMPSTRING"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0),	"d2i_ASN1_BOOLEAN"},
@@ -108,6 +112,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0),	"d2i_ASN1_GENERALIZEDTIME"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0),	"d2i_ASN1_HEADER"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0),	"d2i_ASN1_INTEGER"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_NULL,0),	"d2i_ASN1_NULL"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0),	"d2i_ASN1_OBJECT"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_OCTET_STRING,0),	"d2i_ASN1_OCTET_STRING"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_PRINT_TYPE,0),	"D2I_ASN1_PRINT_TYPE"},
@@ -135,6 +140,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKAC,0),	"d2i_NETSCAPE_SPKAC"},
 {ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKI,0),	"d2i_NETSCAPE_SPKI"},
 {ERR_PACK(0,ASN1_F_D2I_NOTICEREF,0),	"d2i_NOTICEREF"},
+{ERR_PACK(0,ASN1_F_D2I_OTHERNAME,0),	"d2i_OTHERNAME"},
 {ERR_PACK(0,ASN1_F_D2I_PBE2PARAM,0),	"d2i_PBE2PARAM"},
 {ERR_PACK(0,ASN1_F_D2I_PBEPARAM,0),	"d2i_PBEPARAM"},
 {ERR_PACK(0,ASN1_F_D2I_PBKDF2PARAM,0),	"d2i_PBKDF2PARAM"},
@@ -166,6 +172,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509,0),	"d2i_X509"},
 {ERR_PACK(0,ASN1_F_D2I_X509_ALGOR,0),	"d2i_X509_ALGOR"},
 {ERR_PACK(0,ASN1_F_D2I_X509_ATTRIBUTE,0),	"d2i_X509_ATTRIBUTE"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CERT_AUX,0),	"d2i_X509_CERT_AUX"},
 {ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),	"d2i_X509_CINF"},
 {ERR_PACK(0,ASN1_F_D2I_X509_CRL,0),	"d2i_X509_CRL"},
 {ERR_PACK(0,ASN1_F_D2I_X509_CRL_INFO,0),	"d2i_X509_CRL_INFO"},
@@ -189,12 +196,14 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_I2D_DSAPARAMS,0),	"i2d_DSAparams"},
 {ERR_PACK(0,ASN1_F_I2D_DSAPRIVATEKEY,0),	"i2d_DSAPrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_DSAPUBLICKEY,0),	"i2d_DSAPublicKey"},
+{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
 {ERR_PACK(0,ASN1_F_I2D_PKCS7,0),	"i2d_PKCS7"},
 {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
 {ERR_PACK(0,ASN1_F_I2D_RSAPRIVATEKEY,0),	"i2d_RSAPrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_RSAPUBLICKEY,0),	"i2d_RSAPublicKey"},
+{ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),	"i2d_RSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_X509_ATTRIBUTE,0),	"i2d_X509_ATTRIBUTE"},
 {ERR_PACK(0,ASN1_F_I2T_ASN1_OBJECT,0),	"i2t_ASN1_OBJECT"},
 {ERR_PACK(0,ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW,0),	"NETSCAPE_CERT_SEQUENCE_new"},
@@ -202,6 +211,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_NETSCAPE_SPKAC_NEW,0),	"NETSCAPE_SPKAC_new"},
 {ERR_PACK(0,ASN1_F_NETSCAPE_SPKI_NEW,0),	"NETSCAPE_SPKI_new"},
 {ERR_PACK(0,ASN1_F_NOTICEREF_NEW,0),	"NOTICEREF_new"},
+{ERR_PACK(0,ASN1_F_OTHERNAME_NEW,0),	"OTHERNAME_new"},
 {ERR_PACK(0,ASN1_F_PBE2PARAM_NEW,0),	"PBE2PARAM_new"},
 {ERR_PACK(0,ASN1_F_PBEPARAM_NEW,0),	"PBEPARAM_new"},
 {ERR_PACK(0,ASN1_F_PBKDF2PARAM_NEW,0),	"PBKDF2PARAM_new"},
@@ -229,6 +239,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_USERNOTICE_NEW,0),	"USERNOTICE_new"},
 {ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0),	"X509_ALGOR_new"},
 {ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0),	"X509_ATTRIBUTE_new"},
+{ERR_PACK(0,ASN1_F_X509_CERT_AUX_NEW,0),	"X509_CERT_AUX_new"},
 {ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_new"},
 {ERR_PACK(0,ASN1_F_X509_CRL_INFO_NEW,0),	"X509_CRL_INFO_new"},
 {ERR_PACK(0,ASN1_F_X509_CRL_NEW,0),	"X509_CRL_new"},
@@ -262,6 +273,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_BN_LIB                           ,"bn lib"},
 {ASN1_R_BOOLEAN_IS_WRONG_LENGTH          ,"boolean is wrong length"},
 {ASN1_R_BUFFER_TOO_SMALL                 ,"buffer too small"},
+{ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER  ,"cipher has no object identifier"},
 {ASN1_R_DATA_IS_WRONG                    ,"data is wrong"},
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
@@ -275,24 +287,31 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_EXPECTING_A_BIT_STRING           ,"expecting a bit string"},
 {ASN1_R_EXPECTING_A_BOOLEAN              ,"expecting a boolean"},
 {ASN1_R_EXPECTING_A_GENERALIZEDTIME      ,"expecting a generalizedtime"},
+{ASN1_R_EXPECTING_A_NULL                 ,"expecting a null"},
 {ASN1_R_EXPECTING_A_TIME                 ,"expecting a time"},
 {ASN1_R_EXPECTING_A_UTCTIME              ,"expecting a utctime"},
 {ASN1_R_FIRST_NUM_TOO_LARGE              ,"first num too large"},
 {ASN1_R_GENERALIZEDTIME_TOO_LONG         ,"generalizedtime too long"},
 {ASN1_R_HEADER_TOO_LONG                  ,"header too long"},
+{ASN1_R_ILLEGAL_CHARACTERS               ,"illegal characters"},
+{ASN1_R_INVALID_BMPSTRING_LENGTH         ,"invalid bmpstring length"},
 {ASN1_R_INVALID_DIGIT                    ,"invalid digit"},
 {ASN1_R_INVALID_SEPARATOR                ,"invalid separator"},
 {ASN1_R_INVALID_TIME_FORMAT              ,"invalid time format"},
+{ASN1_R_INVALID_UNIVERSALSTRING_LENGTH   ,"invalid universalstring length"},
+{ASN1_R_INVALID_UTF8STRING               ,"invalid utf8string"},
 {ASN1_R_IV_TOO_LARGE                     ,"iv too large"},
 {ASN1_R_LENGTH_ERROR                     ,"length error"},
 {ASN1_R_MISSING_SECOND_NUMBER            ,"missing second number"},
 {ASN1_R_NON_HEX_CHARACTERS               ,"non hex characters"},
 {ASN1_R_NOT_ENOUGH_DATA                  ,"not enough data"},
+{ASN1_R_NULL_IS_WRONG_LENGTH             ,"null is wrong length"},
 {ASN1_R_ODD_NUMBER_OF_CHARS              ,"odd number of chars"},
 {ASN1_R_PARSING                          ,"parsing"},
 {ASN1_R_PRIVATE_KEY_HEADER_MISSING       ,"private key header missing"},
 {ASN1_R_SECOND_NUMBER_TOO_LARGE          ,"second number too large"},
 {ASN1_R_SHORT_LINE                       ,"short line"},
+{ASN1_R_STRING_TOO_LONG                  ,"string too long"},
 {ASN1_R_STRING_TOO_SHORT                 ,"string too short"},
 {ASN1_R_TAG_VALUE_TOO_HIGH               ,"tag value too high"},
 {ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
@@ -300,6 +319,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_UNABLE_TO_DECODE_RSA_KEY         ,"unable to decode rsa key"},
 {ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
 {ASN1_R_UNKNOWN_ATTRIBUTE_TYPE           ,"unknown attribute type"},
+{ASN1_R_UNKNOWN_FORMAT                   ,"unknown format"},
 {ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
 {ASN1_R_UNKNOWN_OBJECT_TYPE              ,"unknown object type"},
 {ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE          ,"unknown public key type"},
diff --git a/lib/libcrypto/asn1/asn1_lib.c b/lib/libcrypto/asn1/asn1_lib.c
index 95e54ed6267..be8daa8688d 100644
--- a/lib/libcrypto/asn1/asn1_lib.c
+++ b/lib/libcrypto/asn1/asn1_lib.c
@@ -176,7 +176,7 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 	}
 
 /* class 0 is constructed
- * constructed == 2 for indefinitle length constructed */
+ * constructed == 2 for indefinite length constructed */
 void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
 	     int xclass)
 	{
@@ -349,7 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
 	if (data != NULL)
 		{
 		memcpy(str->data,data,len);
-		/* an alowance for strings :-) */
+		/* an allowance for strings :-) */
 		str->data[len]='\0';
 		}
 	return(1);
@@ -381,8 +381,8 @@ ASN1_STRING *ASN1_STRING_type_new(int type)
 void ASN1_STRING_free(ASN1_STRING *a)
 	{
 	if (a == NULL) return;
-	if (a->data != NULL) Free((char *)a->data);
-	Free((char *)a);
+	if (a->data != NULL) Free(a->data);
+	Free(a);
 	}
 
 int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
@@ -411,3 +411,14 @@ void asn1_add_error(unsigned char *address, int offset)
 	ERR_add_error_data(4,"address=",buf1," offset=",buf2);
 	}
 
+int ASN1_STRING_length(ASN1_STRING *x)
+{ return M_ASN1_STRING_length(x); }
+
+void ASN1_STRING_length_set(ASN1_STRING *x, int len)
+{ M_ASN1_STRING_length_set(x, len); return; }
+
+int ASN1_STRING_type(ASN1_STRING *x)
+{ return M_ASN1_STRING_type(x); }
+
+unsigned char * ASN1_STRING_data(ASN1_STRING *x)
+{ return M_ASN1_STRING_data(x); }
diff --git a/lib/libcrypto/asn1/asn1_mac.h b/lib/libcrypto/asn1/asn1_mac.h
index 93f9c5193c5..4f2a82d340e 100644
--- a/lib/libcrypto/asn1/asn1_mac.h
+++ b/lib/libcrypto/asn1/asn1_mac.h
@@ -106,6 +106,20 @@ err:\
 #define M_ASN1_D2I_start_sequence() \
 	if (!asn1_GetSequence(&c,&length)) \
 		{ c.line=__LINE__; goto err; }
+/* Begin reading ASN1 without a surrounding sequence */
+#define M_ASN1_D2I_begin() \
+	c.slen = length;
+
+/* End reading ASN1 with no check on length */
+#define M_ASN1_D2I_Finish_nolen(a, func, e) \
+	*pp=c.p; \
+	if (a != NULL) (*a)=ret; \
+	return(ret); \
+err:\
+	ASN1_MAC_H_err((e),c.error,c.line); \
+	asn1_add_error(*pp,(int)(c.q- *pp)); \
+	if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
+	return(NULL)
 
 #define M_ASN1_D2I_end_sequence() \
 	(((c.inf&1) == 0)?(c.slen <= 0): \
diff --git a/lib/libcrypto/asn1/asn1_par.c b/lib/libcrypto/asn1/asn1_par.c
index 86886606ef6..d1e9816bad3 100644
--- a/lib/libcrypto/asn1/asn1_par.c
+++ b/lib/libcrypto/asn1/asn1_par.c
@@ -93,55 +93,8 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 		sprintf(str,"cont [ %d ]",tag);
 	else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
 		sprintf(str,"appl [ %d ]",tag);
-	else if ((tag == V_ASN1_EOC) /* && (xclass == V_ASN1_UNIVERSAL) */)
-		p="EOC";
-	else if (tag == V_ASN1_BOOLEAN)
-		p="BOOLEAN";
-	else if (tag == V_ASN1_INTEGER)
-		p="INTEGER";
-	else if (tag == V_ASN1_ENUMERATED)
-		p="ENUMERATED";
-	else if (tag == V_ASN1_BIT_STRING)
-		p="BIT STRING";
-	else if (tag == V_ASN1_OCTET_STRING)
-		p="OCTET STRING";
-	else if (tag == V_ASN1_NULL)
-		p="NULL";
-	else if (tag == V_ASN1_OBJECT)
-		p="OBJECT";
-	else if (tag == V_ASN1_SEQUENCE)
-		p="SEQUENCE";
-	else if (tag == V_ASN1_SET)
-		p="SET";
-	else if (tag == V_ASN1_PRINTABLESTRING)
-		p="PRINTABLESTRING";
-	else if (tag == V_ASN1_T61STRING)
-		p="T61STRING";
-	else if (tag == V_ASN1_IA5STRING)
-		p="IA5STRING";
-	else if (tag == V_ASN1_UTCTIME)
-		p="UTCTIME";
+	else p = ASN1_tag2str(tag);
 
-	/* extras */
-	else if (tag == V_ASN1_NUMERICSTRING)
-		p="NUMERICSTRING";
-	else if (tag == V_ASN1_VIDEOTEXSTRING)
-		p="VIDEOTEXSTRING";
-	else if (tag == V_ASN1_GENERALIZEDTIME)
-		p="GENERALIZEDTIME";
-	else if (tag == V_ASN1_GRAPHICSTRING)
-		p="GRAPHICSTRING";
-	else if (tag == V_ASN1_VISIBLESTRING)
-		p="VISIBLESTRING";
-	else if (tag == V_ASN1_GENERALSTRING)
-		p="GENERALSTRING";
-	else if (tag == V_ASN1_UNIVERSALSTRING)
-		p="UNIVERSALSTRING";
-	else if (tag == V_ASN1_BMPSTRING)
-		p="BMPSTRING";
-	else
-		p2="(unknown)";
-		
 	if (p2 != NULL)
 		{
 		if (BIO_printf(bp,fmt2,tag,p2) <= 0) goto err;
@@ -320,7 +273,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 							os->length) <= 0)
 							goto end;
 						}
-					ASN1_OCTET_STRING_free(os);
+					M_ASN1_OCTET_STRING_free(os);
 					os=NULL;
 					}
 				}
@@ -354,7 +307,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 					if (BIO_write(bp,"BAD INTEGER",11) <= 0)
 						goto end;
 					}
-				ASN1_INTEGER_free(bs);
+				M_ASN1_INTEGER_free(bs);
 				}
 			else if (tag == V_ASN1_ENUMERATED)
 				{
@@ -386,7 +339,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 					if (BIO_write(bp,"BAD ENUMERATED",11) <= 0)
 						goto end;
 					}
-				ASN1_ENUMERATED_free(bs);
+				M_ASN1_ENUMERATED_free(bs);
 				}
 
 			if (!nl) 
@@ -405,7 +358,28 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset,
 	ret=1;
 end:
 	if (o != NULL) ASN1_OBJECT_free(o);
-	if (os != NULL) ASN1_OCTET_STRING_free(os);
+	if (os != NULL) M_ASN1_OCTET_STRING_free(os);
 	*pp=p;
 	return(ret);
 	}
+
+const char *ASN1_tag2str(int tag)
+{
+	const static char *tag2str[] = {
+	 "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", /* 0-4 */
+	 "NULL", "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", /* 5-9 */
+	 "ENUMERATED", "<ASN1 11>", "UTF8STRING", "<ASN1 13>", 	    /* 10-13 */
+	"<ASN1 14>", "<ASN1 15>", "SEQUENCE", "SET", 		    /* 15-17 */
+	"NUMERICSTRING", "PRINTABLESTRING", "T61STRING",	    /* 18-20 */
+	"VIDEOTEXSTRING", "IA5STRING", "UTCTIME","GENERALIZEDTIME", /* 21-24 */
+	"GRAPHICSTRING", "VISIBLESTRING", "GENERALSTRING",	    /* 25-27 */
+	"UNIVERSALSTRING", "<ASN1 29>", "BMPSTRING"		    /* 28-30 */
+	};
+
+	if((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED))
+							tag &= ~0x100;
+
+	if(tag < 0 || tag > 30) return "(unknown)";
+	return tag2str[tag];
+}
+
diff --git a/lib/libcrypto/asn1/d2i_dhp.c b/lib/libcrypto/asn1/d2i_dhp.c
index a077211a4c1..635ae829db3 100644
--- a/lib/libcrypto/asn1/d2i_dhp.c
+++ b/lib/libcrypto/asn1/d2i_dhp.c
@@ -86,7 +86,7 @@ DH *d2i_DHparams(DH **a, unsigned char **pp, long length)
 		ret->length=(int)v;
 		}
 
-	ASN1_BIT_STRING_free(bs);
+	M_ASN1_BIT_STRING_free(bs);
 
 	M_ASN1_D2I_Finish_2(a);
 
@@ -95,7 +95,7 @@ err_bn:
 err:
 	ASN1err(ASN1_F_D2I_DHPARAMS,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DH_free(ret);
-	if (bs != NULL) ASN1_BIT_STRING_free(bs);
+	if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
 	return(NULL);
 	}
 #endif
diff --git a/lib/libcrypto/asn1/d2i_dsap.c b/lib/libcrypto/asn1/d2i_dsap.c
index cdd7136f512..6d1c2971330 100644
--- a/lib/libcrypto/asn1/d2i_dsap.c
+++ b/lib/libcrypto/asn1/d2i_dsap.c
@@ -83,7 +83,7 @@ DSA *d2i_DSAparams(DSA **a, unsigned char **pp, long length)
 	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
 	if ((ret->g=BN_bin2bn(bs->data,bs->length,ret->g)) == NULL) goto err_bn;
 
-	ASN1_BIT_STRING_free(bs);
+	M_ASN1_BIT_STRING_free(bs);
 
 	M_ASN1_D2I_Finish_2(a);
 
@@ -92,7 +92,7 @@ err_bn:
 err:
 	ASN1err(ASN1_F_D2I_DSAPARAMS,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_free(ret);
-	if (bs != NULL) ASN1_BIT_STRING_free(bs);
+	if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
 	return(NULL);
 	}
 #endif
diff --git a/lib/libcrypto/asn1/d2i_pr.c b/lib/libcrypto/asn1/d2i_pr.c
index f3d1aa6240e..c92b8325d8f 100644
--- a/lib/libcrypto/asn1/d2i_pr.c
+++ b/lib/libcrypto/asn1/d2i_pr.c
@@ -112,3 +112,26 @@ err:
 	return(NULL);
 	}
 
+/* This works like d2i_PrivateKey() except it automatically works out the type */
+
+EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
+	     long length)
+{
+	STACK_OF(ASN1_TYPE) *inkey;
+	unsigned char *p;
+	int keytype;
+	p = *pp;
+	/* Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE):
+	 * by analyzing it we can determine the passed structure: this
+	 * assumes the input is surrounded by an ASN1 SEQUENCE.
+	 */
+	inkey = d2i_ASN1_SET_OF_ASN1_TYPE(NULL, &p, length, d2i_ASN1_TYPE, 
+			ASN1_TYPE_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+	/* Since we only need to discern "traditional format" RSA and DSA
+	 * keys we can just count the elements.
+         */
+	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
+	else keytype = EVP_PKEY_RSA;
+	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
+	return d2i_PrivateKey(keytype, a, pp, length);
+}
diff --git a/lib/libcrypto/asn1/d2i_r_pr.c b/lib/libcrypto/asn1/d2i_r_pr.c
index 18f11b6f5ef..6c8a45f821f 100644
--- a/lib/libcrypto/asn1/d2i_r_pr.c
+++ b/lib/libcrypto/asn1/d2i_r_pr.c
@@ -107,7 +107,7 @@ RSA *d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length)
 	if ((ret->iqmp=BN_bin2bn(bs->data,bs->length,ret->iqmp)) == NULL)
 		goto err_bn;
 
-	ASN1_INTEGER_free(bs);
+	M_ASN1_INTEGER_free(bs);
 
 	M_ASN1_D2I_Finish_2(a);
 err_bn:
@@ -115,7 +115,14 @@ err_bn:
 err:
 	ASN1err(ASN1_F_D2I_RSAPRIVATEKEY,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) RSA_free(ret);
-	if (bs != NULL) ASN1_INTEGER_free(bs);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
+
 	return(NULL);
 	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/lib/libcrypto/asn1/d2i_r_pu.c b/lib/libcrypto/asn1/d2i_r_pu.c
index c4ae58b5943..d1289f160ee 100644
--- a/lib/libcrypto/asn1/d2i_r_pu.c
+++ b/lib/libcrypto/asn1/d2i_r_pu.c
@@ -81,7 +81,7 @@ RSA *d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length)
 	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
 	if ((ret->e=BN_bin2bn(bs->data,bs->length,ret->e)) == NULL) goto err_bn;
 
-	ASN1_INTEGER_free(bs);
+	M_ASN1_INTEGER_free(bs);
 	bs=NULL;
 
 	M_ASN1_D2I_Finish_2(a);
@@ -91,7 +91,13 @@ err_bn:
 err:
 	ASN1err(ASN1_F_D2I_RSAPUBLICKEY,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) RSA_free(ret);
-	if (bs != NULL) ASN1_INTEGER_free(bs);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
 	return(NULL);
 	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/lib/libcrypto/asn1/d2i_s_pr.c b/lib/libcrypto/asn1/d2i_s_pr.c
index 050e1cc5fb2..dec2a2ebd38 100644
--- a/lib/libcrypto/asn1/d2i_s_pr.c
+++ b/lib/libcrypto/asn1/d2i_s_pr.c
@@ -91,7 +91,7 @@ DSA *d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length)
 	if ((ret->priv_key=BN_bin2bn(bs->data,bs->length,ret->priv_key))
 		== NULL) goto err_bn;
 
-	ASN1_INTEGER_free(bs);
+	M_ASN1_INTEGER_free(bs);
 
 	M_ASN1_D2I_Finish_2(a);
 err_bn:
@@ -99,7 +99,7 @@ err_bn:
 err:
 	ASN1err(ASN1_F_D2I_DSAPRIVATEKEY,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_free(ret);
-	if (bs != NULL) ASN1_INTEGER_free(bs);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
 	return(NULL);
 	}
 #endif
diff --git a/lib/libcrypto/asn1/d2i_s_pu.c b/lib/libcrypto/asn1/d2i_s_pu.c
index 94ea1c313b6..e0adaa03936 100644
--- a/lib/libcrypto/asn1/d2i_s_pu.c
+++ b/lib/libcrypto/asn1/d2i_s_pu.c
@@ -107,7 +107,7 @@ DSA *d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length)
 		ret->write_params=1;
 		}
 
-	ASN1_INTEGER_free(bs);
+	M_ASN1_INTEGER_free(bs);
 	bs=NULL;
 	M_ASN1_D2I_Finish_2(a);
 err_bn:
@@ -115,7 +115,7 @@ err_bn:
 err:
 	ASN1err(ASN1_F_D2I_DSAPUBLICKEY,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_free(ret);
-	if (bs != NULL) ASN1_INTEGER_free(bs);
+	if (bs != NULL) M_ASN1_INTEGER_free(bs);
 	return(NULL);
 	}
 #endif
diff --git a/lib/libcrypto/asn1/evp_asn1.c b/lib/libcrypto/asn1/evp_asn1.c
index 41ced49c190..3506005a714 100644
--- a/lib/libcrypto/asn1/evp_asn1.c
+++ b/lib/libcrypto/asn1/evp_asn1.c
@@ -65,8 +65,8 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len)
 	{
 	ASN1_STRING *os;
 
-	if ((os=ASN1_OCTET_STRING_new()) == NULL) return(0);
-	if (!ASN1_OCTET_STRING_set(os,data,len)) return(0);
+	if ((os=M_ASN1_OCTET_STRING_new()) == NULL) return(0);
+	if (!M_ASN1_OCTET_STRING_set(os,data,len)) return(0);
 	ASN1_TYPE_set(a,V_ASN1_OCTET_STRING,os);
 	return(1);
 	}
@@ -83,8 +83,8 @@ int ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data,
 		ASN1err(ASN1_F_ASN1_TYPE_GET_OCTETSTRING,ASN1_R_DATA_IS_WRONG);
 		return(-1);
 		}
-	p=ASN1_STRING_data(a->value.octet_string);
-	ret=ASN1_STRING_length(a->value.octet_string);
+	p=M_ASN1_STRING_data(a->value.octet_string);
+	ret=M_ASN1_STRING_length(a->value.octet_string);
 	if (ret < max_len)
 		num=ret;
 	else
@@ -117,8 +117,8 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
 	/* Grow the 'string' */
 	ASN1_STRING_set(osp,NULL,size);
 
-	ASN1_STRING_length(osp)=size;
-	p=ASN1_STRING_data(osp);
+	M_ASN1_STRING_length_set(osp, size);
+	p=M_ASN1_STRING_data(osp);
 
 	ASN1_put_object(&p,1,n,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
 	  i2d_ASN1_INTEGER(&in,&p);
@@ -145,8 +145,8 @@ int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data,
 		{
 		goto err;
 		}
-	p=ASN1_STRING_data(a->value.sequence);
-	length=ASN1_STRING_length(a->value.sequence);
+	p=M_ASN1_STRING_data(a->value.sequence);
+	length=M_ASN1_STRING_length(a->value.sequence);
 
 	c.pp= &p;
 	c.p=p;
@@ -165,21 +165,21 @@ int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data,
 	if (num != NULL)
 		*num=ASN1_INTEGER_get(ai);
 
-	ret=ASN1_STRING_length(os);
+	ret=M_ASN1_STRING_length(os);
 	if (max_len > ret)
 		n=ret;
 	else
 		n=max_len;
 
 	if (data != NULL)
-		memcpy(data,ASN1_STRING_data(os),n);
+		memcpy(data,M_ASN1_STRING_data(os),n);
 	if (0)
 		{
 err:
 		ASN1err(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,ASN1_R_DATA_IS_WRONG);
 		}
-	if (os != NULL) ASN1_OCTET_STRING_free(os);
-	if (ai != NULL) ASN1_INTEGER_free(ai);
+	if (os != NULL) M_ASN1_OCTET_STRING_free(os);
+	if (ai != NULL) M_ASN1_INTEGER_free(ai);
 	return(ret);
 	}
 
diff --git a/lib/libcrypto/asn1/f_enum.c b/lib/libcrypto/asn1/f_enum.c
index 3bcceecdb85..3d0b1107cba 100644
--- a/lib/libcrypto/asn1/f_enum.c
+++ b/lib/libcrypto/asn1/f_enum.c
@@ -161,7 +161,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
 			if (sp == NULL)
 				{
 				ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
-				if (s != NULL) Free((char *)s);
+				if (s != NULL) Free(s);
 				goto err;
 				}
 			s=sp;
diff --git a/lib/libcrypto/asn1/f_int.c b/lib/libcrypto/asn1/f_int.c
index 55560dd814a..cd57331c3f0 100644
--- a/lib/libcrypto/asn1/f_int.c
+++ b/lib/libcrypto/asn1/f_int.c
@@ -168,7 +168,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
 			if (sp == NULL)
 				{
 				ASN1err(ASN1_F_A2I_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
-				if (s != NULL) Free((char *)s);
+				if (s != NULL) Free(s);
 				goto err;
 				}
 			s=sp;
diff --git a/lib/libcrypto/asn1/f_string.c b/lib/libcrypto/asn1/f_string.c
index 5d0cf5a46d4..088313689ab 100644
--- a/lib/libcrypto/asn1/f_string.c
+++ b/lib/libcrypto/asn1/f_string.c
@@ -166,7 +166,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
 			if (sp == NULL)
 				{
 				ASN1err(ASN1_F_A2I_ASN1_STRING,ERR_R_MALLOC_FAILURE);
-				if (s != NULL) Free((char *)s);
+				if (s != NULL) Free(s);
 				goto err;
 				}
 			s=sp;
diff --git a/lib/libcrypto/asn1/i2d_dhp.c b/lib/libcrypto/asn1/i2d_dhp.c
index fdda4ec41bc..61eeb646f9e 100644
--- a/lib/libcrypto/asn1/i2d_dhp.c
+++ b/lib/libcrypto/asn1/i2d_dhp.c
@@ -118,7 +118,7 @@ int i2d_DHparams(DH *a, unsigned char **pp)
 		bs.length=BN_bn2bin(num[i],bs.data);
 		i2d_ASN1_INTEGER(&bs,&p);
 		}
-	Free((char *)bs.data);
+	Free(bs.data);
 	ret=t;
 err:
 	if (num[2] != NULL) BN_free(num[2]);
diff --git a/lib/libcrypto/asn1/i2d_dsap.c b/lib/libcrypto/asn1/i2d_dsap.c
index f36f0da4e2e..4021123ba3f 100644
--- a/lib/libcrypto/asn1/i2d_dsap.c
+++ b/lib/libcrypto/asn1/i2d_dsap.c
@@ -107,7 +107,7 @@ int i2d_DSAparams(DSA *a, unsigned char **pp)
 		bs.length=BN_bn2bin(num[i],bs.data);
 		i2d_ASN1_INTEGER(&bs,&p);
 		}
-	Free((char *)bs.data);
+	Free(bs.data);
 	ret=t;
 err:
 	*pp=p;
diff --git a/lib/libcrypto/asn1/i2d_r_pr.c b/lib/libcrypto/asn1/i2d_r_pr.c
index 27e6844a7f6..1250fa4b2dd 100644
--- a/lib/libcrypto/asn1/i2d_r_pr.c
+++ b/lib/libcrypto/asn1/i2d_r_pr.c
@@ -119,9 +119,15 @@ int i2d_RSAPrivateKey(RSA *a, unsigned char **pp)
 		bs.length=BN_bn2bin(num[i],bs.data);
 		i2d_ASN1_INTEGER(&bs,&p);
 		}
-	Free((char *)bs.data);
+	Free(bs.data);
 	*pp=p;
 	return(t);
 	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
 
diff --git a/lib/libcrypto/asn1/i2d_r_pu.c b/lib/libcrypto/asn1/i2d_r_pu.c
index 6d01bfa8b5e..582b92ee4c1 100644
--- a/lib/libcrypto/asn1/i2d_r_pu.c
+++ b/lib/libcrypto/asn1/i2d_r_pu.c
@@ -105,8 +105,14 @@ int i2d_RSAPublicKey(RSA *a, unsigned char **pp)
 		bs.length=BN_bn2bin(num[i],bs.data);
 		i2d_ASN1_INTEGER(&bs,&p);
 		}
-	Free((char *)bs.data);
+	Free(bs.data);
 	*pp=p;
 	return(t);
 	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/lib/libcrypto/asn1/i2d_s_pr.c b/lib/libcrypto/asn1/i2d_s_pr.c
index 5d3dcdf1979..e399ceaeb91 100644
--- a/lib/libcrypto/asn1/i2d_s_pr.c
+++ b/lib/libcrypto/asn1/i2d_s_pr.c
@@ -116,7 +116,7 @@ int i2d_DSAPrivateKey(DSA *a, unsigned char **pp)
 		bs.length=BN_bn2bin(num[i],bs.data);
 		i2d_ASN1_INTEGER(&bs,&p);
 		}
-	Free((char *)bs.data);
+	Free(bs.data);
 	*pp=p;
 	return(t);
 	}
diff --git a/lib/libcrypto/asn1/i2d_s_pu.c b/lib/libcrypto/asn1/i2d_s_pu.c
index 18f790f7465..ca7f251b719 100644
--- a/lib/libcrypto/asn1/i2d_s_pu.c
+++ b/lib/libcrypto/asn1/i2d_s_pu.c
@@ -121,7 +121,7 @@ int i2d_DSAPublicKey(DSA *a, unsigned char **pp)
 		bs.length=BN_bn2bin(num[i],bs.data);
 		i2d_ASN1_INTEGER(&bs,&p);
 		}
-	Free((char *)bs.data);
+	Free(bs.data);
 	*pp=p;
 	if(all) return(t);
 	else return(tot);
diff --git a/lib/libcrypto/asn1/n_pkey.c b/lib/libcrypto/asn1/n_pkey.c
index cdc0d8b7c46..d804986b73b 100644
--- a/lib/libcrypto/asn1/n_pkey.c
+++ b/lib/libcrypto/asn1/n_pkey.c
@@ -139,7 +139,7 @@ int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)())
 		}
 
 	if (pkey->private_key->data != NULL)
-		Free((char *)pkey->private_key->data);
+		Free(pkey->private_key->data);
 	if ((pkey->private_key->data=(unsigned char *)Malloc(l[0])) == NULL)
 		{
 		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
@@ -205,10 +205,10 @@ RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)())
 		(char *)os->data,os->length) != 0))
 		{
 		ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
-		ASN1_BIT_STRING_free(os);
+		M_ASN1_BIT_STRING_free(os);
 		goto err;
 		}
-	ASN1_BIT_STRING_free(os);
+	M_ASN1_BIT_STRING_free(os);
 	c.q=c.p;
 	if ((ret=d2i_Netscape_RSA_2(a,&c.p,c.slen,cb)) == NULL) goto err;
 	c.slen-=(c.p-c.q);
@@ -279,7 +279,7 @@ RSA *d2i_Netscape_RSA_2(RSA **a, unsigned char **pp, long length,
 	*pp=c.p;
 err:
 	if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
-	if (os != NULL) ASN1_BIT_STRING_free(os);
+	if (os != NULL) M_ASN1_BIT_STRING_free(os);
 	if (alg != NULL) X509_ALGOR_free(alg);
 	return(ret);
 	}
@@ -321,9 +321,9 @@ static NETSCAPE_PKEY *NETSCAPE_PKEY_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,NETSCAPE_PKEY);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->algor,X509_ALGOR_new);
-	M_ASN1_New(ret->private_key,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->private_key,M_ASN1_OCTET_STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_NETSCAPE_PKEY_NEW);
 	}
@@ -331,11 +331,18 @@ static NETSCAPE_PKEY *NETSCAPE_PKEY_new(void)
 static void NETSCAPE_PKEY_free(NETSCAPE_PKEY *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	X509_ALGOR_free(a->algor);
-	ASN1_OCTET_STRING_free(a->private_key);
-	Free((char *)a);
+	M_ASN1_OCTET_STRING_free(a->private_key);
+	Free(a);
 	}
 
 #endif /* NO_RC4 */
+
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/lib/libcrypto/asn1/p5_pbe.c b/lib/libcrypto/asn1/p5_pbe.c
index b831836e7b0..64e90237cc1 100644
--- a/lib/libcrypto/asn1/p5_pbe.c
+++ b/lib/libcrypto/asn1/p5_pbe.c
@@ -82,8 +82,8 @@ PBEPARAM *PBEPARAM_new(void)
 	PBEPARAM *ret=NULL;
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, PBEPARAM);
-	M_ASN1_New(ret->iter,ASN1_INTEGER_new);
-	M_ASN1_New(ret->salt,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->iter,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->salt,M_ASN1_OCTET_STRING_new);
 	return (ret);
 	M_ASN1_New_Error(ASN1_F_PBEPARAM_NEW);
 }
@@ -101,9 +101,9 @@ PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length)
 void PBEPARAM_free (PBEPARAM *a)
 {
 	if(a==NULL) return;
-	ASN1_OCTET_STRING_free(a->salt);
-	ASN1_INTEGER_free (a->iter);
-	Free ((char *)a);
+	M_ASN1_OCTET_STRING_free(a->salt);
+	M_ASN1_INTEGER_free (a->iter);
+	Free (a);
 }
 
 /* Return an algorithm identifier for a PKCS#5 PBE algorithm */
@@ -129,7 +129,8 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 	}
 	pbe->salt->length = saltlen;
 	if (salt) memcpy (pbe->salt->data, salt, saltlen);
-	else RAND_bytes (pbe->salt->data, saltlen);
+	else if (RAND_bytes (pbe->salt->data, saltlen) <= 0)
+		return NULL;
 
 	if (!(astype = ASN1_TYPE_new())) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
diff --git a/lib/libcrypto/asn1/p5_pbev2.c b/lib/libcrypto/asn1/p5_pbev2.c
index 09f4bf61121..4ce06a94ab9 100644
--- a/lib/libcrypto/asn1/p5_pbev2.c
+++ b/lib/libcrypto/asn1/p5_pbev2.c
@@ -104,7 +104,7 @@ void PBE2PARAM_free (PBE2PARAM *a)
 	if(a==NULL) return;
 	X509_ALGOR_free(a->keyfunc);
 	X509_ALGOR_free(a->encryption);
-	Free ((char *)a);
+	Free (a);
 }
 
 int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp)
@@ -131,7 +131,7 @@ PBKDF2PARAM *PBKDF2PARAM_new(void)
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, PBKDF2PARAM);
 	M_ASN1_New(ret->salt, ASN1_TYPE_new);
-	M_ASN1_New(ret->iter, ASN1_INTEGER_new);
+	M_ASN1_New(ret->iter, M_ASN1_INTEGER_new);
 	ret->keylength = NULL;
 	ret->prf = NULL;
 	return (ret);
@@ -155,10 +155,10 @@ void PBKDF2PARAM_free (PBKDF2PARAM *a)
 {
 	if(a==NULL) return;
 	ASN1_TYPE_free(a->salt);
-	ASN1_INTEGER_free(a->iter);
-	ASN1_INTEGER_free(a->keylength);
+	M_ASN1_INTEGER_free(a->iter);
+	M_ASN1_INTEGER_free(a->keylength);
 	X509_ALGOR_free(a->prf);
-	Free ((char *)a);
+	Free (a);
 }
 
 /* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm:
@@ -175,19 +175,26 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	PBKDF2PARAM *kdf = NULL;
 	PBE2PARAM *pbe2 = NULL;
 	ASN1_OCTET_STRING *osalt = NULL;
+	ASN1_OBJECT *obj;
+
+	alg_nid = EVP_CIPHER_type(cipher);
+	if(alg_nid == NID_undef) {
+		ASN1err(ASN1_F_PKCS5_PBE2_SET,
+				ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
+		goto err;
+	}
+	obj = OBJ_nid2obj(alg_nid);
 
 	if(!(pbe2 = PBE2PARAM_new())) goto merr;
 
 	/* Setup the AlgorithmIdentifier for the encryption scheme */
 	scheme = pbe2->encryption;
 
-	alg_nid = EVP_CIPHER_type(cipher);
-
-	scheme->algorithm = OBJ_nid2obj(alg_nid);
+	scheme->algorithm = obj;
 	if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
 
 	/* Create random IV */
-	RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
+	RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher));
 
 	/* Dummy cipherinit to just setup the IV */
 	EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
@@ -199,13 +206,13 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	EVP_CIPHER_CTX_cleanup(&ctx);
 
 	if(!(kdf = PBKDF2PARAM_new())) goto merr;
-	if(!(osalt = ASN1_OCTET_STRING_new())) goto merr;
+	if(!(osalt = M_ASN1_OCTET_STRING_new())) goto merr;
 
 	if (!saltlen) saltlen = PKCS5_SALT_LEN;
 	if (!(osalt->data = Malloc (saltlen))) goto merr;
 	osalt->length = saltlen;
 	if (salt) memcpy (osalt->data, salt, saltlen);
-	else RAND_bytes (osalt->data, saltlen);
+	else if (RAND_bytes (osalt->data, saltlen) <= 0) goto merr;
 
 	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
 	if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
@@ -218,7 +225,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	/* If its RC2 then we'd better setup the key length */
 
 	if(alg_nid == NID_rc2_cbc) {
-		if(!(kdf->keylength = ASN1_INTEGER_new())) goto merr;
+		if(!(kdf->keylength = M_ASN1_INTEGER_new())) goto merr;
 		if(!ASN1_INTEGER_set (kdf->keylength,
 				 EVP_CIPHER_key_length(cipher))) goto merr;
 	}
@@ -264,7 +271,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	err:
 	PBE2PARAM_free(pbe2);
 	/* Note 'scheme' is freed as part of pbe2 */
-	ASN1_OCTET_STRING_free(osalt);
+	M_ASN1_OCTET_STRING_free(osalt);
 	PBKDF2PARAM_free(kdf);
 	X509_ALGOR_free(kalg);
 	X509_ALGOR_free(ret);
diff --git a/lib/libcrypto/asn1/p7_dgst.c b/lib/libcrypto/asn1/p7_dgst.c
index 62783a2b8de..cba90e94a1e 100644
--- a/lib/libcrypto/asn1/p7_dgst.c
+++ b/lib/libcrypto/asn1/p7_dgst.c
@@ -101,10 +101,10 @@ PKCS7_DIGEST *PKCS7_DIGEST_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_DIGEST);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->md,X509_ALGOR_new);
 	M_ASN1_New(ret->contents,PKCS7_new);
-	M_ASN1_New(ret->digest,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->digest,M_ASN1_OCTET_STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_PKCS7_DIGEST_NEW);
 	}
@@ -112,10 +112,10 @@ PKCS7_DIGEST *PKCS7_DIGEST_new(void)
 void PKCS7_DIGEST_free(PKCS7_DIGEST *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	X509_ALGOR_free(a->md);
 	PKCS7_free(a->contents);
-	ASN1_OCTET_STRING_free(a->digest);
-	Free((char *)a);
+	M_ASN1_OCTET_STRING_free(a->digest);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/p7_enc.c b/lib/libcrypto/asn1/p7_enc.c
index 47411265870..83b0e15faa7 100644
--- a/lib/libcrypto/asn1/p7_enc.c
+++ b/lib/libcrypto/asn1/p7_enc.c
@@ -95,7 +95,7 @@ PKCS7_ENCRYPT *PKCS7_ENCRYPT_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_ENCRYPT);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->enc_data,PKCS7_ENC_CONTENT_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_PKCS7_ENCRYPT_NEW);
@@ -104,8 +104,8 @@ PKCS7_ENCRYPT *PKCS7_ENCRYPT_new(void)
 void PKCS7_ENCRYPT_free(PKCS7_ENCRYPT *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	PKCS7_ENC_CONTENT_free(a->enc_data);
-	Free((char *)a);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/p7_enc_c.c b/lib/libcrypto/asn1/p7_enc_c.c
index a832737a382..582cc78b069 100644
--- a/lib/libcrypto/asn1/p7_enc_c.c
+++ b/lib/libcrypto/asn1/p7_enc_c.c
@@ -101,7 +101,8 @@ PKCS7_ENC_CONTENT *PKCS7_ENC_CONTENT_new(void)
 
 	M_ASN1_New_Malloc(ret,PKCS7_ENC_CONTENT);
 	/* M_ASN1_New(ret->content_type,ASN1_OBJECT_new); */
-	ret->content_type=OBJ_nid2obj(NID_pkcs7_encrypted);
+	/* We will almost always want this: so make it the default */
+	ret->content_type=OBJ_nid2obj(NID_pkcs7_data);
 	M_ASN1_New(ret->algorithm,X509_ALGOR_new);
 	ret->enc_data=NULL;
 	return(ret);
@@ -113,7 +114,7 @@ void PKCS7_ENC_CONTENT_free(PKCS7_ENC_CONTENT *a)
 	if (a == NULL) return;
 	ASN1_OBJECT_free(a->content_type);
 	X509_ALGOR_free(a->algorithm);
-	ASN1_OCTET_STRING_free(a->enc_data);
-	Free((char *)a);
+	M_ASN1_OCTET_STRING_free(a->enc_data);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/p7_evp.c b/lib/libcrypto/asn1/p7_evp.c
index b2b3d50dcd8..4e734fdd289 100644
--- a/lib/libcrypto/asn1/p7_evp.c
+++ b/lib/libcrypto/asn1/p7_evp.c
@@ -101,7 +101,7 @@ PKCS7_ENVELOPE *PKCS7_ENVELOPE_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_ENVELOPE);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->recipientinfo,sk_PKCS7_RECIP_INFO_new_null);
 	M_ASN1_New(ret->enc_data,PKCS7_ENC_CONTENT_new);
 	return(ret);
@@ -111,9 +111,9 @@ PKCS7_ENVELOPE *PKCS7_ENVELOPE_new(void)
 void PKCS7_ENVELOPE_free(PKCS7_ENVELOPE *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	sk_PKCS7_RECIP_INFO_pop_free(a->recipientinfo,PKCS7_RECIP_INFO_free);
 	PKCS7_ENC_CONTENT_free(a->enc_data);
-	Free((char *)a);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/p7_i_s.c b/lib/libcrypto/asn1/p7_i_s.c
index 7d4b457e017..d21f7ddb846 100644
--- a/lib/libcrypto/asn1/p7_i_s.c
+++ b/lib/libcrypto/asn1/p7_i_s.c
@@ -96,7 +96,7 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new(void)
 
 	M_ASN1_New_Malloc(ret,PKCS7_ISSUER_AND_SERIAL);
 	M_ASN1_New(ret->issuer,X509_NAME_new);
-	M_ASN1_New(ret->serial,ASN1_INTEGER_new);
+	M_ASN1_New(ret->serial,M_ASN1_INTEGER_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_PKCS7_ISSUER_AND_SERIAL_NEW);
 	}
@@ -105,7 +105,7 @@ void PKCS7_ISSUER_AND_SERIAL_free(PKCS7_ISSUER_AND_SERIAL *a)
 	{
 	if (a == NULL) return;
 	X509_NAME_free(a->issuer);
-	ASN1_INTEGER_free(a->serial);
-	Free((char *)a);
+	M_ASN1_INTEGER_free(a->serial);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/p7_lib.c b/lib/libcrypto/asn1/p7_lib.c
index 846be171588..86db82cfa1d 100644
--- a/lib/libcrypto/asn1/p7_lib.c
+++ b/lib/libcrypto/asn1/p7_lib.c
@@ -152,7 +152,7 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, unsigned char **pp, long length)
 		{
 		if ((*a)->asn1 != NULL)
 			{
-			Free((char *)(*a)->asn1);
+			Free((*a)->asn1);
 			(*a)->asn1=NULL;
 			}
 		(*a)->length=0;
@@ -251,7 +251,7 @@ void PKCS7_free(PKCS7 *a)
 		{
 		ASN1_OBJECT_free(a->type);
 		}
-	Free((char *)(char *)a);
+	Free(a);
 	}
 
 void PKCS7_content_free(PKCS7 *a)
@@ -259,7 +259,7 @@ void PKCS7_content_free(PKCS7 *a)
 	if(a == NULL)
 	    return;
 
-	if (a->asn1 != NULL) Free((char *)a->asn1);
+	if (a->asn1 != NULL) Free(a->asn1);
 
 	if (a->d.ptr != NULL)
 		{
@@ -268,7 +268,7 @@ void PKCS7_content_free(PKCS7 *a)
 		switch (OBJ_obj2nid(a->type))
 			{
 		case NID_pkcs7_data:
-			ASN1_OCTET_STRING_free(a->d.data);
+			M_ASN1_OCTET_STRING_free(a->d.data);
 			break;
 		case NID_pkcs7_signed:
 			PKCS7_SIGNED_free(a->d.sign);
diff --git a/lib/libcrypto/asn1/p7_recip.c b/lib/libcrypto/asn1/p7_recip.c
index 9fda4f20d49..b1abfa3b8f2 100644
--- a/lib/libcrypto/asn1/p7_recip.c
+++ b/lib/libcrypto/asn1/p7_recip.c
@@ -101,10 +101,10 @@ PKCS7_RECIP_INFO *PKCS7_RECIP_INFO_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_RECIP_INFO);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->issuer_and_serial,PKCS7_ISSUER_AND_SERIAL_new);
 	M_ASN1_New(ret->key_enc_algor,X509_ALGOR_new);
-	M_ASN1_New(ret->enc_key,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->enc_key,M_ASN1_OCTET_STRING_new);
 	ret->cert=NULL;
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_PKCS7_RECIP_INFO_NEW);
@@ -113,10 +113,10 @@ PKCS7_RECIP_INFO *PKCS7_RECIP_INFO_new(void)
 void PKCS7_RECIP_INFO_free(PKCS7_RECIP_INFO *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	PKCS7_ISSUER_AND_SERIAL_free(a->issuer_and_serial);
 	X509_ALGOR_free(a->key_enc_algor);
-	ASN1_OCTET_STRING_free(a->enc_key);
+	M_ASN1_OCTET_STRING_free(a->enc_key);
 	if (a->cert != NULL) X509_free(a->cert);
 	Free(a);
 	}
diff --git a/lib/libcrypto/asn1/p7_s_e.c b/lib/libcrypto/asn1/p7_s_e.c
index 90946695c95..3d18fedf8e5 100644
--- a/lib/libcrypto/asn1/p7_s_e.c
+++ b/lib/libcrypto/asn1/p7_s_e.c
@@ -119,7 +119,7 @@ PKCS7_SIGN_ENVELOPE *PKCS7_SIGN_ENVELOPE_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_SIGN_ENVELOPE);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->recipientinfo,sk_PKCS7_RECIP_INFO_new_null);
 	M_ASN1_New(ret->md_algs,sk_X509_ALGOR_new_null);
 	M_ASN1_New(ret->enc_data,PKCS7_ENC_CONTENT_new);
@@ -133,7 +133,7 @@ PKCS7_SIGN_ENVELOPE *PKCS7_SIGN_ENVELOPE_new(void)
 void PKCS7_SIGN_ENVELOPE_free(PKCS7_SIGN_ENVELOPE *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	sk_PKCS7_RECIP_INFO_pop_free(a->recipientinfo,PKCS7_RECIP_INFO_free);
 	sk_X509_ALGOR_pop_free(a->md_algs,X509_ALGOR_free);
 	PKCS7_ENC_CONTENT_free(a->enc_data);
diff --git a/lib/libcrypto/asn1/p7_signd.c b/lib/libcrypto/asn1/p7_signd.c
index 74f0f522e15..f6f16a87158 100644
--- a/lib/libcrypto/asn1/p7_signd.c
+++ b/lib/libcrypto/asn1/p7_signd.c
@@ -112,7 +112,7 @@ PKCS7_SIGNED *PKCS7_SIGNED_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_SIGNED);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->md_algs,sk_X509_ALGOR_new_null);
 	M_ASN1_New(ret->contents,PKCS7_new);
 	ret->cert=NULL;
@@ -125,7 +125,7 @@ PKCS7_SIGNED *PKCS7_SIGNED_new(void)
 void PKCS7_SIGNED_free(PKCS7_SIGNED *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	sk_X509_ALGOR_pop_free(a->md_algs,X509_ALGOR_free);
 	PKCS7_free(a->contents);
 	sk_X509_pop_free(a->cert,X509_free);
diff --git a/lib/libcrypto/asn1/p7_signi.c b/lib/libcrypto/asn1/p7_signi.c
index 21132ef4ddd..f74658ffe68 100644
--- a/lib/libcrypto/asn1/p7_signi.c
+++ b/lib/libcrypto/asn1/p7_signi.c
@@ -119,12 +119,12 @@ PKCS7_SIGNER_INFO *PKCS7_SIGNER_INFO_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,PKCS7_SIGNER_INFO);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->issuer_and_serial,PKCS7_ISSUER_AND_SERIAL_new);
 	M_ASN1_New(ret->digest_alg,X509_ALGOR_new);
 	ret->auth_attr=NULL;
 	M_ASN1_New(ret->digest_enc_alg,X509_ALGOR_new);
-	M_ASN1_New(ret->enc_digest,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->enc_digest,M_ASN1_OCTET_STRING_new);
 	ret->unauth_attr=NULL;
 	ret->pkey=NULL;
 	return(ret);
@@ -134,16 +134,16 @@ PKCS7_SIGNER_INFO *PKCS7_SIGNER_INFO_new(void)
 void PKCS7_SIGNER_INFO_free(PKCS7_SIGNER_INFO *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	PKCS7_ISSUER_AND_SERIAL_free(a->issuer_and_serial);
 	X509_ALGOR_free(a->digest_alg);
 	sk_X509_ATTRIBUTE_pop_free(a->auth_attr,X509_ATTRIBUTE_free);
 	X509_ALGOR_free(a->digest_enc_alg);
-	ASN1_OCTET_STRING_free(a->enc_digest);
+	M_ASN1_OCTET_STRING_free(a->enc_digest);
 	sk_X509_ATTRIBUTE_pop_free(a->unauth_attr,X509_ATTRIBUTE_free);
 	if (a->pkey != NULL)
 		EVP_PKEY_free(a->pkey);
-	Free((char *)a);
+	Free(a);
 	}
 
 IMPLEMENT_STACK_OF(PKCS7_SIGNER_INFO)
diff --git a/lib/libcrypto/asn1/p8_pkey.c b/lib/libcrypto/asn1/p8_pkey.c
index aa9a4f6c968..59cfbe7f280 100644
--- a/lib/libcrypto/asn1/p8_pkey.c
+++ b/lib/libcrypto/asn1/p8_pkey.c
@@ -88,7 +88,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void)
 	PKCS8_PRIV_KEY_INFO *ret=NULL;
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, PKCS8_PRIV_KEY_INFO);
-	M_ASN1_New (ret->version, ASN1_INTEGER_new);
+	M_ASN1_New (ret->version, M_ASN1_INTEGER_new);
 	M_ASN1_New (ret->pkeyalg, X509_ALGOR_new);
 	M_ASN1_New (ret->pkey, ASN1_TYPE_new);
 	ret->attributes = NULL;
@@ -109,15 +109,13 @@ PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
 	M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE, ret->attributes,
 					d2i_X509_ATTRIBUTE,
 					X509_ATTRIBUTE_free, 0);
-	if (ASN1_TYPE_get(ret->pkey) == V_ASN1_SEQUENCE) 
-						ret->broken = PKCS8_NO_OCTET;
 	M_ASN1_D2I_Finish(a, PKCS8_PRIV_KEY_INFO_free, ASN1_F_D2I_PKCS8_PRIV_KEY_INFO);
 }
 
 void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
 {
 	if (a == NULL) return;
-	ASN1_INTEGER_free (a->version);
+	M_ASN1_INTEGER_free (a->version);
 	X509_ALGOR_free(a->pkeyalg);
 	/* Clear sensitive data */
 	if (a->pkey->value.octet_string)
diff --git a/lib/libcrypto/asn1/pkcs8.c b/lib/libcrypto/asn1/pkcs8.c
index 29c4ea6a296..e69de29bb2d 100644
--- a/lib/libcrypto/asn1/pkcs8.c
+++ b/lib/libcrypto/asn1/pkcs8.c
@@ -1,131 +0,0 @@
-/* crypto/asn1/pkcs8.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1_mac.h>
-#include <openssl/objects.h>
-
-int i2d_X509_KEY(X509 *a, unsigned char **pp)
-	{
-	M_ASN1_I2D_vars(a);
-
-	M_ASN1_I2D_len(a->cert_info,	i2d_X509_CINF);
-	M_ASN1_I2D_len(a->sig_alg,	i2d_X509_ALGOR);
-	M_ASN1_I2D_len(a->signature,	i2d_ASN1_BIT_STRING);
-
-	M_ASN1_I2D_seq_total();
-
-	M_ASN1_I2D_put(a->cert_info,	i2d_X509_CINF);
-	M_ASN1_I2D_put(a->sig_alg,	i2d_X509_ALGOR);
-	M_ASN1_I2D_put(a->signature,	i2d_ASN1_BIT_STRING);
-
-	M_ASN1_I2D_finish();
-	}
-
-X509 *d2i_X509_KEY(X509 **a, unsigned char **pp, long length)
-	{
-	M_ASN1_D2I_vars(a,X509 *,X509_new);
-
-	M_ASN1_D2I_Init();
-	M_ASN1_D2I_start_sequence();
-	M_ASN1_D2I_get(ret->cert_info,d2i_X509_CINF);
-	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-	M_ASN1_D2I_Finish(a,X509_free,ASN1_F_D2I_X509);
-	}
-
-X509 *X509_KEY_new(void)
-	{
-	X509_KEY *ret=NULL;
-
-	M_ASN1_New_Malloc(ret,X509_KEY);
-	ret->references=1;
-	ret->type=NID
-	M_ASN1_New(ret->cert_info,X509_CINF_new);
-	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
-	return(ret);
-	M_ASN1_New_Error(ASN1_F_X509_NEW);
-	}
-
-void X509_KEY_free(X509 *a)
-	{
-	int i;
-
-	if (a == NULL) return;
-
-	i=CRYPTO_add_lock(&a->references,-1,CRYPTO_LOCK_X509_KEY);
-#ifdef REF_PRINT
-	REF_PRINT("X509_KEY",a);
-#endif
-	if (i > 0) return;
-#ifdef REF_CHECK
-	if (i < 0)
-		{
-		fprintf(stderr,"X509_KEY_free, bad reference count\n");
-		abort();
-		}
-#endif
-
-	X509_CINF_free(a->cert_info);
-	X509_ALGOR_free(a->sig_alg);
-	ASN1_BIT_STRING_free(a->signature);
-	Free((char *)a);
-	}
-
diff --git a/lib/libcrypto/asn1/t_crl.c b/lib/libcrypto/asn1/t_crl.c
index c2e447ce6ff..d78e4a8f887 100644
--- a/lib/libcrypto/asn1/t_crl.c
+++ b/lib/libcrypto/asn1/t_crl.c
@@ -160,7 +160,7 @@ static void ext_print(BIO *out, X509_EXTENSION *ex)
 	BIO_printf(out, ": %s\n", j ? "critical":"","");
 	if(!X509V3_EXT_print(out, ex, 0, 16)) {
 		BIO_printf(out, "%16s", "");
-		ASN1_OCTET_STRING_print(out,ex->value);
+		M_ASN1_OCTET_STRING_print(out,ex->value);
 	}
 	BIO_write(out,"\n",1);
 }
diff --git a/lib/libcrypto/asn1/t_pkey.c b/lib/libcrypto/asn1/t_pkey.c
index 0dc6e30c3dd..e570ed1c473 100644
--- a/lib/libcrypto/asn1/t_pkey.c
+++ b/lib/libcrypto/asn1/t_pkey.c
@@ -133,7 +133,7 @@ int RSA_print(BIO *bp, RSA *x, int off)
 	if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err;
 	ret=1;
 err:
-	if (m != NULL) Free((char *)m);
+	if (m != NULL) Free(m);
 	return(ret);
 	}
 #endif /* NO_RSA */
@@ -204,7 +204,7 @@ int DSA_print(BIO *bp, DSA *x, int off)
 	if ((x->g != NULL) && !print(bp,"G:   ",x->g,m,off)) goto err;
 	ret=1;
 err:
-	if (m != NULL) Free((char *)m);
+	if (m != NULL) Free(m);
 	return(ret);
 	}
 #endif /* !NO_DSA */
@@ -298,7 +298,7 @@ int DHparams_print(BIO *bp, DH *x)
 	if (!print(bp,"generator:",x->g,m,4)) goto err;
 	if (x->length != 0)
 		{
-		if (BIO_printf(bp,"    recomented-private-length: %d bits\n",
+		if (BIO_printf(bp,"    recommended-private-length: %d bits\n",
 			(int)x->length) <= 0) goto err;
 		}
 	ret=1;
@@ -307,7 +307,7 @@ int DHparams_print(BIO *bp, DH *x)
 err:
 		DHerr(DH_F_DHPARAMS_PRINT,reason);
 		}
-	if (m != NULL) Free((char *)m);
+	if (m != NULL) Free(m);
 	return(ret);
 	}
 #endif
@@ -352,7 +352,7 @@ int DSAparams_print(BIO *bp, DSA *x)
 	if (!print(bp,"g:",x->g,m,4)) goto err;
 	ret=1;
 err:
-	if (m != NULL) Free((char *)m);
+	if (m != NULL) Free(m);
 	DSAerr(DSA_F_DSAPARAMS_PRINT,reason);
 	return(ret);
 	}
diff --git a/lib/libcrypto/asn1/t_req.c b/lib/libcrypto/asn1/t_req.c
index bdd749436ab..81dd6355a88 100644
--- a/lib/libcrypto/asn1/t_req.c
+++ b/lib/libcrypto/asn1/t_req.c
@@ -62,6 +62,7 @@
 #include <openssl/bn.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 #ifndef NO_FP_API
 int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
@@ -90,6 +91,7 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 	X509_REQ_INFO *ri;
 	EVP_PKEY *pkey;
 	STACK_OF(X509_ATTRIBUTE) *sk;
+	STACK_OF(X509_EXTENSION) *exts;
 	char str[128];
 
 	ri=x->req_info;
@@ -161,6 +163,8 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 			int j,type=0,count=1,ii=0;
 
 			a=sk_X509_ATTRIBUTE_value(sk,i);
+			if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
+								continue;
 			sprintf(str,"%12s","");
 			if (BIO_puts(bp,str) <= 0) goto err;
 			if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
@@ -201,6 +205,29 @@ get_next:
 			}
 		}
 
+	exts = X509_REQ_get_extensions(x);
+	if(exts) {
+		BIO_printf(bp,"%8sRequested Extensions:\n","");
+		for (i=0; i<sk_X509_EXTENSION_num(exts); i++) {
+			ASN1_OBJECT *obj;
+			X509_EXTENSION *ex;
+			int j;
+			ex=sk_X509_EXTENSION_value(exts, i);
+			if (BIO_printf(bp,"%12s","") <= 0) goto err;
+			obj=X509_EXTENSION_get_object(ex);
+			i2a_ASN1_OBJECT(bp,obj);
+			j=X509_EXTENSION_get_critical(ex);
+			if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+				goto err;
+			if(!X509V3_EXT_print(bp, ex, 0, 16)) {
+				BIO_printf(bp, "%16s", "");
+				M_ASN1_OCTET_STRING_print(bp,ex->value);
+			}
+			if (BIO_write(bp,"\n",1) <= 0) goto err;
+		}
+		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+	}
+
 	i=OBJ_obj2nid(x->sig_alg->algorithm);
 	sprintf(str,"%4sSignature Algorithm: %s","",
 		(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
diff --git a/lib/libcrypto/asn1/t_x509.c b/lib/libcrypto/asn1/t_x509.c
index 42f4d498cfa..6ee1065ce94 100644
--- a/lib/libcrypto/asn1/t_x509.c
+++ b/lib/libcrypto/asn1/t_x509.c
@@ -188,11 +188,7 @@ int X509_print(BIO *bp, X509 *x)
 		BIO_printf(bp,"%8sX509v3 extensions:\n","");
 		for (i=0; i<n; i++)
 			{
-#if 0
-			int data_type,pack_type;
-#endif
 			ASN1_OBJECT *obj;
-
 			ex=X509_get_ext(x,i);
 			if (BIO_printf(bp,"%12s","") <= 0) goto err;
 			obj=X509_EXTENSION_get_object(ex);
@@ -203,7 +199,7 @@ int X509_print(BIO *bp, X509 *x)
 			if(!X509V3_EXT_print(bp, ex, 0, 16))
 				{
 				BIO_printf(bp, "%16s", "");
-				ASN1_OCTET_STRING_print(bp,ex->value);
+				M_ASN1_OCTET_STRING_print(bp,ex->value);
 				}
 			if (BIO_write(bp,"\n",1) <= 0) goto err;
 			}
@@ -223,10 +219,11 @@ int X509_print(BIO *bp, X509 *x)
 			((i+1) == n)?"":":") <= 0) goto err;
 		}
 	if (BIO_write(bp,"\n",1) != 1) goto err;
+	if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err;
 	ret=1;
 err:
 	if (str != NULL) ASN1_STRING_free(str);
-	if (m != NULL) Free((char *)m);
+	if (m != NULL) Free(m);
 	return(ret);
 	}
 
diff --git a/lib/libcrypto/asn1/x_algor.c b/lib/libcrypto/asn1/x_algor.c
index b2c20d139fc..fe023842f84 100644
--- a/lib/libcrypto/asn1/x_algor.c
+++ b/lib/libcrypto/asn1/x_algor.c
@@ -111,7 +111,7 @@ void X509_ALGOR_free(X509_ALGOR *a)
 	if (a == NULL) return;
 	ASN1_OBJECT_free(a->algorithm);
 	ASN1_TYPE_free(a->parameter);
-	Free((char *)a);
+	Free(a);
 	}
 
 IMPLEMENT_STACK_OF(X509_ALGOR)
diff --git a/lib/libcrypto/asn1/x_attrib.c b/lib/libcrypto/asn1/x_attrib.c
index a1cbebf5a50..a874df79db6 100644
--- a/lib/libcrypto/asn1/x_attrib.c
+++ b/lib/libcrypto/asn1/x_attrib.c
@@ -160,6 +160,6 @@ void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a)
 		sk_ASN1_TYPE_pop_free(a->value.set,ASN1_TYPE_free);
 	else
 		ASN1_TYPE_free(a->value.single);
-	Free((char *)a);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/x_cinf.c b/lib/libcrypto/asn1/x_cinf.c
index fe1b18a90ff..b87c8fff171 100644
--- a/lib/libcrypto/asn1/x_cinf.c
+++ b/lib/libcrypto/asn1/x_cinf.c
@@ -115,7 +115,7 @@ X509_CINF *d2i_X509_CINF(X509_CINF **a, unsigned char **pp, long length)
 		{
 		if (ret->version != NULL)
 			{
-			ASN1_INTEGER_free(ret->version);
+			M_ASN1_INTEGER_free(ret->version);
 			ret->version=NULL;
 			}
 		}
@@ -129,12 +129,12 @@ X509_CINF *d2i_X509_CINF(X509_CINF **a, unsigned char **pp, long length)
 		{
 		if (ret->issuerUID != NULL)
 			{
-			ASN1_BIT_STRING_free(ret->issuerUID);
+			M_ASN1_BIT_STRING_free(ret->issuerUID);
 			ret->issuerUID=NULL;
 			}
 		if (ret->subjectUID != NULL)
 			{
-			ASN1_BIT_STRING_free(ret->subjectUID);
+			M_ASN1_BIT_STRING_free(ret->subjectUID);
 			ret->subjectUID=NULL;
 			}
 		M_ASN1_D2I_get_IMP_opt(ret->issuerUID,d2i_ASN1_BIT_STRING,  1,
@@ -170,7 +170,7 @@ X509_CINF *X509_CINF_new(void)
 
 	M_ASN1_New_Malloc(ret,X509_CINF);
 	ret->version=NULL;
-	M_ASN1_New(ret->serialNumber,ASN1_INTEGER_new);
+	M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->signature,X509_ALGOR_new);
 	M_ASN1_New(ret->issuer,X509_NAME_new);
 	M_ASN1_New(ret->validity,X509_VAL_new);
@@ -186,15 +186,15 @@ X509_CINF *X509_CINF_new(void)
 void X509_CINF_free(X509_CINF *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
-	ASN1_INTEGER_free(a->serialNumber);
+	M_ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->serialNumber);
 	X509_ALGOR_free(a->signature);
 	X509_NAME_free(a->issuer);
 	X509_VAL_free(a->validity);
 	X509_NAME_free(a->subject);
 	X509_PUBKEY_free(a->key);
-	ASN1_BIT_STRING_free(a->issuerUID);
-	ASN1_BIT_STRING_free(a->subjectUID);
+	M_ASN1_BIT_STRING_free(a->issuerUID);
+	M_ASN1_BIT_STRING_free(a->subjectUID);
 	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
 	Free(a);
 	}
diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c
index cd46bbebc28..12a42d04c75 100644
--- a/lib/libcrypto/asn1/x_crl.c
+++ b/lib/libcrypto/asn1/x_crl.c
@@ -130,9 +130,9 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
 		}
 	M_ASN1_I2D_put(a->sig_alg,i2d_X509_ALGOR);
 	M_ASN1_I2D_put(a->issuer,i2d_X509_NAME);
-	M_ASN1_I2D_put(a->lastUpdate,i2d_ASN1_UTCTIME);
+	M_ASN1_I2D_put(a->lastUpdate,i2d_ASN1_TIME);
 	if (a->nextUpdate != NULL)
-		{ M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_UTCTIME); }
+		{ M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); }
 	M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
 					 i2d_X509_REVOKED);
 	M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
@@ -157,20 +157,16 @@ X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a, unsigned char **pp,
 	
 	if ((ver == 0) && (ret->version != NULL))
 		{
-		ASN1_INTEGER_free(ret->version);
+		M_ASN1_INTEGER_free(ret->version);
 		ret->version=NULL;
 		}
 	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
 	M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
 	M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_TIME);
 	/* Manually handle the OPTIONAL ASN1_TIME stuff */
-	if(c.slen != 0
-	   && ( (M_ASN1_next & ~V_ASN1_CONSTRUCTED) ==
-		    (V_ASN1_UNIVERSAL|V_ASN1_UTCTIME)
-		|| (M_ASN1_next & ~V_ASN1_CONSTRUCTED) ==
-		    (V_ASN1_UNIVERSAL|V_ASN1_GENERALIZEDTIME) ) ) {
-		M_ASN1_D2I_get(ret->nextUpdate,d2i_ASN1_TIME);
-	}
+	/* First try UTCTime */
+	M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_UTCTIME, V_ASN1_UTCTIME);
+	/* If that doesn't work try GeneralizedTime */
 	if(!ret->nextUpdate) 
 		M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_GENERALIZEDTIME,
 							V_ASN1_GENERALIZEDTIME);
@@ -190,20 +186,17 @@ X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a, unsigned char **pp,
 			}
 		}
 
-	if (ver >= 1)
+	if (ret->extensions != NULL)
 		{
-		if (ret->extensions != NULL)
-			{
-			while (sk_X509_EXTENSION_num(ret->extensions))
-				X509_EXTENSION_free(
-				sk_X509_EXTENSION_pop(ret->extensions));
-			}
-			
-		M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
-						d2i_X509_EXTENSION,
-						X509_EXTENSION_free,0,
-						V_ASN1_SEQUENCE);
+		while (sk_X509_EXTENSION_num(ret->extensions))
+			X509_EXTENSION_free(
+			sk_X509_EXTENSION_pop(ret->extensions));
 		}
+		
+	M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
+					d2i_X509_EXTENSION,
+					X509_EXTENSION_free,0,
+					V_ASN1_SEQUENCE);
 
 	M_ASN1_D2I_Finish(a,X509_CRL_INFO_free,ASN1_F_D2I_X509_CRL_INFO);
 	}
@@ -245,8 +238,8 @@ X509_REVOKED *X509_REVOKED_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,X509_REVOKED);
-	M_ASN1_New(ret->serialNumber,ASN1_INTEGER_new);
-	M_ASN1_New(ret->revocationDate,ASN1_UTCTIME_new);
+	M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new);
+	M_ASN1_New(ret->revocationDate,M_ASN1_UTCTIME_new);
 	ret->extensions=NULL;
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_REVOKED_NEW);
@@ -261,7 +254,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void)
 	ret->version=NULL;
 	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
 	M_ASN1_New(ret->issuer,X509_NAME_new);
-	M_ASN1_New(ret->lastUpdate,ASN1_UTCTIME_new);
+	M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new);
 	ret->nextUpdate=NULL;
 	M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null);
 	M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null);
@@ -279,7 +272,7 @@ X509_CRL *X509_CRL_new(void)
 	ret->references=1;
 	M_ASN1_New(ret->crl,X509_CRL_INFO_new);
 	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_CRL_NEW);
 	}
@@ -287,8 +280,8 @@ X509_CRL *X509_CRL_new(void)
 void X509_REVOKED_free(X509_REVOKED *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->serialNumber);
-	ASN1_UTCTIME_free(a->revocationDate);
+	M_ASN1_INTEGER_free(a->serialNumber);
+	M_ASN1_UTCTIME_free(a->revocationDate);
 	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
 	Free(a);
 	}
@@ -296,12 +289,12 @@ void X509_REVOKED_free(X509_REVOKED *a)
 void X509_CRL_INFO_free(X509_CRL_INFO *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	X509_ALGOR_free(a->sig_alg);
 	X509_NAME_free(a->issuer);
-	ASN1_UTCTIME_free(a->lastUpdate);
+	M_ASN1_UTCTIME_free(a->lastUpdate);
 	if (a->nextUpdate)
-		ASN1_UTCTIME_free(a->nextUpdate);
+		M_ASN1_UTCTIME_free(a->nextUpdate);
 	sk_X509_REVOKED_pop_free(a->revoked,X509_REVOKED_free);
 	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
 	Free(a);
@@ -328,7 +321,7 @@ void X509_CRL_free(X509_CRL *a)
 
 	X509_CRL_INFO_free(a->crl);
 	X509_ALGOR_free(a->sig_alg);
-	ASN1_BIT_STRING_free(a->signature);
+	M_ASN1_BIT_STRING_free(a->signature);
 	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/x_exten.c b/lib/libcrypto/asn1/x_exten.c
index d5f9e1df9e0..185cbd78a0f 100644
--- a/lib/libcrypto/asn1/x_exten.c
+++ b/lib/libcrypto/asn1/x_exten.c
@@ -100,10 +100,6 @@ X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **a, unsigned char **pp,
 	M_ASN1_D2I_start_sequence();
 	M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
 
-	if ((ret->argp != NULL) && (ret->ex_free != NULL))
-		ret->ex_free(ret);
-	ret->argl=0;
-	ret->argp=NULL;
 	ret->netscape_hack=0;
 	if ((c.slen != 0) &&
 		(M_ASN1_next == (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN)))
@@ -126,12 +122,9 @@ X509_EXTENSION *X509_EXTENSION_new(void)
 
 	M_ASN1_New_Malloc(ret,X509_EXTENSION);
 	ret->object=OBJ_nid2obj(NID_undef);
-	M_ASN1_New(ret->value,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->value,M_ASN1_OCTET_STRING_new);
 	ret->critical=0;
 	ret->netscape_hack=0;
-	ret->argl=0L;
-	ret->argp=NULL;
-	ret->ex_free=NULL;
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_EXTENSION_NEW);
 	}
@@ -139,10 +132,8 @@ X509_EXTENSION *X509_EXTENSION_new(void)
 void X509_EXTENSION_free(X509_EXTENSION *a)
 	{
 	if (a == NULL) return;
-	if ((a->argp != NULL) && (a->ex_free != NULL))
-		a->ex_free(a);
 	ASN1_OBJECT_free(a->object);
-	ASN1_OCTET_STRING_free(a->value);
-	Free((char *)a);
+	M_ASN1_OCTET_STRING_free(a->value);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/x_info.c b/lib/libcrypto/asn1/x_info.c
index 99ce011f075..7fdc6f9dc81 100644
--- a/lib/libcrypto/asn1/x_info.c
+++ b/lib/libcrypto/asn1/x_info.c
@@ -106,7 +106,8 @@ void X509_INFO_free(X509_INFO *x)
 	if (x->x509 != NULL) X509_free(x->x509);
 	if (x->crl != NULL) X509_CRL_free(x->crl);
 	if (x->x_pkey != NULL) X509_PKEY_free(x->x_pkey);
-	Free((char *)x);
+	if (x->enc_data != NULL) Free(x->enc_data);
+	Free(x);
 	}
 
 IMPLEMENT_STACK_OF(X509_INFO)
diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c
index b09fba33fbd..64baf5719d8 100644
--- a/lib/libcrypto/asn1/x_name.c
+++ b/lib/libcrypto/asn1/x_name.c
@@ -253,7 +253,7 @@ void X509_NAME_ENTRY_free(X509_NAME_ENTRY *a)
 	{
 	if (a == NULL) return;
 	ASN1_OBJECT_free(a->object);
-	ASN1_BIT_STRING_free(a->value);
+	M_ASN1_BIT_STRING_free(a->value);
 	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/x_pkey.c b/lib/libcrypto/asn1/x_pkey.c
index b0057eb212c..fe58919dbba 100644
--- a/lib/libcrypto/asn1/x_pkey.c
+++ b/lib/libcrypto/asn1/x_pkey.c
@@ -112,7 +112,7 @@ X509_PKEY *X509_PKEY_new(void)
 	M_ASN1_New_Malloc(ret,X509_PKEY);
 	ret->version=0;
 	M_ASN1_New(ret->enc_algor,X509_ALGOR_new);
-	M_ASN1_New(ret->enc_pkey,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->enc_pkey,M_ASN1_OCTET_STRING_new);
 	ret->dec_pkey=NULL;
 	ret->key_length=0;
 	ret->key_data=NULL;
@@ -144,8 +144,8 @@ void X509_PKEY_free(X509_PKEY *x)
 #endif
 
 	if (x->enc_algor != NULL) X509_ALGOR_free(x->enc_algor);
-	if (x->enc_pkey != NULL) ASN1_OCTET_STRING_free(x->enc_pkey);
+	if (x->enc_pkey != NULL) M_ASN1_OCTET_STRING_free(x->enc_pkey);
 	if (x->dec_pkey != NULL)EVP_PKEY_free(x->dec_pkey);
-	if ((x->key_data != NULL) && (x->key_free)) Free((char *)x->key_data);
-	Free((char *)(char *)x);
+	if ((x->key_data != NULL) && (x->key_free)) Free(x->key_data);
+	Free(x);
 	}
diff --git a/lib/libcrypto/asn1/x_pubkey.c b/lib/libcrypto/asn1/x_pubkey.c
index 4ac32c59dd7..81e9815222a 100644
--- a/lib/libcrypto/asn1/x_pubkey.c
+++ b/lib/libcrypto/asn1/x_pubkey.c
@@ -100,7 +100,7 @@ X509_PUBKEY *X509_PUBKEY_new(void)
 
 	M_ASN1_New_Malloc(ret,X509_PUBKEY);
 	M_ASN1_New(ret->algor,X509_ALGOR_new);
-	M_ASN1_New(ret->public_key,ASN1_BIT_STRING_new);
+	M_ASN1_New(ret->public_key,M_ASN1_BIT_STRING_new);
 	ret->pkey=NULL;
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_PUBKEY_NEW);
@@ -110,9 +110,9 @@ void X509_PUBKEY_free(X509_PUBKEY *a)
 	{
 	if (a == NULL) return;
 	X509_ALGOR_free(a->algor);
-	ASN1_BIT_STRING_free(a->public_key);
+	M_ASN1_BIT_STRING_free(a->public_key);
 	if (a->pkey != NULL) EVP_PKEY_free(a->pkey);
-	Free((char *)a);
+	Free(a);
 	}
 
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
@@ -176,7 +176,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 	if ((s=(unsigned char *)Malloc(i+1)) == NULL) goto err;
 	p=s;
 	i2d_PublicKey(pkey,&p);
-	if (!ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
 	/* Set number of unused bits to zero */
 	pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
 	pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
@@ -252,3 +252,113 @@ err:
 	return(NULL);
 	}
 
+/* Now two pseudo ASN1 routines that take an EVP_PKEY structure
+ * and encode or decode as X509_PUBKEY
+ */
+
+EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp,
+	     long length)
+{
+	X509_PUBKEY *xpk;
+	EVP_PKEY *pktmp;
+	xpk = d2i_X509_PUBKEY(NULL, pp, length);
+	if(!xpk) return NULL;
+	pktmp = X509_PUBKEY_get(xpk);
+	X509_PUBKEY_free(xpk);
+	if(!pktmp) return NULL;
+	if(a) {
+		EVP_PKEY_free(*a);
+		*a = pktmp;
+	}
+	return pktmp;
+}
+
+int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp)
+{
+	X509_PUBKEY *xpk=NULL;
+	int ret;
+	if(!a) return 0;
+	if(!X509_PUBKEY_set(&xpk, a)) return 0;
+	ret = i2d_X509_PUBKEY(xpk, pp);
+	X509_PUBKEY_free(xpk);
+	return ret;
+}
+
+/* The following are equivalents but which return RSA and DSA
+ * keys
+ */
+#ifndef NO_RSA
+RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp,
+	     long length)
+{
+	EVP_PKEY *pkey;
+	RSA *key;
+	unsigned char *q;
+	q = *pp;
+	pkey = d2i_PUBKEY(NULL, &q, length);
+	if(!pkey) return NULL;
+	key = EVP_PKEY_get1_RSA(pkey);
+	EVP_PKEY_free(pkey);
+	if(!key) return NULL;
+	*pp = q;
+	if(a) {
+		RSA_free(*a);
+		*a = key;
+	}
+	return key;
+}
+
+int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
+{
+	EVP_PKEY *pktmp;
+	int ret;
+	if(!a) return 0;
+	pktmp = EVP_PKEY_new();
+	if(!pktmp) {
+		ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	EVP_PKEY_set1_RSA(pktmp, a);
+	ret = i2d_PUBKEY(pktmp, pp);
+	EVP_PKEY_free(pktmp);
+	return ret;
+}
+#endif
+
+#ifndef NO_DSA
+DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp,
+	     long length)
+{
+	EVP_PKEY *pkey;
+	DSA *key;
+	unsigned char *q;
+	q = *pp;
+	pkey = d2i_PUBKEY(NULL, &q, length);
+	if(!pkey) return NULL;
+	key = EVP_PKEY_get1_DSA(pkey);
+	EVP_PKEY_free(pkey);
+	if(!key) return NULL;
+	*pp = q;
+	if(a) {
+		DSA_free(*a);
+		*a = key;
+	}
+	return key;
+}
+
+int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
+{
+	EVP_PKEY *pktmp;
+	int ret;
+	if(!a) return 0;
+	pktmp = EVP_PKEY_new();
+	if(!pktmp) {
+		ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	EVP_PKEY_set1_DSA(pktmp, a);
+	ret = i2d_PUBKEY(pktmp, pp);
+	EVP_PKEY_free(pktmp);
+	return ret;
+}
+#endif
diff --git a/lib/libcrypto/asn1/x_req.c b/lib/libcrypto/asn1/x_req.c
index 9b1d6abe640..0cd572ee73b 100644
--- a/lib/libcrypto/asn1/x_req.c
+++ b/lib/libcrypto/asn1/x_req.c
@@ -73,7 +73,7 @@ int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
 	 * allow some CA Software to accept the cert request.
 	 * It is not following the PKCS standards ...
 	 * PKCS#10 pg 5
-	 * attributes [0] IMPLICIT Attibutes
+	 * attributes [0] IMPLICIT Attributes
 	 * NOTE: no OPTIONAL ... so it *must* be there
 	 */
 	if (a->req_kludge) 
@@ -94,7 +94,7 @@ int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
 	/* this is a *nasty* hack reported to be required by some CA's.
 	 * It is not following the PKCS standards ...
 	 * PKCS#10 pg 5
-	 * attributes [0] IMPLICIT Attibutes
+	 * attributes [0] IMPLICIT Attributes
 	 * NOTE: no OPTIONAL ... so it *must* be there
 	 */
 	if (a->req_kludge)
@@ -126,7 +126,7 @@ X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a, unsigned char **pp,
 	 * have been reported as requiring it.
 	 * It is not following the PKCS standards ...
 	 * PKCS#10 pg 5
-	 * attributes [0] IMPLICIT Attibutes
+	 * attributes [0] IMPLICIT Attributes
 	 * NOTE: no OPTIONAL ... so it *must* be there
 	 */
 	if (asn1_Finish(&c))
@@ -147,7 +147,7 @@ X509_REQ_INFO *X509_REQ_INFO_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,X509_REQ_INFO);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->subject,X509_NAME_new);
 	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
 	M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
@@ -159,11 +159,11 @@ X509_REQ_INFO *X509_REQ_INFO_new(void)
 void X509_REQ_INFO_free(X509_REQ_INFO *a)
 	{
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	X509_NAME_free(a->subject);
 	X509_PUBKEY_free(a->pubkey);
 	sk_X509_ATTRIBUTE_pop_free(a->attributes,X509_ATTRIBUTE_free);
-	Free((char *)a);
+	Free(a);
 	}
 
 int i2d_X509_REQ(X509_REQ *a, unsigned char **pp)
@@ -203,7 +203,7 @@ X509_REQ *X509_REQ_new(void)
 	ret->references=1;
 	M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
 	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
 	}
@@ -229,8 +229,8 @@ void X509_REQ_free(X509_REQ *a)
 
 	X509_REQ_INFO_free(a->req_info);
 	X509_ALGOR_free(a->sig_alg);
-	ASN1_BIT_STRING_free(a->signature);
-	Free((char *)a);
+	M_ASN1_BIT_STRING_free(a->signature);
+	Free(a);
 	}
 
 
diff --git a/lib/libcrypto/asn1/x_sig.c b/lib/libcrypto/asn1/x_sig.c
index c2782d1b9c0..3559bd53685 100644
--- a/lib/libcrypto/asn1/x_sig.c
+++ b/lib/libcrypto/asn1/x_sig.c
@@ -94,7 +94,7 @@ X509_SIG *X509_SIG_new(void)
 
 	M_ASN1_New_Malloc(ret,X509_SIG);
 	M_ASN1_New(ret->algor,X509_ALGOR_new);
-	M_ASN1_New(ret->digest,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->digest,M_ASN1_OCTET_STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_SIG_NEW);
 	}
@@ -103,8 +103,8 @@ void X509_SIG_free(X509_SIG *a)
 	{
 	if (a == NULL) return;
 	X509_ALGOR_free(a->algor);
-	ASN1_OCTET_STRING_free(a->digest);
-	Free((char *)a);
+	M_ASN1_OCTET_STRING_free(a->digest);
+	Free(a);
 	}
 
 
diff --git a/lib/libcrypto/asn1/x_spki.c b/lib/libcrypto/asn1/x_spki.c
index 43e0023839a..8f5e7e6380a 100644
--- a/lib/libcrypto/asn1/x_spki.c
+++ b/lib/libcrypto/asn1/x_spki.c
@@ -57,7 +57,7 @@
  */
 
  /* This module was send to me my Pat Richards <patr@x509.com> who
-  * wrote it.  It is under my Copyright with his permision
+  * wrote it.  It is under my Copyright with his permission
   */
 
 #include <stdio.h>
@@ -99,7 +99,7 @@ NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void)
 
 	M_ASN1_New_Malloc(ret,NETSCAPE_SPKAC);
 	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
-	M_ASN1_New(ret->challenge,ASN1_IA5STRING_new);
+	M_ASN1_New(ret->challenge,M_ASN1_IA5STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_NETSCAPE_SPKAC_NEW);
 	}
@@ -108,8 +108,8 @@ void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a)
 	{
 	if (a == NULL) return;
 	X509_PUBKEY_free(a->pubkey);
-	ASN1_IA5STRING_free(a->challenge);
-	Free((char *)a);
+	M_ASN1_IA5STRING_free(a->challenge);
+	Free(a);
 	}
 
 int i2d_NETSCAPE_SPKI(NETSCAPE_SPKI *a, unsigned char **pp)
@@ -150,7 +150,7 @@ NETSCAPE_SPKI *NETSCAPE_SPKI_new(void)
 	M_ASN1_New_Malloc(ret,NETSCAPE_SPKI);
 	M_ASN1_New(ret->spkac,NETSCAPE_SPKAC_new);
 	M_ASN1_New(ret->sig_algor,X509_ALGOR_new);
-	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_NETSCAPE_SPKI_NEW);
 	}
@@ -160,7 +160,7 @@ void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a)
 	if (a == NULL) return;
 	NETSCAPE_SPKAC_free(a->spkac);
 	X509_ALGOR_free(a->sig_algor);
-	ASN1_BIT_STRING_free(a->signature);
-	Free((char *)a);
+	M_ASN1_BIT_STRING_free(a->signature);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/x_val.c b/lib/libcrypto/asn1/x_val.c
index 84d6f7ca4df..1a2f49ffdfd 100644
--- a/lib/libcrypto/asn1/x_val.c
+++ b/lib/libcrypto/asn1/x_val.c
@@ -93,8 +93,8 @@ X509_VAL *X509_VAL_new(void)
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,X509_VAL);
-	M_ASN1_New(ret->notBefore,ASN1_TIME_new);
-	M_ASN1_New(ret->notAfter,ASN1_TIME_new);
+	M_ASN1_New(ret->notBefore,M_ASN1_TIME_new);
+	M_ASN1_New(ret->notAfter,M_ASN1_TIME_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_VAL_NEW);
 	}
@@ -102,8 +102,8 @@ X509_VAL *X509_VAL_new(void)
 void X509_VAL_free(X509_VAL *a)
 	{
 	if (a == NULL) return;
-	ASN1_TIME_free(a->notBefore);
-	ASN1_TIME_free(a->notAfter);
-	Free((char *)a);
+	M_ASN1_TIME_free(a->notBefore);
+	M_ASN1_TIME_free(a->notAfter);
+	Free(a);
 	}
 
diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c
index 7abf6b2a6ba..11e564ea30a 100644
--- a/lib/libcrypto/asn1/x_x509.c
+++ b/lib/libcrypto/asn1/x_x509.c
@@ -62,6 +62,9 @@
 #include <openssl/asn1_mac.h>
 #include <openssl/x509.h>
 
+static int x509_meth_num = 0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
+
 static ASN1_METHOD meth={
 	(int (*)())  i2d_X509,
 	(char *(*)())d2i_X509,
@@ -113,10 +116,13 @@ X509 *X509_new(void)
 	M_ASN1_New_Malloc(ret,X509);
 	ret->references=1;
 	ret->valid=0;
+	ret->ex_flags = 0;
 	ret->name=NULL;
+	ret->aux=NULL;
 	M_ASN1_New(ret->cert_info,X509_CINF_new);
 	M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-	M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+	M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
+	CRYPTO_new_ex_data(x509_meth, ret, &ret->ex_data);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_NEW);
 	}
@@ -140,12 +146,65 @@ void X509_free(X509 *a)
 		}
 #endif
 
-	/* CRYPTO_free_ex_data(bio_meth,(char *)a,&a->ex_data); */
+	CRYPTO_free_ex_data(x509_meth,a,&a->ex_data);
 	X509_CINF_free(a->cert_info);
 	X509_ALGOR_free(a->sig_alg);
-	ASN1_BIT_STRING_free(a->signature);
+	M_ASN1_BIT_STRING_free(a->signature);
+	X509_CERT_AUX_free(a->aux);
 
 	if (a->name != NULL) Free(a->name);
-	Free((char *)a);
+	Free(a);
+	}
+
+int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	x509_meth_num++;
+	return(CRYPTO_get_ex_new_index(x509_meth_num-1,
+		&x509_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int X509_set_ex_data(X509 *r, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
 	}
 
+void *X509_get_ex_data(X509 *r, int idx)
+	{
+	return(CRYPTO_get_ex_data(&r->ex_data,idx));
+	}
+
+/* X509_AUX ASN1 routines. X509_AUX is the name given to
+ * a certificate with extra info tagged on the end. Since these
+ * functions set how a certificate is trusted they should only
+ * be used when the certificate comes from a reliable source
+ * such as local storage.
+ *
+ */
+
+X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length)
+{
+	unsigned char *q;
+	X509 *ret;
+	/* Save start position */
+	q = *pp;
+	ret = d2i_X509(a, pp, length);
+	/* If certificate unreadable then forget it */
+	if(!ret) return NULL;
+	/* update length */
+	length -= *pp - q;
+	if(!length) return ret;
+	if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
+	return ret;
+	err:
+	X509_free(ret);
+	return NULL;
+}
+
+int i2d_X509_AUX(X509 *a, unsigned char **pp)
+{
+	int length;
+	length = i2d_X509(a, pp);
+	if(a) length += i2d_X509_CERT_AUX(a->aux, pp);
+	return length;
+}
diff --git a/lib/libcrypto/bf/bf_cbc.c b/lib/libcrypto/bf/bf_cbc.c
index 95d1cdcdf92..f949629dc67 100644
--- a/lib/libcrypto/bf/bf_cbc.c
+++ b/lib/libcrypto/bf/bf_cbc.c
@@ -59,8 +59,8 @@
 #include <openssl/blowfish.h>
 #include "bf_locl.h"
 
-void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
-	     BF_KEY *ks, unsigned char *iv, int encrypt)
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int encrypt)
 	{
 	register BF_LONG tin0,tin1;
 	register BF_LONG tout0,tout1,xor0,xor1;
@@ -69,9 +69,9 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 
 	if (encrypt)
 		{
-		n2l(iv,tout0);
-		n2l(iv,tout1);
-		iv-=8;
+		n2l(ivec,tout0);
+		n2l(ivec,tout1);
+		ivec-=8;
 		for (l-=8; l>=0; l-=8)
 			{
 			n2l(in,tin0);
@@ -80,7 +80,7 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 			tin1^=tout1;
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_encrypt(tin,ks);
+			BF_encrypt(tin,schedule);
 			tout0=tin[0];
 			tout1=tin[1];
 			l2n(tout0,out);
@@ -93,27 +93,27 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 			tin1^=tout1;
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_encrypt(tin,ks);
+			BF_encrypt(tin,schedule);
 			tout0=tin[0];
 			tout1=tin[1];
 			l2n(tout0,out);
 			l2n(tout1,out);
 			}
-		l2n(tout0,iv);
-		l2n(tout1,iv);
+		l2n(tout0,ivec);
+		l2n(tout1,ivec);
 		}
 	else
 		{
-		n2l(iv,xor0);
-		n2l(iv,xor1);
-		iv-=8;
+		n2l(ivec,xor0);
+		n2l(ivec,xor1);
+		ivec-=8;
 		for (l-=8; l>=0; l-=8)
 			{
 			n2l(in,tin0);
 			n2l(in,tin1);
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_decrypt(tin,ks);
+			BF_decrypt(tin,schedule);
 			tout0=tin[0]^xor0;
 			tout1=tin[1]^xor1;
 			l2n(tout0,out);
@@ -127,15 +127,15 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 			n2l(in,tin1);
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_decrypt(tin,ks);
+			BF_decrypt(tin,schedule);
 			tout0=tin[0]^xor0;
 			tout1=tin[1]^xor1;
 			l2nn(tout0,tout1,out,l+8);
 			xor0=tin0;
 			xor1=tin1;
 			}
-		l2n(xor0,iv);
-		l2n(xor1,iv);
+		l2n(xor0,ivec);
+		l2n(xor1,ivec);
 		}
 	tin0=tin1=tout0=tout1=xor0=xor1=0;
 	tin[0]=tin[1]=0;
diff --git a/lib/libcrypto/bf/bf_cfb64.c b/lib/libcrypto/bf/bf_cfb64.c
index 1fb8905f49e..6451c8d407f 100644
--- a/lib/libcrypto/bf/bf_cfb64.c
+++ b/lib/libcrypto/bf/bf_cfb64.c
@@ -64,8 +64,8 @@
  * 64bit block we have used is contained in *num;
  */
 
-void BF_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	     BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt)
+void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt)
 	{
 	register BF_LONG v0,v1,t;
 	register int n= *num;
diff --git a/lib/libcrypto/bf/bf_ecb.c b/lib/libcrypto/bf/bf_ecb.c
index 9f8a24cdff5..341991636f4 100644
--- a/lib/libcrypto/bf/bf_ecb.c
+++ b/lib/libcrypto/bf/bf_ecb.c
@@ -61,11 +61,11 @@
 #include <openssl/opensslv.h>
 
 /* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
- * (From LECTURE NOTES IN COIMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
+ * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
  * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
  */
 
-const char *BF_version="BlowFish" OPENSSL_VERSION_PTEXT;
+const char *BF_version="Blowfish" OPENSSL_VERSION_PTEXT;
 
 const char *BF_options(void)
 	{
@@ -78,17 +78,17 @@ const char *BF_options(void)
 #endif
 	}
 
-void BF_ecb_encrypt(unsigned char *in, unsigned char *out, BF_KEY *ks,
-	     int encrypt)
+void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+	     const BF_KEY *key, int encrypt)
 	{
 	BF_LONG l,d[2];
 
 	n2l(in,l); d[0]=l;
 	n2l(in,l); d[1]=l;
 	if (encrypt)
-		BF_encrypt(d,ks);
+		BF_encrypt(d,key);
 	else
-		BF_decrypt(d,ks);
+		BF_decrypt(d,key);
 	l=d[0]; l2n(l,out);
 	l=d[1]; l2n(l,out);
 	l=d[0]=d[1]=0;
diff --git a/lib/libcrypto/bf/bf_enc.c b/lib/libcrypto/bf/bf_enc.c
index ee018345619..b380acf9594 100644
--- a/lib/libcrypto/bf/bf_enc.c
+++ b/lib/libcrypto/bf/bf_enc.c
@@ -60,7 +60,7 @@
 #include "bf_locl.h"
 
 /* Blowfish as implemented from 'Blowfish: Springer-Verlag paper'
- * (From LECTURE NOTES IN COIMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
+ * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
  * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
  */
 
@@ -69,10 +69,11 @@
 to modify the code.
 #endif
 
-void BF_encrypt(BF_LONG *data, BF_KEY *key)
+void BF_encrypt(BF_LONG *data, const BF_KEY *key)
 	{
 #ifndef BF_PTR2
-	register BF_LONG l,r,*p,*s;
+	register BF_LONG l,r;
+    const register BF_LONG *p,*s;
 
 	p=key->P;
 	s= &(key->S[0]);
@@ -145,10 +146,11 @@ void BF_encrypt(BF_LONG *data, BF_KEY *key)
 
 #ifndef BF_DEFAULT_OPTIONS
 
-void BF_decrypt(BF_LONG *data, BF_KEY *key)
+void BF_decrypt(BF_LONG *data, const BF_KEY *key)
 	{
 #ifndef BF_PTR2
-	register BF_LONG l,r,*p,*s;
+	register BF_LONG l,r;
+    const register BF_LONG *p,*s;
 
 	p=key->P;
 	s= &(key->S[0]);
@@ -219,8 +221,8 @@ void BF_decrypt(BF_LONG *data, BF_KEY *key)
 #endif
 	}
 
-void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
-	     BF_KEY *ks, unsigned char *iv, int encrypt)
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int encrypt)
 	{
 	register BF_LONG tin0,tin1;
 	register BF_LONG tout0,tout1,xor0,xor1;
@@ -229,9 +231,9 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 
 	if (encrypt)
 		{
-		n2l(iv,tout0);
-		n2l(iv,tout1);
-		iv-=8;
+		n2l(ivec,tout0);
+		n2l(ivec,tout1);
+		ivec-=8;
 		for (l-=8; l>=0; l-=8)
 			{
 			n2l(in,tin0);
@@ -240,7 +242,7 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 			tin1^=tout1;
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_encrypt(tin,ks);
+			BF_encrypt(tin,schedule);
 			tout0=tin[0];
 			tout1=tin[1];
 			l2n(tout0,out);
@@ -253,27 +255,27 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 			tin1^=tout1;
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_encrypt(tin,ks);
+			BF_encrypt(tin,schedule);
 			tout0=tin[0];
 			tout1=tin[1];
 			l2n(tout0,out);
 			l2n(tout1,out);
 			}
-		l2n(tout0,iv);
-		l2n(tout1,iv);
+		l2n(tout0,ivec);
+		l2n(tout1,ivec);
 		}
 	else
 		{
-		n2l(iv,xor0);
-		n2l(iv,xor1);
-		iv-=8;
+		n2l(ivec,xor0);
+		n2l(ivec,xor1);
+		ivec-=8;
 		for (l-=8; l>=0; l-=8)
 			{
 			n2l(in,tin0);
 			n2l(in,tin1);
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_decrypt(tin,ks);
+			BF_decrypt(tin,schedule);
 			tout0=tin[0]^xor0;
 			tout1=tin[1]^xor1;
 			l2n(tout0,out);
@@ -287,15 +289,15 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
 			n2l(in,tin1);
 			tin[0]=tin0;
 			tin[1]=tin1;
-			BF_decrypt(tin,ks);
+			BF_decrypt(tin,schedule);
 			tout0=tin[0]^xor0;
 			tout1=tin[1]^xor1;
 			l2nn(tout0,tout1,out,l+8);
 			xor0=tin0;
 			xor1=tin1;
 			}
-		l2n(xor0,iv);
-		l2n(xor1,iv);
+		l2n(xor0,ivec);
+		l2n(xor1,ivec);
 		}
 	tin0=tin1=tout0=tout1=xor0=xor1=0;
 	tin[0]=tin[1]=0;
diff --git a/lib/libcrypto/bf/bf_locl.h b/lib/libcrypto/bf/bf_locl.h
index 05756b5d3b6..cc7c3ec9922 100644
--- a/lib/libcrypto/bf/bf_locl.h
+++ b/lib/libcrypto/bf/bf_locl.h
@@ -148,7 +148,7 @@
                          *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
                          *((c)++)=(unsigned char)(((l)     )&0xff))
 
-/* This is actually a big endian algorithm, the most significate byte
+/* This is actually a big endian algorithm, the most significant byte
  * is used to lookup array 0 */
 
 #if defined(BF_PTR2)
@@ -183,8 +183,8 @@
 
 /*
  * This is normally very good on RISC platforms where normally you
- * have to explicitely "multiplicate" array index by sizeof(BF_LONG)
- * in order to caclulate the effective address. This implementation
+ * have to explicitly "multiply" array index by sizeof(BF_LONG)
+ * in order to calculate the effective address. This implementation
  * excuses CPU from this extra work. Power[PC] uses should have most
  * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
  * rlwinm. So let'em double-check if their compiler does it.
diff --git a/lib/libcrypto/bf/bf_ofb64.c b/lib/libcrypto/bf/bf_ofb64.c
index 8ceb8d9bdaa..f2a9ff6e417 100644
--- a/lib/libcrypto/bf/bf_ofb64.c
+++ b/lib/libcrypto/bf/bf_ofb64.c
@@ -63,8 +63,8 @@
  * used.  The extra state information to record how much of the
  * 64bit block we have used is contained in *num;
  */
-void BF_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	     BF_KEY *schedule, unsigned char *ivec, int *num)
+void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	     const BF_KEY *schedule, unsigned char *ivec, int *num)
 	{
 	register BF_LONG v0,v1,t;
 	register int n= *num;
diff --git a/lib/libcrypto/bf/bf_opts.c b/lib/libcrypto/bf/bf_opts.c
index 5f330cc53ce..bbe32b28c93 100644
--- a/lib/libcrypto/bf/bf_opts.c
+++ b/lib/libcrypto/bf/bf_opts.c
@@ -242,7 +242,7 @@ int main(int argc, char **argv)
 		}
 
 #ifndef TIMES
-	fprintf(stderr,"To get the most acurate results, try to run this\n");
+	fprintf(stderr,"To get the most accurate results, try to run this\n");
 	fprintf(stderr,"program when this computer is idle.\n");
 #endif
 
diff --git a/lib/libcrypto/bf/bf_pi.h b/lib/libcrypto/bf/bf_pi.h
index 417b9355385..9949513c682 100644
--- a/lib/libcrypto/bf/bf_pi.h
+++ b/lib/libcrypto/bf/bf_pi.h
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-static BF_KEY bf_init= {
+static const BF_KEY bf_init= {
 	{
 	0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L,
 	0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L,
diff --git a/lib/libcrypto/bf/bf_skey.c b/lib/libcrypto/bf/bf_skey.c
index eefa8e6f51d..4d6a232fe0f 100644
--- a/lib/libcrypto/bf/bf_skey.c
+++ b/lib/libcrypto/bf/bf_skey.c
@@ -62,11 +62,11 @@
 #include "bf_locl.h"
 #include "bf_pi.h"
 
-void BF_set_key(BF_KEY *key, int len, unsigned char *data)
+void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
 	{
 	int i;
 	BF_LONG *p,ri,in[2];
-	unsigned char *d,*end;
+	const unsigned char *d,*end;
 
 
 	memcpy((char *)key,(char *)&bf_init,sizeof(BF_KEY));
diff --git a/lib/libcrypto/bf/bfspeed.c b/lib/libcrypto/bf/bfspeed.c
index 9b893e92cc5..ecc9dff4e42 100644
--- a/lib/libcrypto/bf/bfspeed.c
+++ b/lib/libcrypto/bf/bfspeed.c
@@ -183,7 +183,7 @@ int main(int argc, char **argv)
 #endif
 
 #ifndef TIMES
-	printf("To get the most acurate results, try to run this\n");
+	printf("To get the most accurate results, try to run this\n");
 	printf("program when this computer is idle.\n");
 #endif
 
diff --git a/lib/libcrypto/bf/bftest.c b/lib/libcrypto/bf/bftest.c
index 6ecd2609a92..56952501954 100644
--- a/lib/libcrypto/bf/bftest.c
+++ b/lib/libcrypto/bf/bftest.c
@@ -76,18 +76,18 @@ int main(int argc, char *argv[])
 #include <openssl/ebcdic.h>
 #endif
 
-char *bf_key[2]={
+static char *bf_key[2]={
 	"abcdefghijklmnopqrstuvwxyz",
 	"Who is John Galt?"
 	};
 
 /* big endian */
-BF_LONG bf_plain[2][2]={
+static BF_LONG bf_plain[2][2]={
 	{0x424c4f57L,0x46495348L},
 	{0xfedcba98L,0x76543210L}
 	};
 
-BF_LONG bf_cipher[2][2]={
+static BF_LONG bf_cipher[2][2]={
 	{0x324ed0feL,0xf413a203L},
 	{0xcc91732bL,0x8022f684L}
 	};
@@ -228,16 +228,16 @@ static unsigned char ofb64_ok[]={
 	0x63,0xC2,0xCF,0x80,0xDA};
 
 #define KEY_TEST_NUM	25
-unsigned char key_test[KEY_TEST_NUM]={
+static unsigned char key_test[KEY_TEST_NUM]={
 	0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87,
 	0x78,0x69,0x5a,0x4b,0x3c,0x2d,0x1e,0x0f,
 	0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
 	0x88};
 
-unsigned char key_data[8]=
+static unsigned char key_data[8]=
 	{0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10};
 
-unsigned char key_out[KEY_TEST_NUM][8]={
+static unsigned char key_out[KEY_TEST_NUM][8]={
 	{0xF9,0xAD,0x59,0x7C,0x49,0xDB,0x00,0x5E},
 	{0xE9,0x1D,0x21,0xC1,0xD9,0x61,0xA6,0xD6},
 	{0xE9,0xC2,0xB7,0x0A,0x1B,0xC6,0x5C,0xF3},
diff --git a/lib/libcrypto/bf/blowfish.h b/lib/libcrypto/bf/blowfish.h
index 02f73b2f309..78acfd63b4d 100644
--- a/lib/libcrypto/bf/blowfish.h
+++ b/lib/libcrypto/bf/blowfish.h
@@ -103,17 +103,19 @@ typedef struct bf_key_st
 	} BF_KEY;
 
  
-void BF_set_key(BF_KEY *key, int len, unsigned char *data);
-void BF_ecb_encrypt(unsigned char *in,unsigned char *out,BF_KEY *key,
-	int enc);
-void BF_encrypt(BF_LONG *data,BF_KEY *key);
-void BF_decrypt(BF_LONG *data,BF_KEY *key);
-void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
-	BF_KEY *ks, unsigned char *iv, int enc);
-void BF_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	BF_KEY *schedule, unsigned char *ivec, int *num, int enc);
-void BF_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	BF_KEY *schedule, unsigned char *ivec, int *num);
+void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+
+void BF_encrypt(BF_LONG *data,const BF_KEY *key);
+void BF_decrypt(BF_LONG *data,const BF_KEY *key);
+
+void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+	const BF_KEY *key, int enc);
+void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int enc);
+void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+	const BF_KEY *schedule, unsigned char *ivec, int *num);
 const char *BF_options(void);
 
 #ifdef  __cplusplus
diff --git a/lib/libcrypto/bio/Makefile.ssl b/lib/libcrypto/bio/Makefile.ssl
index d9c381d2635..2e7480ead9d 100644
--- a/lib/libcrypto/bio/Makefile.ssl
+++ b/lib/libcrypto/bio/Makefile.ssl
@@ -90,17 +90,20 @@ b_dump.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 b_dump.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_dump.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-b_dump.o: ../../include/openssl/stack.h ../cryptlib.h
+b_dump.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_dump.o: ../cryptlib.h
 b_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 b_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-b_print.o: ../../include/openssl/stack.h ../cryptlib.h
+b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_print.o: ../cryptlib.h
 b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_sock.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-b_sock.o: ../../include/openssl/stack.h ../cryptlib.h
+b_sock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_sock.o: ../cryptlib.h
 bf_buff.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 bf_buff.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -151,60 +154,65 @@ bio_cb.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bio_cb.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_cb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_cb.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_cb.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_cb.o: ../cryptlib.h
 bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 bio_err.o: ../../include/openssl/err.h ../../include/openssl/opensslv.h
-bio_err.o: ../../include/openssl/stack.h
+bio_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bio_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bio_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+bio_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_lib.o: ../cryptlib.h
 bss_acpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_acpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_acpt.o: ../../include/openssl/opensslconf.h
-bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bss_acpt.o: ../cryptlib.h
+bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_acpt.o: ../../include/openssl/stack.h ../cryptlib.h
 bss_bio.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 bss_bio.o: ../../include/openssl/err.h ../../include/openssl/opensslv.h
-bss_bio.o: ../../include/openssl/stack.h
+bss_bio.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bss_conn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_conn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_conn.o: ../../include/openssl/opensslconf.h
-bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bss_conn.o: ../cryptlib.h
+bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_conn.o: ../../include/openssl/stack.h ../cryptlib.h
 bss_fd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_fd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_fd.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bss_fd.o: ../../include/openssl/stack.h ../cryptlib.h bss_sock.c
+bss_fd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_fd.o: ../cryptlib.h bss_sock.c
 bss_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_file.o: ../../include/openssl/opensslconf.h
-bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bss_file.o: ../cryptlib.h
+bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_file.o: ../../include/openssl/stack.h ../cryptlib.h
 bss_log.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_log.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_log.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bss_log.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_log.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_log.o: ../cryptlib.h
 bss_mem.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_mem.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_mem.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bss_mem.o: ../../include/openssl/stack.h ../cryptlib.h
+bss_mem.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bss_mem.o: ../cryptlib.h
 bss_null.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_null.o: ../../include/openssl/opensslconf.h
-bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bss_null.o: ../cryptlib.h
+bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_null.o: ../../include/openssl/stack.h ../cryptlib.h
 bss_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bss_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_sock.o: ../../include/openssl/opensslconf.h
-bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bss_sock.o: ../cryptlib.h
+bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bss_sock.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/lib/libcrypto/bio/b_dump.c b/lib/libcrypto/bio/b_dump.c
index a7cd8289785..f5aeb237f50 100644
--- a/lib/libcrypto/bio/b_dump.c
+++ b/lib/libcrypto/bio/b_dump.c
@@ -92,7 +92,7 @@ int BIO_dump(BIO *bio, const char *s, int len)
       if (((i*DUMP_WIDTH)+j)>=len) {
 	strcat(buf,"   ");
       } else {
-        ch=((unsigned char)*((char *)(s)+i*DUMP_WIDTH+j)) & 0xff;
+        ch=((unsigned char)*(s+i*DUMP_WIDTH+j)) & 0xff;
 	sprintf(tmp,"%02x%c",ch,j==7?'-':' ');
         strcat(buf,tmp);
       }
@@ -101,7 +101,7 @@ int BIO_dump(BIO *bio, const char *s, int len)
     for(j=0;j<DUMP_WIDTH;j++) {
       if (((i*DUMP_WIDTH)+j)>=len)
 	break;
-      ch=((unsigned char)*((char *)(s)+i*DUMP_WIDTH+j)) & 0xff;
+      ch=((unsigned char)*(s+i*DUMP_WIDTH+j)) & 0xff;
 #ifndef CHARSET_EBCDIC
       sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.');
 #else
diff --git a/lib/libcrypto/bio/b_print.c b/lib/libcrypto/bio/b_print.c
index f448004298a..2a5e8b58c9c 100644
--- a/lib/libcrypto/bio/b_print.c
+++ b/lib/libcrypto/bio/b_print.c
@@ -62,26 +62,649 @@
 
 #include <stdio.h>
 #include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
 #include "cryptlib.h"
+#ifndef NO_SYS_TYPES_H
+#include <sys/types.h>
+#endif
 #include <openssl/bio.h>
 
+#ifdef BN_LLONG
+# ifndef HAVE_LONG_LONG
+#  define HAVE_LONG_LONG
+# endif
+#endif
+
+static void dopr (char *buffer, size_t maxlen, size_t *retlen,
+	const char *format, va_list args);
+
 int BIO_printf (BIO *bio, ...)
 	{
 	va_list args;
 	char *format;
 	int ret;
+	size_t retlen;
 	MS_STATIC char hugebuf[1024*2]; /* 10k in one chunk is the limit */
 
 	va_start(args, bio);
 	format=va_arg(args, char *);
 
 	hugebuf[0]='\0';
-
-	vsprintf(hugebuf,format,args);
-
-	ret=BIO_write(bio,hugebuf,strlen(hugebuf));
+	dopr(hugebuf, sizeof(hugebuf), &retlen, format, args);
+	ret=BIO_write(bio, hugebuf, (int)retlen);
 
 	va_end(args);
 	return(ret);
 	}
 
+/*
+ * Copyright Patrick Powell 1995
+ * This code is based on code written by Patrick Powell <papowell@astart.com>
+ * It may be used for any purpose as long as this notice remains intact
+ * on all source code distributions.
+ */
+
+/*
+ * This code contains numerious changes and enhancements which were
+ * made by lots of contributors over the last years to Patrick Powell's
+ * original code:
+ *
+ * o Patrick Powell <papowell@astart.com>      (1995)
+ * o Brandon Long <blong@fiction.net>          (1996, for Mutt)
+ * o Thomas Roessler <roessler@guug.de>        (1998, for Mutt)
+ * o Michael Elkins <me@cs.hmc.edu>            (1998, for Mutt)
+ * o Andrew Tridgell <tridge@samba.org>        (1998, for Samba)
+ * o Luke Mewburn <lukem@netbsd.org>           (1999, for LukemFTP)
+ * o Ralf S. Engelschall <rse@engelschall.com> (1999, for Pth)
+ */
+
+#if HAVE_LONG_DOUBLE
+#define LDOUBLE long double
+#else
+#define LDOUBLE double
+#endif
+
+#if HAVE_LONG_LONG
+#define LLONG long long
+#else
+#define LLONG long
+#endif
+
+static void fmtstr     (char *, size_t *, size_t, char *, int, int, int);
+static void fmtint     (char *, size_t *, size_t, LLONG, int, int, int, int);
+static void fmtfp      (char *, size_t *, size_t, LDOUBLE, int, int, int);
+static void dopr_outch (char *, size_t *, size_t, int);
+
+/* format read states */
+#define DP_S_DEFAULT    0
+#define DP_S_FLAGS      1
+#define DP_S_MIN        2
+#define DP_S_DOT        3
+#define DP_S_MAX        4
+#define DP_S_MOD        5
+#define DP_S_CONV       6
+#define DP_S_DONE       7
+
+/* format flags - Bits */
+#define DP_F_MINUS      (1 << 0)
+#define DP_F_PLUS       (1 << 1)
+#define DP_F_SPACE      (1 << 2)
+#define DP_F_NUM        (1 << 3)
+#define DP_F_ZERO       (1 << 4)
+#define DP_F_UP         (1 << 5)
+#define DP_F_UNSIGNED   (1 << 6)
+
+/* conversion flags */
+#define DP_C_SHORT      1
+#define DP_C_LONG       2
+#define DP_C_LDOUBLE    3
+#define DP_C_LLONG      4
+
+/* some handy macros */
+#define char_to_int(p) (p - '0')
+#define MAX(p,q) ((p >= q) ? p : q)
+
+static void
+dopr(
+    char *buffer,
+    size_t maxlen,
+    size_t *retlen,
+    const char *format,
+    va_list args)
+{
+    char ch;
+    LLONG value;
+    LDOUBLE fvalue;
+    char *strvalue;
+    int min;
+    int max;
+    int state;
+    int flags;
+    int cflags;
+    size_t currlen;
+
+    state = DP_S_DEFAULT;
+    flags = currlen = cflags = min = 0;
+    max = -1;
+    ch = *format++;
+
+    while (state != DP_S_DONE) {
+        if ((ch == '\0') || (currlen >= maxlen))
+            state = DP_S_DONE;
+
+        switch (state) {
+        case DP_S_DEFAULT:
+            if (ch == '%')
+                state = DP_S_FLAGS;
+            else
+                dopr_outch(buffer, &currlen, maxlen, ch);
+            ch = *format++;
+            break;
+        case DP_S_FLAGS:
+            switch (ch) {
+            case '-':
+                flags |= DP_F_MINUS;
+                ch = *format++;
+                break;
+            case '+':
+                flags |= DP_F_PLUS;
+                ch = *format++;
+                break;
+            case ' ':
+                flags |= DP_F_SPACE;
+                ch = *format++;
+                break;
+            case '#':
+                flags |= DP_F_NUM;
+                ch = *format++;
+                break;
+            case '0':
+                flags |= DP_F_ZERO;
+                ch = *format++;
+                break;
+            default:
+                state = DP_S_MIN;
+                break;
+            }
+            break;
+        case DP_S_MIN:
+            if (isdigit((unsigned char)ch)) {
+                min = 10 * min + char_to_int(ch);
+                ch = *format++;
+            } else if (ch == '*') {
+                min = va_arg(args, int);
+                ch = *format++;
+                state = DP_S_DOT;
+            } else
+                state = DP_S_DOT;
+            break;
+        case DP_S_DOT:
+            if (ch == '.') {
+                state = DP_S_MAX;
+                ch = *format++;
+            } else
+                state = DP_S_MOD;
+            break;
+        case DP_S_MAX:
+            if (isdigit((unsigned char)ch)) {
+                if (max < 0)
+                    max = 0;
+                max = 10 * max + char_to_int(ch);
+                ch = *format++;
+            } else if (ch == '*') {
+                max = va_arg(args, int);
+                ch = *format++;
+                state = DP_S_MOD;
+            } else
+                state = DP_S_MOD;
+            break;
+        case DP_S_MOD:
+            switch (ch) {
+            case 'h':
+                cflags = DP_C_SHORT;
+                ch = *format++;
+                break;
+            case 'l':
+                if (*format == 'l') {
+                    cflags = DP_C_LLONG;
+                    format++;
+                } else
+                    cflags = DP_C_LONG;
+                ch = *format++;
+                break;
+            case 'q':
+                cflags = DP_C_LLONG;
+                ch = *format++;
+                break;
+            case 'L':
+                cflags = DP_C_LDOUBLE;
+                ch = *format++;
+                break;
+            default:
+                break;
+            }
+            state = DP_S_CONV;
+            break;
+        case DP_S_CONV:
+            switch (ch) {
+            case 'd':
+            case 'i':
+                switch (cflags) {
+                case DP_C_SHORT:
+                    value = (short int)va_arg(args, int);
+                    break;
+                case DP_C_LONG:
+                    value = va_arg(args, long int);
+                    break;
+                case DP_C_LLONG:
+                    value = va_arg(args, LLONG);
+                    break;
+                default:
+                    value = va_arg(args, int);
+                    break;
+                }
+                fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags);
+                break;
+            case 'X':
+                flags |= DP_F_UP;
+                /* FALLTHROUGH */
+            case 'x':
+            case 'o':
+            case 'u':
+                flags |= DP_F_UNSIGNED;
+                switch (cflags) {
+                case DP_C_SHORT:
+                    value = (unsigned short int)va_arg(args, unsigned int);
+                    break;
+                case DP_C_LONG:
+                    value = (LLONG) va_arg(args,
+                        unsigned long int);
+                    break;
+                case DP_C_LLONG:
+                    value = va_arg(args, unsigned LLONG);
+                    break;
+                default:
+                    value = (LLONG) va_arg(args,
+                        unsigned int);
+                    break;
+                }
+                fmtint(buffer, &currlen, maxlen, value,
+                       ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
+                       min, max, flags);
+                break;
+            case 'f':
+                if (cflags == DP_C_LDOUBLE)
+                    fvalue = va_arg(args, LDOUBLE);
+                else
+                    fvalue = va_arg(args, double);
+                fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags);
+                break;
+            case 'E':
+                flags |= DP_F_UP;
+            case 'e':
+                if (cflags == DP_C_LDOUBLE)
+                    fvalue = va_arg(args, LDOUBLE);
+                else
+                    fvalue = va_arg(args, double);
+                break;
+            case 'G':
+                flags |= DP_F_UP;
+            case 'g':
+                if (cflags == DP_C_LDOUBLE)
+                    fvalue = va_arg(args, LDOUBLE);
+                else
+                    fvalue = va_arg(args, double);
+                break;
+            case 'c':
+                dopr_outch(buffer, &currlen, maxlen,
+                    va_arg(args, int));
+                break;
+            case 's':
+                strvalue = va_arg(args, char *);
+                if (max < 0)
+                    max = maxlen;
+                fmtstr(buffer, &currlen, maxlen, strvalue,
+                    flags, min, max);
+                break;
+            case 'p':
+                value = (long)va_arg(args, void *);
+                fmtint(buffer, &currlen, maxlen,
+                    value, 16, min, max, flags);
+                break;
+            case 'n': /* XXX */
+                if (cflags == DP_C_SHORT) {
+                    short int *num;
+                    num = va_arg(args, short int *);
+                    *num = currlen;
+                } else if (cflags == DP_C_LONG) { /* XXX */
+                    long int *num;
+                    num = va_arg(args, long int *);
+                    *num = (long int) currlen;
+                } else if (cflags == DP_C_LLONG) { /* XXX */
+                    LLONG *num;
+                    num = va_arg(args, LLONG *);
+                    *num = (LLONG) currlen;
+                } else {
+                    int    *num;
+                    num = va_arg(args, int *);
+                    *num = currlen;
+                }
+                break;
+            case '%':
+                dopr_outch(buffer, &currlen, maxlen, ch);
+                break;
+            case 'w':
+                /* not supported yet, treat as next char */
+                ch = *format++;
+                break;
+            default:
+                /* unknown, skip */
+                break;
+            }
+            ch = *format++;
+            state = DP_S_DEFAULT;
+            flags = cflags = min = 0;
+            max = -1;
+            break;
+        case DP_S_DONE:
+            break;
+        default:
+            break;
+        }
+    }
+    if (currlen >= maxlen - 1)
+        currlen = maxlen - 1;
+    buffer[currlen] = '\0';
+    *retlen = currlen;
+    return;
+}
+
+static void
+fmtstr(
+    char *buffer,
+    size_t *currlen,
+    size_t maxlen,
+    char *value,
+    int flags,
+    int min,
+    int max)
+{
+    int padlen, strln;
+    int cnt = 0;
+
+    if (value == 0)
+        value = "<NULL>";
+    for (strln = 0; value[strln]; ++strln)
+        ;
+    padlen = min - strln;
+    if (padlen < 0)
+        padlen = 0;
+    if (flags & DP_F_MINUS)
+        padlen = -padlen;
+
+    while ((padlen > 0) && (cnt < max)) {
+        dopr_outch(buffer, currlen, maxlen, ' ');
+        --padlen;
+        ++cnt;
+    }
+    while (*value && (cnt < max)) {
+        dopr_outch(buffer, currlen, maxlen, *value++);
+        ++cnt;
+    }
+    while ((padlen < 0) && (cnt < max)) {
+        dopr_outch(buffer, currlen, maxlen, ' ');
+        ++padlen;
+        ++cnt;
+    }
+}
+
+static void
+fmtint(
+    char *buffer,
+    size_t *currlen,
+    size_t maxlen,
+    LLONG value,
+    int base,
+    int min,
+    int max,
+    int flags)
+{
+    int signvalue = 0;
+    unsigned LLONG uvalue;
+    char convert[20];
+    int place = 0;
+    int spadlen = 0;
+    int zpadlen = 0;
+    int caps = 0;
+
+    if (max < 0)
+        max = 0;
+    uvalue = value;
+    if (!(flags & DP_F_UNSIGNED)) {
+        if (value < 0) {
+            signvalue = '-';
+            uvalue = -value;
+        } else if (flags & DP_F_PLUS)
+            signvalue = '+';
+        else if (flags & DP_F_SPACE)
+            signvalue = ' ';
+    }
+    if (flags & DP_F_UP)
+        caps = 1;
+    do {
+        convert[place++] =
+            (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+            [uvalue % (unsigned) base];
+        uvalue = (uvalue / (unsigned) base);
+    } while (uvalue && (place < 20));
+    if (place == 20)
+        place--;
+    convert[place] = 0;
+
+    zpadlen = max - place;
+    spadlen = min - MAX(max, place) - (signvalue ? 1 : 0);
+    if (zpadlen < 0)
+        zpadlen = 0;
+    if (spadlen < 0)
+        spadlen = 0;
+    if (flags & DP_F_ZERO) {
+        zpadlen = MAX(zpadlen, spadlen);
+        spadlen = 0;
+    }
+    if (flags & DP_F_MINUS)
+        spadlen = -spadlen;
+
+    /* spaces */
+    while (spadlen > 0) {
+        dopr_outch(buffer, currlen, maxlen, ' ');
+        --spadlen;
+    }
+
+    /* sign */
+    if (signvalue)
+        dopr_outch(buffer, currlen, maxlen, signvalue);
+
+    /* zeros */
+    if (zpadlen > 0) {
+        while (zpadlen > 0) {
+            dopr_outch(buffer, currlen, maxlen, '0');
+            --zpadlen;
+        }
+    }
+    /* digits */
+    while (place > 0)
+        dopr_outch(buffer, currlen, maxlen, convert[--place]);
+
+    /* left justified spaces */
+    while (spadlen < 0) {
+        dopr_outch(buffer, currlen, maxlen, ' ');
+        ++spadlen;
+    }
+    return;
+}
+
+static LDOUBLE
+abs_val(LDOUBLE value)
+{
+    LDOUBLE result = value;
+    if (value < 0)
+        result = -value;
+    return result;
+}
+
+static LDOUBLE
+pow10(int exp)
+{
+    LDOUBLE result = 1;
+    while (exp) {
+        result *= 10;
+        exp--;
+    }
+    return result;
+}
+
+static long
+round(LDOUBLE value)
+{
+    long intpart;
+    intpart = (long) value;
+    value = value - intpart;
+    if (value >= 0.5)
+        intpart++;
+    return intpart;
+}
+
+static void
+fmtfp(
+    char *buffer,
+    size_t *currlen,
+    size_t maxlen,
+    LDOUBLE fvalue,
+    int min,
+    int max,
+    int flags)
+{
+    int signvalue = 0;
+    LDOUBLE ufvalue;
+    char iconvert[20];
+    char fconvert[20];
+    int iplace = 0;
+    int fplace = 0;
+    int padlen = 0;
+    int zpadlen = 0;
+    int caps = 0;
+    long intpart;
+    long fracpart;
+
+    if (max < 0)
+        max = 6;
+    ufvalue = abs_val(fvalue);
+    if (fvalue < 0)
+        signvalue = '-';
+    else if (flags & DP_F_PLUS)
+        signvalue = '+';
+    else if (flags & DP_F_SPACE)
+        signvalue = ' ';
+
+    intpart = (long)ufvalue;
+
+    /* sorry, we only support 9 digits past the decimal because of our
+       conversion method */
+    if (max > 9)
+        max = 9;
+
+    /* we "cheat" by converting the fractional part to integer by
+       multiplying by a factor of 10 */
+    fracpart = round((pow10(max)) * (ufvalue - intpart));
+
+    if (fracpart >= pow10(max)) {
+        intpart++;
+        fracpart -= (long)pow10(max);
+    }
+
+    /* convert integer part */
+    do {
+        iconvert[iplace++] =
+            (caps ? "0123456789ABCDEF"
+              : "0123456789abcdef")[intpart % 10];
+        intpart = (intpart / 10);
+    } while (intpart && (iplace < 20));
+    if (iplace == 20)
+        iplace--;
+    iconvert[iplace] = 0;
+
+    /* convert fractional part */
+    do {
+        fconvert[fplace++] =
+            (caps ? "0123456789ABCDEF"
+              : "0123456789abcdef")[fracpart % 10];
+        fracpart = (fracpart / 10);
+    } while (fracpart && (fplace < 20));
+    if (fplace == 20)
+        fplace--;
+    fconvert[fplace] = 0;
+
+    /* -1 for decimal point, another -1 if we are printing a sign */
+    padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
+    zpadlen = max - fplace;
+    if (zpadlen < 0)
+        zpadlen = 0;
+    if (padlen < 0)
+        padlen = 0;
+    if (flags & DP_F_MINUS)
+        padlen = -padlen;
+
+    if ((flags & DP_F_ZERO) && (padlen > 0)) {
+        if (signvalue) {
+            dopr_outch(buffer, currlen, maxlen, signvalue);
+            --padlen;
+            signvalue = 0;
+        }
+        while (padlen > 0) {
+            dopr_outch(buffer, currlen, maxlen, '0');
+            --padlen;
+        }
+    }
+    while (padlen > 0) {
+        dopr_outch(buffer, currlen, maxlen, ' ');
+        --padlen;
+    }
+    if (signvalue)
+        dopr_outch(buffer, currlen, maxlen, signvalue);
+
+    while (iplace > 0)
+        dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]);
+
+    /*
+     * Decimal point. This should probably use locale to find the correct
+     * char to print out.
+     */
+    if (max > 0) {
+        dopr_outch(buffer, currlen, maxlen, '.');
+
+        while (fplace > 0)
+            dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]);
+    }
+    while (zpadlen > 0) {
+        dopr_outch(buffer, currlen, maxlen, '0');
+        --zpadlen;
+    }
+
+    while (padlen < 0) {
+        dopr_outch(buffer, currlen, maxlen, ' ');
+        ++padlen;
+    }
+}
+
+static void
+dopr_outch(
+    char *buffer,
+    size_t *currlen,
+    size_t maxlen,
+    int c)
+{
+    if (*currlen < maxlen)
+        buffer[(*currlen)++] = (char)c;
+    return;
+}
diff --git a/lib/libcrypto/bio/b_sock.c b/lib/libcrypto/bio/b_sock.c
index d29b29ff8b3..6409f98f570 100644
--- a/lib/libcrypto/bio/b_sock.c
+++ b/lib/libcrypto/bio/b_sock.c
@@ -163,7 +163,14 @@ int BIO_get_port(const char *str, unsigned short *port_ptr)
 	else
 		{
 		CRYPTO_w_lock(CRYPTO_LOCK_GETSERVBYNAME);
- 		s=getservbyname(str,"tcp");
+		/* Note: under VMS with SOCKETSHR, it seems like the first
+		 * parameter is 'char *', instead of 'const char *'
+		 */
+ 		s=getservbyname(
+#ifndef CONST_STRICT
+		    (char *)
+#endif
+		    str,"tcp");
 		if(s != NULL)
 			*port_ptr=ntohs((unsigned short)s->s_port);
 		CRYPTO_w_unlock(CRYPTO_LOCK_GETSERVBYNAME);
@@ -282,12 +289,12 @@ static struct hostent *ghbn_dup(struct hostent *a)
 
 	j=strlen(a->h_name)+1;
 	if ((ret->h_name=Malloc(j)) == NULL) goto err;
-	memcpy((char *)ret->h_name,a->h_name,j+1);
+	memcpy((char *)ret->h_name,a->h_name,j);
 	for (i=0; a->h_aliases[i] != NULL; i++)
 		{
 		j=strlen(a->h_aliases[i])+1;
 		if ((ret->h_aliases[i]=Malloc(j)) == NULL) goto err;
-		memcpy(ret->h_aliases[i],a->h_aliases[i],j+1);
+		memcpy(ret->h_aliases[i],a->h_aliases[i],j);
 		}
 	ret->h_length=a->h_length;
 	ret->h_addrtype=a->h_addrtype;
@@ -327,7 +334,7 @@ static void ghbn_free(struct hostent *a)
 			Free(a->h_addr_list[i]);
 		Free(a->h_addr_list);
 		}
-	if (a->h_name != NULL) Free((char *)a->h_name);
+	if (a->h_name != NULL) Free(a->h_name);
 	Free(a);
 	}
 
@@ -368,7 +375,14 @@ struct hostent *BIO_gethostbyname(const char *name)
 	if (i == GHBN_NUM) /* no hit*/
 		{
 		BIO_ghbn_miss++;
-		ret=gethostbyname(name);
+		/* Note: under VMS with SOCKETSHR, it seems like the first
+		 * parameter is 'char *', instead of 'const char *'
+		 */
+		ret=gethostbyname(
+#ifndef CONST_STRICT
+		    (char *)
+#endif
+		    name);
 
 		if (ret == NULL)
 			goto end;
diff --git a/lib/libcrypto/bio/bf_buff.c b/lib/libcrypto/bio/bf_buff.c
index acd81481389..ff0c9070ae1 100644
--- a/lib/libcrypto/bio/bf_buff.c
+++ b/lib/libcrypto/bio/bf_buff.c
@@ -69,6 +69,7 @@ static int buffer_gets(BIO *h,char *str,int size);
 static long buffer_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int buffer_new(BIO *h);
 static int buffer_free(BIO *data);
+static long buffer_callback_ctrl(BIO *h,int cmd, void (*fp)());
 #define DEFAULT_BUFFER_SIZE	1024
 
 static BIO_METHOD methods_buffer=
@@ -82,6 +83,7 @@ static BIO_METHOD methods_buffer=
 	buffer_ctrl,
 	buffer_new,
 	buffer_free,
+	buffer_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_buffer(void)
@@ -284,6 +286,7 @@ static long buffer_ctrl(BIO *b, int cmd, long num, char *ptr)
 		ctx->ibuf_len=0;
 		ctx->obuf_off=0;
 		ctx->obuf_len=0;
+		if (b->next_bio == NULL) return(0);
 		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
 		break;
 	case BIO_CTRL_INFO:
@@ -300,12 +303,18 @@ static long buffer_ctrl(BIO *b, int cmd, long num, char *ptr)
 	case BIO_CTRL_WPENDING:
 		ret=(long)ctx->obuf_len;
 		if (ret == 0)
+			{
+			if (b->next_bio == NULL) return(0);
 			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+			}
 		break;
 	case BIO_CTRL_PENDING:
 		ret=(long)ctx->ibuf_len;
 		if (ret == 0)
+			{
+			if (b->next_bio == NULL) return(0);
 			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+			}
 		break;
 	case BIO_C_SET_BUFF_READ_DATA:
 		if (num > ctx->ibuf_size)
@@ -374,12 +383,14 @@ static long buffer_ctrl(BIO *b, int cmd, long num, char *ptr)
 			}
 		break;
 	case BIO_C_DO_STATE_MACHINE:
+		if (b->next_bio == NULL) return(0);
 		BIO_clear_retry_flags(b);
 		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
 		BIO_copy_next_retry(b);
 		break;
 
 	case BIO_CTRL_FLUSH:
+		if (b->next_bio == NULL) return(0);
 		if (ctx->obuf_len <= 0)
 			{
 			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
@@ -418,6 +429,7 @@ fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_
 			ret=0;
 		break;
 	default:
+		if (b->next_bio == NULL) return(0);
 		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
 		break;
 		}
@@ -427,6 +439,20 @@ malloc_error:
 	return(0);
 	}
 
+static long buffer_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 static int buffer_gets(BIO *b, char *buf, int size)
 	{
 	BIO_F_BUFFER_CTX *ctx;
diff --git a/lib/libcrypto/bio/bf_nbio.c b/lib/libcrypto/bio/bf_nbio.c
index cbec2bae29a..5e574b72316 100644
--- a/lib/libcrypto/bio/bf_nbio.c
+++ b/lib/libcrypto/bio/bf_nbio.c
@@ -73,6 +73,7 @@ static int nbiof_gets(BIO *h,char *str,int size);
 static long nbiof_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int nbiof_new(BIO *h);
 static int nbiof_free(BIO *data);
+static long nbiof_callback_ctrl(BIO *h,int cmd,void (*fp)());
 typedef struct nbio_test_st
 	{
 	/* only set if we sent a 'should retry' error */
@@ -91,6 +92,7 @@ static BIO_METHOD methods_nbiof=
 	nbiof_ctrl,
 	nbiof_new,
 	nbiof_free,
+	nbiof_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_nbio_test(void)
@@ -137,7 +139,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
 	BIO_clear_retry_flags(b);
 #if 0
-	RAND_bytes(&n,1);
+	RAND_pseudo_bytes(&n,1);
 	num=(n&0x07);
 
 	if (outl > num) outl=num;
@@ -178,7 +180,7 @@ static int nbiof_write(BIO *b, char *in, int inl)
 		}
 	else
 		{
-		RAND_bytes(&n,1);
+		RAND_pseudo_bytes(&n,1);
 		num=(n&7);
 		}
 
@@ -224,6 +226,20 @@ static long nbiof_ctrl(BIO *b, int cmd, long num, char *ptr)
 	return(ret);
 	}
 
+static long nbiof_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 static int nbiof_gets(BIO *bp, char *buf, int size)
 	{
 	if (bp->next_bio == NULL) return(0);
diff --git a/lib/libcrypto/bio/bf_null.c b/lib/libcrypto/bio/bf_null.c
index 3254a55dce7..0d183a6d9a4 100644
--- a/lib/libcrypto/bio/bf_null.c
+++ b/lib/libcrypto/bio/bf_null.c
@@ -72,6 +72,7 @@ static int nullf_gets(BIO *h,char *str,int size);
 static long nullf_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int nullf_new(BIO *h);
 static int nullf_free(BIO *data);
+static long nullf_callback_ctrl(BIO *h,int cmd,void (*fp)());
 static BIO_METHOD methods_nullf=
 	{
 	BIO_TYPE_NULL_FILTER,
@@ -83,6 +84,7 @@ static BIO_METHOD methods_nullf=
 	nullf_ctrl,
 	nullf_new,
 	nullf_free,
+	nullf_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_null(void)
@@ -152,6 +154,20 @@ static long nullf_ctrl(BIO *b, int cmd, long num, char *ptr)
 	return(ret);
 	}
 
+static long nullf_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 static int nullf_gets(BIO *bp, char *buf, int size)
 	{
 	if (bp->next_bio == NULL) return(0);
diff --git a/lib/libcrypto/bio/bio.h b/lib/libcrypto/bio/bio.h
index 54bf622a3bd..bc08401eebf 100644
--- a/lib/libcrypto/bio/bio.h
+++ b/lib/libcrypto/bio/bio.h
@@ -76,7 +76,7 @@ extern "C" {
 #define BIO_TYPE_SOCKET		(5|0x0400|0x0100)
 #define BIO_TYPE_NULL		(6|0x0400)
 #define BIO_TYPE_SSL		(7|0x0200)
-#define BIO_TYPE_MD		(8|0x0200)		/* pasive filter */
+#define BIO_TYPE_MD		(8|0x0200)		/* passive filter */
 #define BIO_TYPE_BUFFER		(9|0x0200)		/* filter */
 #define BIO_TYPE_CIPHER		(10|0x0200)		/* filter */
 #define BIO_TYPE_BASE64		(11|0x0200)		/* filter */
@@ -147,6 +147,11 @@ extern "C" {
 
 #define BIO_FLAGS_BASE64_NO_NL	0x100
 
+/* This is used with memory BIOs: it means we shouldn't free up or change the
+ * data in any way.
+ */
+#define BIO_FLAGS_MEM_RDONLY	0x200
+
 #define BIO_set_flags(b,f) ((b)->flags|=(f))
 #define BIO_get_flags(b) ((b)->flags)
 #define BIO_set_retry_special(b) \
@@ -163,7 +168,7 @@ extern "C" {
 #define BIO_get_retry_flags(b) \
 		((b)->flags&(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY))
 
-/* These shouldbe used by the application to tell why we should retry */
+/* These should be used by the application to tell why we should retry */
 #define BIO_should_read(a)		((a)->flags & BIO_FLAGS_READ)
 #define BIO_should_write(a)		((a)->flags & BIO_FLAGS_WRITE)
 #define BIO_should_io_special(a)	((a)->flags & BIO_FLAGS_IO_SPECIAL)
@@ -214,6 +219,7 @@ typedef struct bio_method_st
 	long (*ctrl)();
 	int (*create)();
 	int (*destroy)();
+	long (*callback_ctrl)();
 	} BIO_METHOD;
 #else
 typedef struct bio_method_st
@@ -227,6 +233,7 @@ typedef struct bio_method_st
 	long (_far *ctrl)();
 	int (_far *create)();
 	int (_far *destroy)();
+	long (_fat *callback_ctrl)();
 	} BIO_METHOD;
 #endif
 
@@ -278,9 +285,6 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_CONN_S_NBIO			8
 /*#define BIO_CONN_get_param_hostname	BIO_ctrl */
 
-#define BIO_number_read(b)	((b)->num_read)
-#define BIO_number_written(b)	((b)->num_write)
-
 #define BIO_C_SET_CONNECT			100
 #define BIO_C_DO_STATE_MACHINE			101
 #define BIO_C_SET_NBIO				102
@@ -325,9 +329,14 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_C_GET_WRITE_GUARANTEE		140
 #define BIO_C_GET_READ_REQUEST			141
 #define BIO_C_SHUTDOWN_WR			142
+#define BIO_C_NREAD0				143
+#define BIO_C_NREAD				144
+#define BIO_C_NWRITE0				145
+#define BIO_C_NWRITE				146
+#define BIO_C_RESET_READ_REQUEST		147
 
 
-#define BIO_set_app_data(s,arg)		BIO_set_ex_data(s,0,(char *)arg)
+#define BIO_set_app_data(s,arg)		BIO_set_ex_data(s,0,arg)
 #define BIO_get_app_data(s)		BIO_get_ex_data(s,0)
 
 /* BIO_s_connect() and BIO_s_socks4a_connect() */
@@ -366,7 +375,7 @@ typedef struct bio_f_buffer_ctx_struct
 /* BIO_set_nbio(b,n) */
 #define BIO_set_filter_bio(b,s) BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,2,(char *)(s))
 /* BIO *BIO_get_filter_bio(BIO *bio); */
-#define BIO_set_proxy_cb(b,cb) BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,3,(char *)(cb))
+#define BIO_set_proxy_cb(b,cb) BIO_callback_ctrl(b,BIO_C_SET_PROXY_PARAM,3,(void *(*cb)()))
 #define BIO_set_proxy_header(b,sk) BIO_ctrl(b,BIO_C_SET_PROXY_PARAM,4,(char *)sk)
 #define BIO_set_no_connect_return(b,bool) BIO_int_ctrl(b,BIO_C_SET_PROXY_PARAM,5,bool)
 
@@ -445,8 +454,8 @@ int BIO_read_filename(BIO *b,const char *name);
 size_t BIO_ctrl_pending(BIO *b);
 size_t BIO_ctrl_wpending(BIO *b);
 #define BIO_flush(b)		(int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)
-#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0,(char *)cbp)
-#define BIO_set_info_callback(b,cb) (int)BIO_ctrl(b,BIO_CTRL_SET_CALLBACK,0,(char *)cb)
+#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0,(void (**)())(cbp))
+#define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,(void (*)())(cb))
 
 /* For the BIO_f_buffer() type */
 #define BIO_buffer_get_num_lines(b) BIO_ctrl(b,BIO_CTRL_GET,0,NULL)
@@ -461,8 +470,7 @@ size_t BIO_ctrl_wpending(BIO *b);
 #define BIO_get_read_request(b)    (int)BIO_ctrl(b,BIO_C_GET_READ_REQUEST,0,NULL)
 size_t BIO_ctrl_get_write_guarantee(BIO *b);
 size_t BIO_ctrl_get_read_request(BIO *b);
-
-
+int BIO_ctrl_reset_read_request(BIO *b);
 
 #ifdef NO_STDIO
 #define NO_FP_API
@@ -472,10 +480,12 @@ size_t BIO_ctrl_get_read_request(BIO *b);
 /* These two aren't currently implemented */
 /* int BIO_get_ex_num(BIO *bio); */
 /* void BIO_set_ex_free_func(BIO *bio,int idx,void (*cb)()); */
-int BIO_set_ex_data(BIO *bio,int idx,char *data);
-char *BIO_get_ex_data(BIO *bio,int idx);
-int BIO_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	int (*dup_func)(), void (*free_func)());
+int BIO_set_ex_data(BIO *bio,int idx,void *data);
+void *BIO_get_ex_data(BIO *bio,int idx);
+int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+unsigned long BIO_number_read(BIO *bio);
+unsigned long BIO_number_written(BIO *bio);
 
 #  if defined(WIN16) && defined(_WINDLL)
 BIO_METHOD *BIO_s_file_internal(void);
@@ -500,6 +510,7 @@ int	BIO_gets(BIO *bp,char *buf, int size);
 int	BIO_write(BIO *b, const char *data, int len);
 int	BIO_puts(BIO *bp,const char *buf);
 long	BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
+long	BIO_callback_ctrl(BIO *bp,int cmd,void (*fp)());
 char *	BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
 long	BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg);
 BIO *	BIO_push(BIO *b,BIO *append);
@@ -510,6 +521,11 @@ BIO *	BIO_get_retry_BIO(BIO *bio, int *reason);
 int	BIO_get_retry_reason(BIO *bio);
 BIO *	BIO_dup_chain(BIO *in);
 
+int BIO_nread0(BIO *bio, char **buf);
+int BIO_nread(BIO *bio, char **buf, int num);
+int BIO_nwrite0(BIO *bio, char **buf);
+int BIO_nwrite(BIO *bio, char **buf, int num);
+
 #ifndef WIN16
 long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
 	long argl,long ret);
@@ -519,6 +535,7 @@ long _far _loadds BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
 #endif
 
 BIO_METHOD *BIO_s_mem(void);
+BIO *BIO_new_mem_buf(void *buf, int len);
 BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);
@@ -597,11 +614,17 @@ int BIO_printf(BIO *bio, ...);
 #define BIO_F_BIO_MAKE_PAIR				 121
 #define BIO_F_BIO_NEW					 108
 #define BIO_F_BIO_NEW_FILE				 109
+#define BIO_F_BIO_NEW_MEM_BUF				 126
+#define BIO_F_BIO_NREAD					 123
+#define BIO_F_BIO_NREAD0				 124
+#define BIO_F_BIO_NWRITE				 125
+#define BIO_F_BIO_NWRITE0				 122
 #define BIO_F_BIO_PUTS					 110
 #define BIO_F_BIO_READ					 111
 #define BIO_F_BIO_SOCK_INIT				 112
 #define BIO_F_BIO_WRITE					 113
 #define BIO_F_BUFFER_CTRL				 114
+#define BIO_F_CONN_CTRL					 127
 #define BIO_F_CONN_STATE				 115
 #define BIO_F_FILE_CTRL					 116
 #define BIO_F_MEM_WRITE					 117
@@ -634,6 +657,7 @@ int BIO_printf(BIO *bio, ...);
 #define BIO_R_UNABLE_TO_LISTEN_SOCKET			 119
 #define BIO_R_UNINITIALIZED				 120
 #define BIO_R_UNSUPPORTED_METHOD			 121
+#define BIO_R_WRITE_TO_READ_ONLY_BIO			 126
 #define BIO_R_WSASTARTUP				 122
 
 #ifdef  __cplusplus
diff --git a/lib/libcrypto/bio/bio_err.c b/lib/libcrypto/bio/bio_err.c
index 712d98a3a1a..b5f07de5a05 100644
--- a/lib/libcrypto/bio/bio_err.c
+++ b/lib/libcrypto/bio/bio_err.c
@@ -77,11 +77,17 @@ static ERR_STRING_DATA BIO_str_functs[]=
 {ERR_PACK(0,BIO_F_BIO_MAKE_PAIR,0),	"BIO_MAKE_PAIR"},
 {ERR_PACK(0,BIO_F_BIO_NEW,0),	"BIO_new"},
 {ERR_PACK(0,BIO_F_BIO_NEW_FILE,0),	"BIO_new_file"},
+{ERR_PACK(0,BIO_F_BIO_NEW_MEM_BUF,0),	"BIO_new_mem_buf"},
+{ERR_PACK(0,BIO_F_BIO_NREAD,0),	"BIO_nread"},
+{ERR_PACK(0,BIO_F_BIO_NREAD0,0),	"BIO_nread0"},
+{ERR_PACK(0,BIO_F_BIO_NWRITE,0),	"BIO_nwrite"},
+{ERR_PACK(0,BIO_F_BIO_NWRITE0,0),	"BIO_nwrite0"},
 {ERR_PACK(0,BIO_F_BIO_PUTS,0),	"BIO_puts"},
 {ERR_PACK(0,BIO_F_BIO_READ,0),	"BIO_read"},
 {ERR_PACK(0,BIO_F_BIO_SOCK_INIT,0),	"BIO_sock_init"},
 {ERR_PACK(0,BIO_F_BIO_WRITE,0),	"BIO_write"},
 {ERR_PACK(0,BIO_F_BUFFER_CTRL,0),	"BUFFER_CTRL"},
+{ERR_PACK(0,BIO_F_CONN_CTRL,0),	"CONN_CTRL"},
 {ERR_PACK(0,BIO_F_CONN_STATE,0),	"CONN_STATE"},
 {ERR_PACK(0,BIO_F_FILE_CTRL,0),	"FILE_CTRL"},
 {ERR_PACK(0,BIO_F_MEM_WRITE,0),	"MEM_WRITE"},
@@ -117,6 +123,7 @@ static ERR_STRING_DATA BIO_str_reasons[]=
 {BIO_R_UNABLE_TO_LISTEN_SOCKET           ,"unable to listen socket"},
 {BIO_R_UNINITIALIZED                     ,"uninitialized"},
 {BIO_R_UNSUPPORTED_METHOD                ,"unsupported method"},
+{BIO_R_WRITE_TO_READ_ONLY_BIO            ,"write to read only bio"},
 {BIO_R_WSASTARTUP                        ,"wsastartup"},
 {0,NULL}
 	};
diff --git a/lib/libcrypto/bio/bio_lib.c b/lib/libcrypto/bio/bio_lib.c
index b72688ea901..cf8e6150fd5 100644
--- a/lib/libcrypto/bio/bio_lib.c
+++ b/lib/libcrypto/bio/bio_lib.c
@@ -63,7 +63,7 @@
 #include <openssl/bio.h>
 #include <openssl/stack.h>
 
-static STACK *bio_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
 static int bio_meth_num=0;
 
 BIO *BIO_new(BIO_METHOD *method)
@@ -100,7 +100,7 @@ int BIO_set(BIO *bio, BIO_METHOD *method)
 	bio->references=1;
 	bio->num_read=0L;
 	bio->num_write=0L;
-	CRYPTO_new_ex_data(bio_meth,(char *)bio,&bio->ex_data);
+	CRYPTO_new_ex_data(bio_meth,bio,&bio->ex_data);
 	if (method->create != NULL)
 		if (!method->create(bio))
 			return(0);
@@ -129,7 +129,7 @@ int BIO_free(BIO *a)
 		((i=(int)a->callback(a,BIO_CB_FREE,NULL,0,0L,1L)) <= 0))
 			return(i);
 
-	CRYPTO_free_ex_data(bio_meth,(char *)a,&a->ex_data);
+	CRYPTO_free_ex_data(bio_meth,a,&a->ex_data);
 
 	if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
 	ret=a->method->destroy(a);
@@ -317,16 +317,43 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg)
 	return(ret);
 	}
 
+long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret;
+	long (*cb)();
+
+	if (b == NULL) return(0);
+
+	if ((b->method == NULL) || (b->method->callback_ctrl == NULL))
+		{
+		BIOerr(BIO_F_BIO_CTRL,BIO_R_UNSUPPORTED_METHOD);
+		return(-2);
+		}
+
+	cb=b->callback;
+
+	if ((cb != NULL) &&
+		((ret=cb(b,BIO_CB_CTRL,(void *)&fp,cmd,0,1L)) <= 0))
+		return(ret);
+
+	ret=b->method->callback_ctrl(b,cmd,fp);
+
+	if (cb != NULL)
+		ret=cb(b,BIO_CB_CTRL|BIO_CB_RETURN,(void *)&fp,cmd,
+			0,ret);
+	return(ret);
+	}
+
 /* It is unfortunate to duplicate in functions what the BIO_(w)pending macros
  * do; but those macros have inappropriate return type, and for interfacing
  * from other programming languages, C macros aren't much of a help anyway. */
 size_t BIO_ctrl_pending(BIO *bio)
-    {
+	{
 	return BIO_ctrl(bio, BIO_CTRL_PENDING, 0, NULL);
 	}
 
 size_t BIO_ctrl_wpending(BIO *bio)
-    {
+	{
 	return BIO_ctrl(bio, BIO_CTRL_WPENDING, 0, NULL);
 	}
 
@@ -476,21 +503,32 @@ void BIO_copy_next_retry(BIO *b)
 	b->retry_reason=b->next_bio->retry_reason;
 	}
 
-int BIO_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	     int (*dup_func)(), void (*free_func)())
+int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 	{
 	bio_meth_num++;
 	return(CRYPTO_get_ex_new_index(bio_meth_num-1,&bio_meth,
 		argl,argp,new_func,dup_func,free_func));
 	}
 
-int BIO_set_ex_data(BIO *bio, int idx, char *data)
+int BIO_set_ex_data(BIO *bio, int idx, void *data)
 	{
 	return(CRYPTO_set_ex_data(&(bio->ex_data),idx,data));
 	}
 
-char *BIO_get_ex_data(BIO *bio, int idx)
+void *BIO_get_ex_data(BIO *bio, int idx)
 	{
 	return(CRYPTO_get_ex_data(&(bio->ex_data),idx));
 	}
 
+unsigned long BIO_number_read(BIO *bio)
+{
+	if(bio) return bio->num_read;
+	return 0;
+}
+
+unsigned long BIO_number_written(BIO *bio)
+{
+	if(bio) return bio->num_write;
+	return 0;
+}
diff --git a/lib/libcrypto/bio/bss_acpt.c b/lib/libcrypto/bio/bss_acpt.c
index 47af80f76d5..9afa6364069 100644
--- a/lib/libcrypto/bio/bss_acpt.c
+++ b/lib/libcrypto/bio/bss_acpt.c
@@ -118,6 +118,7 @@ static BIO_METHOD methods_acceptp=
 	acpt_ctrl,
 	acpt_new,
 	acpt_free,
+	NULL,
 	};
 
 BIO_METHOD *BIO_s_accept(void)
diff --git a/lib/libcrypto/bio/bss_bio.c b/lib/libcrypto/bio/bss_bio.c
index 562e9d8de27..0d0f9356f7d 100644
--- a/lib/libcrypto/bio/bss_bio.c
+++ b/lib/libcrypto/bio/bss_bio.c
@@ -13,6 +13,7 @@
 #endif
 
 #include <assert.h>
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -40,7 +41,8 @@ static BIO_METHOD methods_biop =
 	NULL /* no bio_gets */,
 	bio_ctrl,
 	bio_new,
-	bio_free
+	bio_free,
+	NULL /* no bio_callback_ctrl */
 };
 
 BIO_METHOD *BIO_s_bio(void)
@@ -64,7 +66,7 @@ struct bio_bio_st
 
 	size_t request; /* valid iff peer != NULL; 0 if len != 0,
 	                 * otherwise set by peer to number of bytes
-	                 * it (unsuccesfully) tried to read,
+	                 * it (unsuccessfully) tried to read,
 	                 * never more than buffer space (size-len) warrants. */
 };
 
@@ -195,6 +197,81 @@ static int bio_read(BIO *bio, char *buf, int size_)
 	return size;
 	}
 
+/* non-copying interface: provide pointer to available data in buffer
+ *    bio_nread0:  return number of available bytes
+ *    bio_nread:   also advance index
+ * (example usage:  bio_nread0(), read from buffer, bio_nread()
+ *  or just         bio_nread(), read from buffer)
+ */
+/* WARNING: The non-copying interface is largely untested as of yet
+ * and may contain bugs. */
+static size_t bio_nread0(BIO *bio, char **buf)
+	{
+	struct bio_bio_st *b, *peer_b;
+	size_t num;
+	
+	BIO_clear_retry_flags(bio);
+
+	if (!bio->init)
+		return 0;
+	
+	b = bio->ptr;
+	assert(b != NULL);
+	assert(b->peer != NULL);
+	peer_b = b->peer->ptr;
+	assert(peer_b != NULL);
+	assert(peer_b->buf != NULL);
+	
+	peer_b->request = 0;
+	
+	if (peer_b->len == 0)
+		{
+		char dummy;
+		
+		/* avoid code duplication -- nothing available for reading */
+		return bio_read(bio, &dummy, 1); /* returns 0 or -1 */
+		}
+
+	num = peer_b->len;
+	if (peer_b->size < peer_b->offset + num)
+		/* no ring buffer wrap-around for non-copying interface */
+		num = peer_b->size - peer_b->offset;
+	assert(num > 0);
+
+	if (buf != NULL)
+		*buf = peer_b->buf + peer_b->offset;
+	return num;
+	}
+
+static size_t bio_nread(BIO *bio, char **buf, size_t num)
+	{
+	struct bio_bio_st *b, *peer_b;
+	size_t available;
+
+	available = bio_nread0(bio, buf);
+	if (num > available)
+		num = available;
+	if (num == 0)
+		return num;
+
+	b = bio->ptr;
+	peer_b = b->peer->ptr;
+
+	peer_b->len -= num;
+	if (peer_b->len) 
+		{
+		peer_b->offset += num;
+		assert(peer_b->offset <= peer_b->size);
+		if (peer_b->offset == peer_b->size)
+			peer_b->offset = 0;
+		}
+	else
+		peer_b->offset = 0;
+
+	return num;
+	}
+
+
 static int bio_write(BIO *bio, char *buf, int num_)
 	{
 	size_t num = num_;
@@ -268,6 +345,78 @@ static int bio_write(BIO *bio, char *buf, int num_)
 	return num;
 	}
 
+/* non-copying interface: provide pointer to region to write to
+ *   bio_nwrite0:  check how much space is available
+ *   bio_nwrite:   also increase length
+ * (example usage:  bio_nwrite0(), write to buffer, bio_nwrite()
+ *  or just         bio_nwrite(), write to buffer)
+ */
+static size_t bio_nwrite0(BIO *bio, char **buf)
+	{
+	struct bio_bio_st *b;
+	size_t num;
+	size_t write_offset;
+
+	BIO_clear_retry_flags(bio);
+
+	if (!bio->init)
+		return 0;
+
+	b = bio->ptr;		
+	assert(b != NULL);
+	assert(b->peer != NULL);
+	assert(b->buf != NULL);
+
+	b->request = 0;
+	if (b->closed)
+		{
+		BIOerr(BIO_F_BIO_NWRITE0, BIO_R_BROKEN_PIPE);
+		return -1;
+		}
+
+	assert(b->len <= b->size);
+
+	if (b->len == b->size)
+		{
+		BIO_set_retry_write(bio);
+		return -1;
+		}
+
+	num = b->size - b->len;
+	write_offset = b->offset + b->len;
+	if (write_offset >= b->size)
+		write_offset -= b->size;
+	if (write_offset + num > b->size)
+		/* no ring buffer wrap-around for non-copying interface
+		 * (to fulfil the promise by BIO_ctrl_get_write_guarantee,
+		 * BIO_nwrite may have to be called twice) */
+		num = b->size - write_offset;
+
+	if (buf != NULL)
+		*buf = b->buf + write_offset;
+	assert(write_offset + num <= b->size);
+
+	return num;
+	}
+
+static size_t bio_nwrite(BIO *bio, char **buf, size_t num)
+	{
+	struct bio_bio_st *b;
+	size_t space;
+
+	space = bio_nwrite0(bio, buf);
+	if (num > space)
+		num = space;
+	if (num == 0)
+		return num;
+	b = bio->ptr;
+	assert(b != NULL);
+	b->len += num;
+	assert(b->len <= b->size);
+
+	return num;
+	}
+
 
 static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
 	{
@@ -331,7 +480,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
 
 	case BIO_C_GET_WRITE_GUARANTEE:
 		/* How many bytes can the caller feed to the next write
-		 * withouth having to keep any? */
+		 * without having to keep any? */
 		if (b->peer == NULL || b->closed)
 			ret = 0;
 		else
@@ -339,18 +488,42 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
 		break;
 
 	case BIO_C_GET_READ_REQUEST:
-		/* If the peer unsuccesfully tried to read, how many bytes
+		/* If the peer unsuccessfully tried to read, how many bytes
 		 * were requested?  (As with BIO_CTRL_PENDING, that number
 		 * can usually be treated as boolean.) */
 		ret = (long) b->request;
 		break;
 
+	case BIO_C_RESET_READ_REQUEST:
+		/* Reset request.  (Can be useful after read attempts
+		 * at the other side that are meant to be non-blocking,
+		 * e.g. when probing SSL_read to see if any data is
+		 * available.) */
+		b->request = 0;
+		ret = 1;
+		break;
+
 	case BIO_C_SHUTDOWN_WR:
 		/* similar to shutdown(..., SHUT_WR) */
 		b->closed = 1;
 		ret = 1;
 		break;
 
+	case BIO_C_NREAD:
+		/* non-copying read */
+		ret = (long) bio_nread(bio, ptr, (size_t) num);
+		break;
+		
+	case BIO_C_NWRITE0:
+		/* prepare for non-copying write */
+		ret = (long) bio_nwrite0(bio, ptr);
+		break;
+
+	case BIO_C_NWRITE:
+		/* non-copying write */
+		ret = (long) bio_nwrite(bio, ptr, (size_t) num);
+		break;
+		
 
 	/* standard CTRL codes follow */
 
@@ -586,3 +759,78 @@ size_t BIO_ctrl_get_read_request(BIO *bio)
 	{
 	return BIO_ctrl(bio, BIO_C_GET_READ_REQUEST, 0, NULL);
 	}
+
+int BIO_ctrl_reset_read_request(BIO *bio)
+	{
+	return (BIO_ctrl(bio, BIO_C_RESET_READ_REQUEST, 0, NULL) != 0);
+	}
+
+
+/* BIO_nread0/nread/nwrite0/nwrite are available only for BIO pairs for now
+ * (conceivably some other BIOs could allow non-copying reads and writes too.)
+ */
+int BIO_nread0(BIO *bio, char **buf)
+	{
+	long ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NREAD0, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = BIO_ctrl(bio, BIO_C_NREAD0, 0, buf);
+	if (ret > INT_MAX)
+		return INT_MAX;
+	else
+		return (int) ret;
+	}
+
+int BIO_nread(BIO *bio, char **buf, int num)
+	{
+	int ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NREAD, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = (int) BIO_ctrl(bio, BIO_C_NREAD, num, buf);
+	if (ret > 0)
+		bio->num_read += ret;
+	return ret;
+	}
+
+int BIO_nwrite0(BIO *bio, char **buf)
+	{
+	long ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NWRITE0, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = BIO_ctrl(bio, BIO_C_NWRITE0, 0, buf);
+	if (ret > INT_MAX)
+		return INT_MAX;
+	else
+		return (int) ret;
+	}
+
+int BIO_nwrite(BIO *bio, char **buf, int num)
+	{
+	int ret;
+
+	if (!bio->init)
+		{
+		BIOerr(BIO_F_BIO_NWRITE, BIO_R_UNINITIALIZED);
+		return -2;
+		}
+
+	ret = BIO_ctrl(bio, BIO_C_NWRITE, num, buf);
+	if (ret > 0)
+		bio->num_read += ret;
+	return ret;
+	}
diff --git a/lib/libcrypto/bio/bss_conn.c b/lib/libcrypto/bio/bss_conn.c
index 68c46e3d699..22d00b369ec 100644
--- a/lib/libcrypto/bio/bss_conn.c
+++ b/lib/libcrypto/bio/bss_conn.c
@@ -90,11 +90,11 @@ typedef struct bio_connect_st
 	struct sockaddr_in them;
 
 	/* int socket; this will be kept in bio->num so that it is
-	 * compatable with the bss_sock bio */ 
+	 * compatible with the bss_sock bio */ 
 
 	/* called when the connection is initially made
 	 *  callback(BIO,state,ret);  The callback should return
-	 * 'ret'.  state is for compatablity with the ssl info_callback */
+	 * 'ret'.  state is for compatibility with the ssl info_callback */
 	int (*info_callback)();
 	} BIO_CONNECT;
 
@@ -104,6 +104,7 @@ static int conn_puts(BIO *h,char *str);
 static long conn_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int conn_new(BIO *h);
 static int conn_free(BIO *data);
+static long conn_callback_ctrl(BIO *h,int cmd,void *(*fp)());
 
 static int conn_state(BIO *b, BIO_CONNECT *c);
 static void conn_close_socket(BIO *data);
@@ -121,6 +122,7 @@ static BIO_METHOD methods_connectp=
 	conn_ctrl,
 	conn_new,
 	conn_free,
+	conn_callback_ctrl,
 	};
 
 static int conn_state(BIO *b, BIO_CONNECT *c)
@@ -494,7 +496,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, char *ptr)
 				*((int *)ptr)=data->port;
 				}
 			if ((!b->init) || (ptr == NULL))
-				*pptr="not initalised";
+				*pptr="not initialized";
 			ret=1;
 			}
 		break;
@@ -564,16 +566,25 @@ static long conn_ctrl(BIO *b, int cmd, long num, char *ptr)
 	case BIO_CTRL_FLUSH:
 		break;
 	case BIO_CTRL_DUP:
+		{
 		dbio=(BIO *)ptr;
 		if (data->param_port)
 			BIO_set_conn_port(dbio,data->param_port);
 		if (data->param_hostname)
 			BIO_set_conn_hostname(dbio,data->param_hostname);
 		BIO_set_nbio(dbio,data->nbio);
-		(void)BIO_set_info_callback(dbio,data->info_callback);
+		(void)BIO_set_info_callback(dbio,(void *(*)())(data->info_callback));
+		}
 		break;
 	case BIO_CTRL_SET_CALLBACK:
-		data->info_callback=(int (*)())ptr;
+		{
+#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
+		BIOerr(BIO_F_CONN_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ret = -1;
+#else
+		ret=0;
+#endif
+		}
 		break;
 	case BIO_CTRL_GET_CALLBACK:
 		{
@@ -590,6 +601,27 @@ static long conn_ctrl(BIO *b, int cmd, long num, char *ptr)
 	return(ret);
 	}
 
+static long conn_callback_ctrl(BIO *b, int cmd, void *(*fp)())
+	{
+	long ret=1;
+	BIO_CONNECT *data;
+
+	data=(BIO_CONNECT *)b->ptr;
+
+	switch (cmd)
+		{
+	case BIO_CTRL_SET_CALLBACK:
+		{
+		data->info_callback=(int (*)())fp;
+		}
+		break;
+	default:
+		ret=0;
+		break;
+		}
+	return(ret);
+	}
+
 static int conn_puts(BIO *bp, char *str)
 	{
 	int n,ret;
diff --git a/lib/libcrypto/bio/bss_file.c b/lib/libcrypto/bio/bss_file.c
index 52c0c39df04..0d44dc38896 100644
--- a/lib/libcrypto/bio/bss_file.c
+++ b/lib/libcrypto/bio/bss_file.c
@@ -91,6 +91,7 @@ static BIO_METHOD methods_filep=
 	file_ctrl,
 	file_new,
 	file_free,
+	NULL,
 	};
 
 BIO *BIO_new_file(const char *filename, const char *mode)
@@ -171,7 +172,7 @@ static int MS_CALLBACK file_write(BIO *b, char *in, int inl)
 		if (fwrite(in,(int)inl,1,(FILE *)b->ptr))
 			ret=inl;
 		/* ret=fwrite(in,1,(int)inl,(FILE *)b->ptr); */
-		/* acording to Tim Hudson <tjh@cryptsoft.com>, the commented
+		/* according to Tim Hudson <tjh@cryptsoft.com>, the commented
 		 * out version above can cause 'inl' write calls under
 		 * some stupid stdio implementations (VMS) */
 		}
diff --git a/lib/libcrypto/bio/bss_log.c b/lib/libcrypto/bio/bss_log.c
index db82e757e7a..4308b196633 100644
--- a/lib/libcrypto/bio/bss_log.c
+++ b/lib/libcrypto/bio/bss_log.c
@@ -72,6 +72,8 @@
 #else
 #include <syslog.h>
 #endif
+#else
+#include <process.h>
 #endif
 
 #include "cryptlib.h"
@@ -98,6 +100,7 @@ static BIO_METHOD methods_slg=
 	slg_ctrl,
 	slg_new,
 	slg_free,
+	NULL,
 	};
 
 BIO_METHOD *BIO_s_log(void)
@@ -131,8 +134,10 @@ static int MS_CALLBACK slg_write(BIO *b, char *in, int inl)
 	char* buf= in;
 	char* pp;
 #if defined(WIN32)
-	LPTSTR lpszStrings[1];
+	LPCSTR lpszStrings[2];
 	WORD evtype= EVENTLOG_ERROR_TYPE;
+	int pid = _getpid();
+	char pidbuf[20];
 #else
 	int priority;
 #endif
@@ -156,10 +161,13 @@ static int MS_CALLBACK slg_write(BIO *b, char *in, int inl)
 		evtype= EVENTLOG_ERROR_TYPE;
 		pp= buf;
 	}
-	lpszStrings[0]= pp;
+
+	sprintf(pidbuf, "[%d] ", pid);
+	lpszStrings[0] = pidbuf;
+	lpszStrings[1] = pp;
 
 	if(b->ptr)
-		ReportEvent(b->ptr, evtype, 0, 1024, NULL, 1, 0,
+		ReportEvent(b->ptr, evtype, 0, 1024, NULL, 2, 0,
 				lpszStrings, NULL);
 #else
 	if(strncmp(buf, "ERR ", 4) == 0){
diff --git a/lib/libcrypto/bio/bss_mem.c b/lib/libcrypto/bio/bss_mem.c
index 7e749a503ef..41eab92415e 100644
--- a/lib/libcrypto/bio/bss_mem.c
+++ b/lib/libcrypto/bio/bss_mem.c
@@ -79,6 +79,7 @@ static BIO_METHOD mem_method=
 	mem_ctrl,
 	mem_new,
 	mem_free,
+	NULL,
 	};
 
 /* bio->num is used to hold the value to return on 'empty', if it is
@@ -89,6 +90,26 @@ BIO_METHOD *BIO_s_mem(void)
 	return(&mem_method);
 	}
 
+BIO *BIO_new_mem_buf(void *buf, int len)
+{
+	BIO *ret;
+	BUF_MEM *b;
+	if (!buf) {
+		BIOerr(BIO_F_BIO_NEW_MEM_BUF,BIO_R_NULL_PARAMETER);
+		return NULL;
+	}
+	if(len == -1) len = strlen(buf);
+	if(!(ret = BIO_new(BIO_s_mem())) ) return NULL;
+	b = (BUF_MEM *)ret->ptr;
+	b->data = buf;
+	b->length = len;
+	b->max = len;
+	ret->flags |= BIO_FLAGS_MEM_RDONLY;
+	/* Since this is static data retrying wont help */
+	ret->num = 0;
+	return ret;
+}
+
 static int mem_new(BIO *bi)
 	{
 	BUF_MEM *b;
@@ -109,7 +130,10 @@ static int mem_free(BIO *a)
 		{
 		if ((a->init) && (a->ptr != NULL))
 			{
-			BUF_MEM_free((BUF_MEM *)a->ptr);
+			BUF_MEM *b;
+			b = (BUF_MEM *)a->ptr;
+			if(a->flags & BIO_FLAGS_MEM_RDONLY) b->data = NULL;
+			BUF_MEM_free(b);
 			a->ptr=NULL;
 			}
 		}
@@ -126,17 +150,18 @@ static int mem_read(BIO *b, char *out, int outl)
 	bm=(BUF_MEM *)b->ptr;
 	BIO_clear_retry_flags(b);
 	ret=(outl > bm->length)?bm->length:outl;
-	if ((out != NULL) && (ret > 0))
-		{
+	if ((out != NULL) && (ret > 0)) {
 		memcpy(out,bm->data,ret);
 		bm->length-=ret;
 		/* memmove(&(bm->data[0]),&(bm->data[ret]), bm->length); */
-		from=(char *)&(bm->data[ret]);
-		to=(char *)&(bm->data[0]);
-		for (i=0; i<bm->length; i++)
-			to[i]=from[i];
+		if(b->flags & BIO_FLAGS_MEM_RDONLY) bm->data += ret;
+		else {
+			from=(char *)&(bm->data[ret]);
+			to=(char *)&(bm->data[0]);
+			for (i=0; i<bm->length; i++)
+				to[i]=from[i];
 		}
-	else if (bm->length == 0)
+	} else if (bm->length == 0)
 		{
 		if (b->num != 0)
 			BIO_set_retry_read(b);
@@ -158,6 +183,11 @@ static int mem_write(BIO *b, char *in, int inl)
 		goto end;
 		}
 
+	if(b->flags & BIO_FLAGS_MEM_RDONLY) {
+		BIOerr(BIO_F_MEM_WRITE,BIO_R_WRITE_TO_READ_ONLY_BIO);
+		goto end;
+	}
+
 	BIO_clear_retry_flags(b);
 	blen=bm->length;
 	if (BUF_MEM_grow(bm,blen+inl) != (blen+inl))
@@ -178,9 +208,15 @@ static long mem_ctrl(BIO *b, int cmd, long num, char *ptr)
 	switch (cmd)
 		{
 	case BIO_CTRL_RESET:
-		if (bm->data != NULL)
-			memset(bm->data,0,bm->max);
-		bm->length=0;
+		if (bm->data != NULL) {
+			/* For read only case reset to the start again */
+			if(b->flags & BIO_FLAGS_MEM_RDONLY) 
+					bm->data -= bm->max - bm->length;
+			else {
+				memset(bm->data,0,bm->max);
+				bm->length=0;
+			}
+		}
 		break;
 	case BIO_CTRL_EOF:
 		ret=(long)(bm->length == 0);
diff --git a/lib/libcrypto/bio/bss_null.c b/lib/libcrypto/bio/bss_null.c
index d04be888e53..aee18e3ada4 100644
--- a/lib/libcrypto/bio/bss_null.c
+++ b/lib/libcrypto/bio/bss_null.c
@@ -79,6 +79,7 @@ static BIO_METHOD null_method=
 	null_ctrl,
 	null_new,
 	null_free,
+	NULL,
 	};
 
 BIO_METHOD *BIO_s_null(void)
diff --git a/lib/libcrypto/bio/bss_rtcp.c b/lib/libcrypto/bio/bss_rtcp.c
index 2ef040057e3..4ad0739464b 100644
--- a/lib/libcrypto/bio/bss_rtcp.c
+++ b/lib/libcrypto/bio/bss_rtcp.c
@@ -107,6 +107,7 @@ static BIO_METHOD rtcp_method=
 	rtcp_ctrl,
 	rtcp_new,
 	rtcp_free,
+	NULL,
 	};
 
 BIO_METHOD *BIO_s_rtcp(void)
diff --git a/lib/libcrypto/bio/bss_sock.c b/lib/libcrypto/bio/bss_sock.c
index d336b99fe81..8ce80ef68d2 100644
--- a/lib/libcrypto/bio/bss_sock.c
+++ b/lib/libcrypto/bio/bss_sock.c
@@ -95,6 +95,7 @@ static BIO_METHOD methods_sockp=
 	sock_ctrl,
 	sock_new,
 	sock_free,
+	NULL,
 	};
 
 BIO_METHOD *BIO_s_socket(void)
@@ -112,6 +113,7 @@ static BIO_METHOD methods_fdp=
 	fd_ctrl,
 	fd_new,
 	fd_free,
+	NULL,
 	};
 
 BIO_METHOD *BIO_s_fd(void)
@@ -163,8 +165,7 @@ static int fd_free(BIO *a)
 		if (a->init)
 			{
 #ifndef BIO_FD
-			shutdown(a->num,2);
-			closesocket(a->num);
+			SHUTDOWN2(a->num);
 #else			/* BIO_FD */
 			close(a->num);
 #endif
diff --git a/lib/libcrypto/bn/Makefile.ssl b/lib/libcrypto/bn/Makefile.ssl
index cf77869fab1..fa23a43fa0c 100644
--- a/lib/libcrypto/bn/Makefile.ssl
+++ b/lib/libcrypto/bn/Makefile.ssl
@@ -20,6 +20,13 @@ BN_ASM=		bn_asm.o
 #BN_ASM=	bn86-elf.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
 ASFLAGS=$(CFLAGS)
 
 GENERAL=Makefile
@@ -27,12 +34,12 @@ TEST=bntest.c exptest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_mul.c \
+LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
 	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
 	bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c bn_recp.c bn_mont.c \
 	bn_mpi.c bn_exp2.c
 
-LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_mul.o \
+LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o \
 	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
 	bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) bn_recp.o bn_mont.o \
 	bn_mpi.o bn_exp2.o
@@ -49,12 +56,14 @@ top:
 
 all:	lib
 
-knuth: bn_knuth.c
-	cc -pg -I.. -I../../include bn_knuth.c -o knuth $(LIB) #../../../libefence.a
+bn_prime.h: bn_prime.pl
+	$(PERL) bn_prime.pl >bn_prime.h
 
-knuth.fast: bn_knuth.c
-	cc -pg -fast -I.. -I../../include bn_knuth.c -o knuth $(LIB) #../../../libefence.a
+divtest: divtest.c ../../libcrypto.a
+	cc -I../../include divtest.c -o divtest ../../libcrypto.a
 
+bnbug: bnbug.c ../../libcrypto.a top
+	cc -g -I../../include bnbug.c -o bnbug ../../libcrypto.a
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
@@ -113,13 +122,6 @@ asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
 	$(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
 		/usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
 
-# MIPS 64 bit assember 
-asm/mips3.o: asm/mips3.s
-
-# MIPS 32 bit assember
-asm/mips1.o: asm/mips1.s
-	/usr/bin/as -O2 -o asm/mips1.o asm/mips1.s
-
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
@@ -168,109 +170,117 @@ bn_add.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_add.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_add.o: ../cryptlib.h bn_lcl.h
+bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_add.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_asm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_asm.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_asm.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_asm.o: ../cryptlib.h bn_lcl.h
+bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_asm.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_blind.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_blind.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_blind.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_blind.o: ../cryptlib.h bn_lcl.h
+bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_blind.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_ctx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_ctx.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_ctx.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_ctx.o: ../../include/openssl/stack.h ../cryptlib.h
 bn_div.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_div.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_div.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_div.o: ../cryptlib.h bn_lcl.h
+bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_div.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_err.o: ../../include/openssl/bn.h ../../include/openssl/err.h
 bn_err.o: ../../include/openssl/opensslconf.h
 bn_exp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_exp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_exp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_exp.o: ../cryptlib.h bn_lcl.h
+bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_exp2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_exp2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_exp2.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_exp2.o: ../cryptlib.h bn_lcl.h
+bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp2.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_gcd.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_gcd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_gcd.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_gcd.o: ../cryptlib.h bn_lcl.h
+bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_gcd.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_lib.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_lib.o: ../cryptlib.h bn_lcl.h
+bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_lib.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mont.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_mont.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_mont.o: ../cryptlib.h bn_lcl.h
+bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mont.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_mpi.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mpi.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_mpi.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_mpi.o: ../cryptlib.h bn_lcl.h
+bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mpi.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_mul.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_mul.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_mul.o: ../cryptlib.h bn_lcl.h
+bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mul.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_prime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_prime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_prime.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-bn_prime.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h bn_prime.h
+bn_prime.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.h
 bn_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_print.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_print.o: ../cryptlib.h bn_lcl.h
+bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_print.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_rand.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_rand.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-bn_rand.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
+bn_rand.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_rand.o: ../cryptlib.h bn_lcl.h
 bn_recp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_recp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_recp.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_recp.o: ../cryptlib.h bn_lcl.h
+bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_recp.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_shift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_shift.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_shift.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_shift.o: ../cryptlib.h bn_lcl.h
+bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_shift.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_sqr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_sqr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_sqr.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_sqr.o: ../cryptlib.h bn_lcl.h
+bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_sqr.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
 bn_word.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_word.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 bn_word.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-bn_word.o: ../cryptlib.h bn_lcl.h
+bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_word.o: ../../include/openssl/stack.h ../cryptlib.h bn_lcl.h
diff --git a/lib/libcrypto/bn/asm/README b/lib/libcrypto/bn/asm/README
index d93fbff77f5..86bf64cfc2f 100644
--- a/lib/libcrypto/bn/asm/README
+++ b/lib/libcrypto/bn/asm/README
@@ -1,5 +1,5 @@
 All assember in this directory are just version of the file
-crypto/bn/bn_mulw.c.
+crypto/bn/bn_asm.c.
 
 Quite a few of these files are just the assember output from gcc since on 
 quite a few machines they are 2 times faster than the system compiler.
@@ -15,13 +15,6 @@ On the 2 alpha C compilers I had access to, it was not possible to do
 were 64 bits).  So the hand assember gives access to the 128 bit result and
 a 2 times speedup :-).
 
-The x86xxxx.obj files are the assembled version of x86xxxx.asm files.
-I had such a hard time finding a macro assember for Microsoft, I decided to
-include the object file to save others the hassle :-).
-
-I have also included uu encoded versions of the .obj incase they get
-trashed.
-
 There are 2 versions of assember for the HP PA-RISC.
 pa-risc.s is the origional one which works fine.
 pa-risc2.s is a new version that often generates warnings but if the
diff --git a/lib/libcrypto/bn/asm/alpha.s b/lib/libcrypto/bn/asm/alpha.s
index a351694ca23..555ff0b92d1 100644
--- a/lib/libcrypto/bn/asm/alpha.s
+++ b/lib/libcrypto/bn/asm/alpha.s
@@ -694,567 +694,1868 @@ bn_mul_comba8:
 bn_mul_comba8..ng:
 	.frame $30,0,$26,0
 	.prologue 0
-
-	subq	$30,	16,	$30
-	ldq	$0,	0($17)
+	ldq	$1,	0($17)
+	ldq	$2,	0($18)
+	zapnot	$1,	15,	$7
+	srl	$2,	32,	$8
+	mulq	$8,	$7,	$22
+	srl	$1,	32,	$6
+	zapnot	$2,	15,	$5
+	mulq	$5,	$6,	$4
+	mulq	$7,	$5,	$24
+	addq	$22,	$4,	$22
+	cmpult	$22,	$4,	$1
+	mulq	$6,	$8,	$3
+	beq	$1,	$173
+	bis	$31,	1,	$1
+	sll	$1,	32,	$1
+	addq	$3,	$1,	$3
+$173:
+	sll	$22,	32,	$4
+	addq	$24,	$4,	$24
+	stq	$24,	0($16)
+	ldq	$2,	0($17)
+	ldq	$1,	8($18)
+	zapnot	$2,	15,	$7
+	srl	$1,	32,	$8
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$2,	32,	$6
+	mulq	$5,	$6,	$23
+	mulq	$6,	$8,	$6
+	srl	$22,	32,	$1
+	cmpult	$24,	$4,	$2
+	addq	$3,	$1,	$3
+	addq	$2,	$3,	$22
+	addq	$25,	$23,	$25
+	cmpult	$25,	$23,	$1
+	bis	$31,	1,	$2
+	beq	$1,	$177
+	sll	$2,	32,	$1
+	addq	$6,	$1,	$6
+$177:
+	sll	$25,	32,	$23
 	ldq	$1,	0($18)
-	stq	$9,	0($30)
-	stq	$10,	8($30)
-	ldq	$2,	8($17)
-	ldq	$3,	8($18)
-	ldq	$4,	16($17)
-	ldq	$5,	16($18)
-	ldq	$6,	24($17)
-	ldq	$7,	24($18)
-	ldq	$8,	8($17)
-	ldq	$22,	8($18)
-	ldq	$23,	8($17)
-	ldq	$24,	8($18)
-	ldq	$25,	8($17)
-	ldq	$27,	8($18)
-	ldq	$28,	8($17)
-	ldq	$21,	8($18)
-	bis	$31,	$31,	$9
-	mulq	$0,	$1,	$20
-	umulh	$0,	$1,	$19
-	stq	$20,	0($16)
-	bis	$31,	$31,	$20
-	mulq	$0,	$3,	$10
-	umulh	$0,	$3,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$10
-	addq	$20,	$10,	$20
-	mulq	$2,	$1,	$18
-	umulh	$2,	$1,	$17
-	addq	$19,	$18,	$19
-	cmpult	$19,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$18
-	addq	$20,	$18,	$20
-	stq	$19,	8($16)
-	bis	$31,	$31,	$19
-	mulq	$0,	$5,	$10
-	umulh	$0,	$5,	$17
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$19,	$10,	$19
-	mulq	$2,	$3,	$18
-	umulh	$2,	$3,	$17
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$18
-	addq	$19,	$18,	$19
-	mulq	$4,	$1,	$10
-	umulh	$4,	$1,	$17
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$19,	$10,	$19
-	stq	$9,	16($16)
-	bis	$31,	$31,	$9
-	mulq	$0,	$7,	$18
-	umulh	$0,	$7,	$17
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$18
-	addq	$9,	$18,	$9
-	mulq	$2,	$5,	$10
-	umulh	$2,	$5,	$17
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$10
-	addq	$9,	$10,	$9
-	mulq	$4,	$3,	$18
-	umulh	$4,	$3,	$17
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$18
-	addq	$9,	$18,	$9
-	mulq	$6,	$1,	$10
-	umulh	$6,	$1,	$17
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$10
-	addq	$9,	$10,	$9
-	stq	$20,	24($16)
-	bis	$31,	$31,	$20
-	mulq	$0,	$22,	$18
-	umulh	$0,	$22,	$17
-	addq	$19,	$18,	$19
-	cmpult	$19,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$18
-	addq	$20,	$18,	$20
-	mulq	$2,	$7,	$10
-	umulh	$2,	$7,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$10
-	addq	$20,	$10,	$20
-	mulq	$4,	$5,	$18
-	umulh	$4,	$5,	$17
-	addq	$19,	$18,	$19
-	cmpult	$19,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$18
-	addq	$20,	$18,	$20
-	mulq	$6,	$3,	$10
-	umulh	$6,	$3,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$10
-	addq	$20,	$10,	$20
-	mulq	$8,	$1,	$18
-	umulh	$8,	$1,	$17
-	addq	$19,	$18,	$19
-	cmpult	$19,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$18
-	addq	$20,	$18,	$20
-	stq	$19,	32($16)
-	bis	$31,	$31,	$19
-	mulq	$0,	$24,	$10
-	umulh	$0,	$24,	$17
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$19,	$10,	$19
-	mulq	$2,	$22,	$18
-	umulh	$2,	$22,	$17
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$18
-	addq	$19,	$18,	$19
-	mulq	$4,	$7,	$10
-	umulh	$4,	$7,	$17
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$19,	$10,	$19
-	mulq	$6,	$5,	$18
-	umulh	$6,	$5,	$17
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$18
-	addq	$19,	$18,	$19
-	mulq	$8,	$3,	$10
-	umulh	$8,	$3,	$17
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$19,	$10,	$19
-	mulq	$23,	$1,	$18
-	umulh	$23,	$1,	$17
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$18
-	addq	$19,	$18,	$19
-	stq	$9,	40($16)
-	bis	$31,	$31,	$9
-	mulq	$0,	$27,	$10
-	umulh	$0,	$27,	$17
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$10
-	addq	$9,	$10,	$9
-	mulq	$2,	$24,	$18
-	umulh	$2,	$24,	$17
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$18
-	addq	$9,	$18,	$9
-	mulq	$4,	$22,	$10
-	umulh	$4,	$22,	$17
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$10
-	addq	$9,	$10,	$9
-	mulq	$6,	$7,	$18
-	umulh	$6,	$7,	$17
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$18
-	addq	$9,	$18,	$9
-	mulq	$8,	$5,	$10
-	umulh	$8,	$5,	$17
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$10
-	addq	$9,	$10,	$9
-	mulq	$23,	$3,	$18
-	umulh	$23,	$3,	$17
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$18
-	addq	$9,	$18,	$9
-	mulq	$25,	$1,	$10
-	umulh	$25,	$1,	$17
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$10
-	addq	$9,	$10,	$9
-	stq	$20,	48($16)
-	bis	$31,	$31,	$20
-	mulq	$0,	$21,	$18
-	umulh	$0,	$21,	$17
-	addq	$19,	$18,	$19
-	cmpult	$19,	$18,	$10
-	addq	$10,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$18
-	addq	$20,	$18,	$20
-	mulq	$2,	$27,	$10
-	umulh	$2,	$27,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$0
-	addq	$20,	$0,	$20
-	mulq	$4,	$24,	$10
-	umulh	$4,	$24,	$18
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$17
-	addq	$17,	$18,	$18
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$0
-	addq	$20,	$0,	$20
-	mulq	$6,	$22,	$10
-	umulh	$6,	$22,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$0
-	addq	$20,	$0,	$20
-	mulq	$8,	$7,	$10
-	umulh	$8,	$7,	$18
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$17
-	addq	$17,	$18,	$18
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$0
-	addq	$20,	$0,	$20
-	mulq	$23,	$5,	$10
-	umulh	$23,	$5,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$0
-	addq	$20,	$0,	$20
-	mulq	$25,	$3,	$10
-	umulh	$25,	$3,	$18
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$17
-	addq	$17,	$18,	$18
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$0
-	addq	$20,	$0,	$20
-	mulq	$28,	$1,	$10
-	umulh	$28,	$1,	$17
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$0
-	addq	$20,	$0,	$20
-	stq	$19,	56($16)
-	bis	$31,	$31,	$19
-	mulq	$2,	$21,	$10
-	umulh	$2,	$21,	$18
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$17
-	addq	$17,	$18,	$18
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$0
-	addq	$19,	$0,	$19
-	mulq	$4,	$27,	$1
-	umulh	$4,	$27,	$10
-	addq	$9,	$1,	$9
-	cmpult	$9,	$1,	$17
-	addq	$17,	$10,	$10
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$18
-	addq	$19,	$18,	$19
-	mulq	$6,	$24,	$0
-	umulh	$6,	$24,	$2
-	addq	$9,	$0,	$9
-	cmpult	$9,	$0,	$1
-	addq	$1,	$2,	$2
-	addq	$20,	$2,	$20
-	cmpult	$20,	$2,	$17
-	addq	$19,	$17,	$19
-	mulq	$8,	$22,	$10
-	umulh	$8,	$22,	$18
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$0
-	addq	$0,	$18,	$18
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$1
-	addq	$19,	$1,	$19
-	mulq	$23,	$7,	$2
-	umulh	$23,	$7,	$17
-	addq	$9,	$2,	$9
-	cmpult	$9,	$2,	$10
-	addq	$10,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$0
-	addq	$19,	$0,	$19
-	mulq	$25,	$5,	$18
-	umulh	$25,	$5,	$1
-	addq	$9,	$18,	$9
-	cmpult	$9,	$18,	$2
-	addq	$2,	$1,	$1
-	addq	$20,	$1,	$20
-	cmpult	$20,	$1,	$10
-	addq	$19,	$10,	$19
-	mulq	$28,	$3,	$17
-	umulh	$28,	$3,	$0
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$18
-	addq	$18,	$0,	$0
-	addq	$20,	$0,	$20
-	cmpult	$20,	$0,	$2
-	addq	$19,	$2,	$19
-	stq	$9,	64($16)
-	bis	$31,	$31,	$9
-	mulq	$4,	$21,	$1
-	umulh	$4,	$21,	$10
-	addq	$20,	$1,	$20
-	cmpult	$20,	$1,	$17
-	addq	$17,	$10,	$10
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$18
-	addq	$9,	$18,	$9
-	mulq	$6,	$27,	$0
-	umulh	$6,	$27,	$2
-	addq	$20,	$0,	$20
-	cmpult	$20,	$0,	$3
-	addq	$3,	$2,	$2
-	addq	$19,	$2,	$19
-	cmpult	$19,	$2,	$1
-	addq	$9,	$1,	$9
-	mulq	$8,	$24,	$17
-	umulh	$8,	$24,	$10
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$18
-	addq	$18,	$10,	$10
-	addq	$19,	$10,	$19
-	cmpult	$19,	$10,	$4
-	addq	$9,	$4,	$9
-	mulq	$23,	$22,	$0
-	umulh	$23,	$22,	$3
-	addq	$20,	$0,	$20
-	cmpult	$20,	$0,	$2
-	addq	$2,	$3,	$3
-	addq	$19,	$3,	$19
-	cmpult	$19,	$3,	$1
-	addq	$9,	$1,	$9
-	mulq	$25,	$7,	$17
-	umulh	$25,	$7,	$18
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$10,	$18,	$18
-	addq	$19,	$18,	$19
-	cmpult	$19,	$18,	$4
-	addq	$9,	$4,	$9
-	mulq	$28,	$5,	$0
-	umulh	$28,	$5,	$2
-	addq	$20,	$0,	$20
-	cmpult	$20,	$0,	$3
-	addq	$3,	$2,	$2
-	addq	$19,	$2,	$19
-	cmpult	$19,	$2,	$1
-	addq	$9,	$1,	$9
-	stq	$20,	72($16)
-	bis	$31,	$31,	$20
-	mulq	$6,	$21,	$17
-	umulh	$6,	$21,	$10
-	addq	$19,	$17,	$19
-	cmpult	$19,	$17,	$18
-	addq	$18,	$10,	$10
-	addq	$9,	$10,	$9
-	cmpult	$9,	$10,	$4
-	addq	$20,	$4,	$20
-	mulq	$8,	$27,	$0
-	umulh	$8,	$27,	$3
-	addq	$19,	$0,	$19
-	cmpult	$19,	$0,	$2
-	addq	$2,	$3,	$3
-	addq	$9,	$3,	$9
-	cmpult	$9,	$3,	$1
-	addq	$20,	$1,	$20
-	mulq	$23,	$24,	$5
-	umulh	$23,	$24,	$17
-	addq	$19,	$5,	$19
-	cmpult	$19,	$5,	$18
-	addq	$18,	$17,	$17
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$10
-	addq	$20,	$10,	$20
-	mulq	$25,	$22,	$4
-	umulh	$25,	$22,	$6
-	addq	$19,	$4,	$19
-	cmpult	$19,	$4,	$0
-	addq	$0,	$6,	$6
-	addq	$9,	$6,	$9
-	cmpult	$9,	$6,	$2
-	addq	$20,	$2,	$20
-	mulq	$28,	$7,	$3
-	umulh	$28,	$7,	$1
-	addq	$19,	$3,	$19
-	cmpult	$19,	$3,	$5
-	addq	$5,	$1,	$1
-	addq	$9,	$1,	$9
-	cmpult	$9,	$1,	$18
-	addq	$20,	$18,	$20
-	stq	$19,	80($16)
-	bis	$31,	$31,	$19
-	mulq	$8,	$21,	$17
-	umulh	$8,	$21,	$10
-	addq	$9,	$17,	$9
-	cmpult	$9,	$17,	$4
-	addq	$4,	$10,	$10
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$0
-	addq	$19,	$0,	$19
-	mulq	$23,	$27,	$6
-	umulh	$23,	$27,	$2
-	addq	$9,	$6,	$9
-	cmpult	$9,	$6,	$3
-	addq	$3,	$2,	$2
+	addq	$0,	$23,	$0
+	bis	$0,	$0,	$7
+	ldq	$3,	8($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$4
+	zapnot	$3,	15,	$7
+	mulq	$8,	$7,	$28
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$25,	32,	$1
+	cmpult	$0,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$4,	$6,	$24
+	srl	$3,	32,	$6
+	mulq	$5,	$6,	$2
+	mulq	$6,	$8,	$6
+	addq	$28,	$2,	$28
+	cmpult	$28,	$2,	$1
+	bis	$31,	1,	$2
+	beq	$1,	$181
+	sll	$2,	32,	$1
+	addq	$6,	$1,	$6
+$181:
+	sll	$28,	32,	$2
+	addq	$21,	$2,	$21
+	bis	$21,	$21,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	8($16)
+	ldq	$3,	16($17)
+	ldq	$1,	0($18)
+	cmpult	$22,	$7,	$4
+	zapnot	$3,	15,	$7
+	srl	$1,	32,	$8
+	mulq	$8,	$7,	$22
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$20
+	srl	$28,	32,	$1
+	cmpult	$21,	$2,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$4,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$3,	32,	$6
+	mulq	$5,	$6,	$2
+	mulq	$6,	$8,	$6
+	addq	$22,	$2,	$22
+	cmpult	$22,	$2,	$1
+	bis	$31,	1,	$2
+	beq	$1,	$185
+	sll	$2,	32,	$1
+	addq	$6,	$1,	$6
+$185:
+	sll	$22,	32,	$2
+	ldq	$1,	8($18)
 	addq	$20,	$2,	$20
-	cmpult	$20,	$2,	$5
-	addq	$19,	$5,	$19
-	mulq	$25,	$24,	$1
-	umulh	$25,	$24,	$18
-	addq	$9,	$1,	$9
-	cmpult	$9,	$1,	$7
-	addq	$7,	$18,	$18
-	addq	$20,	$18,	$20
-	cmpult	$20,	$18,	$17
-	addq	$19,	$17,	$19
-	mulq	$28,	$22,	$4
-	umulh	$28,	$22,	$10
-	addq	$9,	$4,	$9
-	cmpult	$9,	$4,	$0
-	addq	$0,	$10,	$10
-	addq	$20,	$10,	$20
-	cmpult	$20,	$10,	$8
-	addq	$19,	$8,	$19
-	stq	$9,	88($16)
-	bis	$31,	$31,	$9
-	mulq	$23,	$21,	$6
-	umulh	$23,	$21,	$3
-	addq	$20,	$6,	$20
-	cmpult	$20,	$6,	$2
-	addq	$2,	$3,	$3
-	addq	$19,	$3,	$19
-	cmpult	$19,	$3,	$5
-	addq	$9,	$5,	$9
-	mulq	$25,	$27,	$1
-	umulh	$25,	$27,	$7
-	addq	$20,	$1,	$20
-	cmpult	$20,	$1,	$18
-	addq	$18,	$7,	$7
-	addq	$19,	$7,	$19
-	cmpult	$19,	$7,	$17
-	addq	$9,	$17,	$9
-	mulq	$28,	$24,	$4
-	umulh	$28,	$24,	$0
-	addq	$20,	$4,	$20
-	cmpult	$20,	$4,	$10
-	addq	$10,	$0,	$0
-	addq	$19,	$0,	$19
-	cmpult	$19,	$0,	$8
-	addq	$9,	$8,	$9
-	stq	$20,	96($16)
-	bis	$31,	$31,	$20
-	mulq	$25,	$21,	$22
-	umulh	$25,	$21,	$6
-	addq	$19,	$22,	$19
-	cmpult	$19,	$22,	$2
+	bis	$20,	$20,	$7
+	ldq	$4,	8($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$22,	32,	$1
+	cmpult	$20,	$2,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$189
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$189:
+	sll	$25,	32,	$5
+	ldq	$2,	16($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	0($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$193
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$193:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	16($16)
+	ldq	$4,	0($17)
+	ldq	$5,	24($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$0,	$24,	$0
+	cmpult	$0,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$197
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$197:
+	sll	$0,	32,	$24
+	ldq	$1,	16($18)
+	addq	$2,	$24,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	8($17)
+	addq	$23,	$7,	$23
+	srl	$1,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$24,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$201
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$201:
+	sll	$25,	32,	$5
+	ldq	$2,	8($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	16($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$205
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$205:
+	sll	$28,	32,	$25
+	ldq	$2,	0($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$209
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$209:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	24($16)
+	ldq	$4,	32($17)
+	ldq	$5,	0($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$28,	$23,	$28
+	cmpult	$28,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$213
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$213:
+	sll	$28,	32,	$23
+	ldq	$1,	8($18)
+	addq	$2,	$23,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	24($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$23,	$2
+	addq	$6,	$1,	$6
 	addq	$2,	$6,	$6
-	addq	$9,	$6,	$9
-	cmpult	$9,	$6,	$3
-	addq	$20,	$3,	$20
-	mulq	$28,	$27,	$5
-	umulh	$28,	$27,	$23
-	addq	$19,	$5,	$19
-	cmpult	$19,	$5,	$1
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$217
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$217:
+	sll	$25,	32,	$5
+	ldq	$2,	16($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	16($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
 	addq	$1,	$23,	$23
-	addq	$9,	$23,	$9
-	cmpult	$9,	$23,	$18
-	addq	$20,	$18,	$20
-	stq	$19,	104($16)
-	bis	$31,	$31,	$19
-	mulq	$28,	$21,	$7
-	umulh	$28,	$21,	$17
-	addq	$9,	$7,	$9
-	cmpult	$9,	$7,	$4
-	addq	$4,	$17,	$17
-	addq	$20,	$17,	$20
-	cmpult	$20,	$17,	$10
-	addq	$19,	$10,	$19
-	stq	$9,	112($16)
-	stq	$20,	120($16)
-	ldq	$9,	0($30)
-	ldq	$10,	8($30)
-	addq	$30,	16,	$30
-	ret	$31,($26),1
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$221
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$221:
+	sll	$28,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	8($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$225
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$225:
+	sll	$0,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	0($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$229
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$229:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	32($16)
+	ldq	$4,	0($17)
+	ldq	$5,	40($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$0,	$22,	$0
+	cmpult	$0,	$22,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$233
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$233:
+	sll	$0,	32,	$22
+	ldq	$1,	32($18)
+	addq	$2,	$22,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	8($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$22,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$237
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$237:
+	sll	$25,	32,	$5
+	ldq	$2,	24($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	16($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$241
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$241:
+	sll	$28,	32,	$25
+	ldq	$2,	16($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$245
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$245:
+	sll	$0,	32,	$25
+	ldq	$2,	8($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$249
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$249:
+	sll	$28,	32,	$25
+	ldq	$2,	0($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$253
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$253:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	40($16)
+	ldq	$4,	48($17)
+	ldq	$5,	0($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$28,	$24,	$28
+	cmpult	$28,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$257
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$257:
+	sll	$28,	32,	$24
+	ldq	$1,	8($18)
+	addq	$2,	$24,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	40($17)
+	addq	$23,	$7,	$23
+	srl	$1,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$24,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$261
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$261:
+	sll	$25,	32,	$5
+	ldq	$2,	16($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	32($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$265
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$265:
+	sll	$28,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$269
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$269:
+	sll	$0,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	16($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$273
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$273:
+	sll	$28,	32,	$25
+	ldq	$2,	40($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	8($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$277
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$277:
+	sll	$0,	32,	$25
+	ldq	$2,	48($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	0($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$281
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$281:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	48($16)
+	ldq	$4,	0($17)
+	ldq	$5,	56($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$23,	$0
+	cmpult	$0,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$285
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$285:
+	sll	$0,	32,	$23
+	ldq	$1,	48($18)
+	addq	$2,	$23,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	8($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$289
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$289:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	16($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$293
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$293:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$297
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$297:
+	sll	$0,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$301
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$301:
+	sll	$28,	32,	$25
+	ldq	$2,	16($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$305
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$305:
+	sll	$0,	32,	$25
+	ldq	$2,	8($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	48($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$309
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$309:
+	sll	$28,	32,	$25
+	ldq	$2,	0($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$313
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$313:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	56($16)
+	ldq	$4,	56($17)
+	ldq	$5,	8($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$22,	$28
+	cmpult	$28,	$22,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$317
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$317:
+	sll	$28,	32,	$22
+	ldq	$1,	16($18)
+	addq	$2,	$22,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	48($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$22,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$321
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$321:
+	sll	$25,	32,	$5
+	ldq	$2,	24($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	40($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$325
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$325:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$329
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$329:
+	sll	$0,	32,	$25
+	ldq	$2,	40($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$333
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$333:
+	sll	$28,	32,	$25
+	ldq	$2,	48($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	16($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$337
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$337:
+	sll	$0,	32,	$25
+	ldq	$2,	56($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	8($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$341
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$341:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	64($16)
+	ldq	$4,	16($17)
+	ldq	$5,	56($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$0,	$24,	$0
+	cmpult	$0,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$345
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$345:
+	sll	$0,	32,	$24
+	ldq	$1,	48($18)
+	addq	$2,	$24,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	24($17)
+	addq	$23,	$7,	$23
+	srl	$1,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$24,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$349
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$349:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	32($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$353
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$353:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$357
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$357:
+	sll	$0,	32,	$25
+	ldq	$2,	24($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	48($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$361
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$361:
+	sll	$28,	32,	$25
+	ldq	$2,	16($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$365
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$365:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	72($16)
+	ldq	$4,	56($17)
+	ldq	$5,	24($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$28,	$23,	$28
+	cmpult	$28,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$369
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$369:
+	sll	$28,	32,	$23
+	ldq	$1,	32($18)
+	addq	$2,	$23,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	48($17)
+	addq	$22,	$7,	$22
+	srl	$1,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$23,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$21
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$373
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$373:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$0,	$5,	$0
+	bis	$0,	$0,	$7
+	ldq	$4,	40($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$0,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$377
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$377:
+	sll	$28,	32,	$25
+	ldq	$2,	48($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	32($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$23,	$23
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$381
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$381:
+	sll	$0,	32,	$25
+	ldq	$2,	56($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	24($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$385
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$385:
+	sll	$28,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	80($16)
+	ldq	$4,	32($17)
+	ldq	$5,	56($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$0,	$22,	$0
+	cmpult	$0,	$22,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$389
+	sll	$21,	32,	$1
+	addq	$6,	$1,	$6
+$389:
+	sll	$0,	32,	$22
+	ldq	$1,	48($18)
+	addq	$2,	$22,	$2
+	bis	$2,	$2,	$7
+	ldq	$4,	40($17)
+	addq	$24,	$7,	$24
+	srl	$1,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$25
+	zapnot	$1,	15,	$5
+	mulq	$7,	$5,	$21
+	srl	$0,	32,	$1
+	cmpult	$2,	$22,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$22
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$5
+	bis	$31,	1,	$20
+	addq	$25,	$5,	$25
+	cmpult	$25,	$5,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$393
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$393:
+	sll	$25,	32,	$5
+	ldq	$2,	40($18)
+	addq	$21,	$5,	$21
+	bis	$21,	$21,	$7
+	ldq	$4,	48($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$25,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$21,	$5,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$397
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$397:
+	sll	$28,	32,	$25
+	ldq	$2,	32($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$24,	$7,	$24
+	srl	$2,	32,	$8
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$21
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$22,	$22
+	addq	$21,	$25,	$21
+	cmpult	$21,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$401
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$401:
+	sll	$21,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	stq	$24,	88($16)
+	ldq	$4,	56($17)
+	ldq	$5,	40($18)
+	cmpult	$24,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$0
+	srl	$21,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$23,	$6,	$23
+	cmpult	$23,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$24
+	mulq	$7,	$5,	$5
+	addq	$1,	$22,	$22
+	addq	$0,	$24,	$0
+	cmpult	$0,	$24,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$405
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$405:
+	sll	$0,	32,	$24
+	ldq	$2,	48($18)
+	addq	$5,	$24,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	48($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$24,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$24
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$5
+	addq	$28,	$25,	$28
+	cmpult	$28,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$409
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$409:
+	sll	$28,	32,	$25
+	ldq	$2,	56($18)
+	addq	$5,	$25,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	40($17)
+	addq	$23,	$7,	$23
+	srl	$2,	32,	$8
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$25,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$1,	$24,	$24
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$413
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$413:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$23,	$7,	$23
+	stq	$23,	96($16)
+	ldq	$4,	48($17)
+	ldq	$5,	56($18)
+	cmpult	$23,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$22,	$6,	$22
+	cmpult	$22,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$23
+	mulq	$7,	$5,	$5
+	addq	$1,	$24,	$24
+	addq	$28,	$23,	$28
+	cmpult	$28,	$23,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$417
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$417:
+	sll	$28,	32,	$23
+	ldq	$2,	48($18)
+	addq	$5,	$23,	$5
+	bis	$5,	$5,	$7
+	ldq	$4,	56($17)
+	addq	$22,	$7,	$22
+	srl	$2,	32,	$8
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	mulq	$8,	$7,	$0
+	srl	$28,	32,	$1
+	addq	$6,	$1,	$6
+	cmpult	$5,	$23,	$1
+	zapnot	$2,	15,	$5
+	addq	$1,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$23
+	srl	$4,	32,	$6
+	mulq	$5,	$6,	$25
+	mulq	$7,	$5,	$2
+	addq	$0,	$25,	$0
+	cmpult	$0,	$25,	$1
+	mulq	$6,	$8,	$6
+	beq	$1,	$421
+	sll	$20,	32,	$1
+	addq	$6,	$1,	$6
+$421:
+	sll	$0,	32,	$25
+	addq	$2,	$25,	$2
+	bis	$2,	$2,	$7
+	addq	$22,	$7,	$22
+	stq	$22,	104($16)
+	ldq	$4,	56($17)
+	ldq	$5,	56($18)
+	cmpult	$22,	$7,	$3
+	zapnot	$4,	15,	$7
+	srl	$5,	32,	$8
+	mulq	$8,	$7,	$28
+	srl	$0,	32,	$1
+	cmpult	$2,	$25,	$2
+	addq	$6,	$1,	$6
+	addq	$2,	$6,	$6
+	addq	$3,	$6,	$6
+	addq	$24,	$6,	$24
+	cmpult	$24,	$6,	$1
+	srl	$4,	32,	$6
+	zapnot	$5,	15,	$5
+	mulq	$5,	$6,	$22
+	mulq	$7,	$5,	$2
+	addq	$1,	$23,	$23
+	addq	$28,	$22,	$28
+	cmpult	$28,	$22,	$1
+	mulq	$6,	$8,	$3
+	beq	$1,	$425
+	sll	$20,	32,	$1
+	addq	$3,	$1,	$3
+$425:
+	sll	$28,	32,	$22
+	srl	$28,	32,	$1
+	addq	$2,	$22,	$2
+	addq	$3,	$1,	$3
+	bis	$2,	$2,	$7
+	addq	$24,	$7,	$24
+	cmpult	$7,	$22,	$1
+	cmpult	$24,	$7,	$2
+	addq	$1,	$3,	$6
+	addq	$2,	$6,	$6
+	stq	$24,	112($16)
+	addq	$23,	$6,	$23
+	stq	$23,	120($16)
+	ret	$31,	($26),	1
 	.end bn_mul_comba8
 	.text
 	.align 3
diff --git a/lib/libcrypto/bn/asm/mips3.s b/lib/libcrypto/bn/asm/mips3.s
index 191345d9207..2df4dcd4b0b 100644
--- a/lib/libcrypto/bn/asm/mips3.s
+++ b/lib/libcrypto/bn/asm/mips3.s
@@ -395,32 +395,32 @@ LEAF(bn_add_words)
 
 .L_bn_add_words_loop:
 	ld	ta0,0(a2)
+	subu	a3,4
 	ld	t1,8(a1)
-	ld	ta1,8(a2)
+	and	AT,a3,MINUS4
 	ld	t2,16(a1)
-	ld	ta2,16(a2)
+	PTR_ADD	a2,32
 	ld	t3,24(a1)
-	ld	ta3,24(a2)
+	PTR_ADD	a0,32
+	ld	ta1,-24(a2)
+	PTR_ADD	a1,32
+	ld	ta2,-16(a2)
+	ld	ta3,-8(a2)
 	daddu	ta0,t0
-	subu	a3,4
 	sltu	t8,ta0,t0
 	daddu	t0,ta0,v0
-	PTR_ADD	a0,32
 	sltu	v0,t0,ta0
 	sd	t0,-32(a0)
 	daddu	v0,t8
 
 	daddu	ta1,t1
-	PTR_ADD	a1,32
 	sltu	t9,ta1,t1
 	daddu	t1,ta1,v0
-	PTR_ADD	a2,32
 	sltu	v0,t1,ta1
 	sd	t1,-24(a0)
 	daddu	v0,t9
 
 	daddu	ta2,t2
-	and	AT,a3,MINUS4
 	sltu	t8,ta2,t2
 	daddu	t2,ta2,v0
 	sltu	v0,t2,ta2
@@ -495,25 +495,26 @@ LEAF(bn_sub_words)
 
 .L_bn_sub_words_loop:
 	ld	ta0,0(a2)
+	subu	a3,4
 	ld	t1,8(a1)
-	ld	ta1,8(a2)
+	and	AT,a3,MINUS4
 	ld	t2,16(a1)
-	ld	ta2,16(a2)
+	PTR_ADD	a2,32
 	ld	t3,24(a1)
-	ld	ta3,24(a2)
+	PTR_ADD	a0,32
+	ld	ta1,-24(a2)
+	PTR_ADD	a1,32
+	ld	ta2,-16(a2)
+	ld	ta3,-8(a2)
 	sltu	t8,t0,ta0
 	dsubu	t0,ta0
-	subu	a3,4
 	dsubu	ta0,t0,v0
-	and	AT,a3,MINUS4
-	sd	ta0,0(a0)
+	sd	ta0,-32(a0)
 	MOVNZ	(t0,v0,t8)
 
 	sltu	t9,t1,ta1
 	dsubu	t1,ta1
-	PTR_ADD	a0,32
 	dsubu	ta1,t1,v0
-	PTR_ADD	a1,32
 	sd	ta1,-24(a0)
 	MOVNZ	(t1,v0,t9)
 
@@ -521,7 +522,6 @@ LEAF(bn_sub_words)
 	sltu	t8,t2,ta2
 	dsubu	t2,ta2
 	dsubu	ta2,t2,v0
-	PTR_ADD	a2,32
 	sd	ta2,-16(a0)
 	MOVNZ	(t2,v0,t8)
 
@@ -574,6 +574,51 @@ END(bn_sub_words)
 
 #undef	MINUS4
 
+.align 5
+LEAF(bn_div_3_words)
+	.set	reorder
+	move	a3,a0		/* we know that bn_div_words doesn't
+				 * touch a3, ta2, ta3 and preserves a2
+				 * so that we can save two arguments
+				 * and return address in registers
+				 * instead of stack:-)
+				 */
+	ld	a0,(a3)
+	move	ta2,a1
+	ld	a1,-8(a3)
+	move	ta3,ra
+	move	v1,zero
+	li	v0,-1
+	beq	a0,a2,.L_bn_div_3_words_skip_div
+	bal	bn_div_words
+	move	ra,ta3
+.L_bn_div_3_words_skip_div:
+	dmultu	ta2,v0
+	ld	t2,-16(a3)
+	move	ta0,zero
+	mfhi	t1
+	mflo	t0
+	sltu	t8,t1,v1
+.L_bn_div_3_words_inner_loop:
+	bnez	t8,.L_bn_div_3_words_inner_loop_done
+	sgeu	AT,t2,t0
+	seq	t9,t1,v1
+	and	AT,t9
+	sltu	t3,t0,ta2
+	daddu	v1,a2
+	dsubu	t1,t3
+	dsubu	t0,ta2
+	sltu	t8,t1,v1
+	sltu	ta0,v1,a2
+	or	t8,ta0
+	.set	noreorder
+	beqzl	AT,.L_bn_div_3_words_inner_loop
+	dsubu	v0,1
+	.set	reorder
+.L_bn_div_3_words_inner_loop_done:
+	jr	ra
+END(bn_div_3_words)
+
 .align	5
 LEAF(bn_div_words)
 	.set	noreorder
@@ -633,16 +678,16 @@ LEAF(bn_div_words)
 	seq	t8,HH,t1
 	sltu	AT,HH,t1
 	and	t2,t8
+	sltu	v0,t0,a2
 	or	AT,t2
 	.set	noreorder
 	beqz	AT,.L_bn_div_words_inner_loop1_done
-	sltu	t2,t0,a2
-	.set	reorder
-	dsubu	QT,1
+	dsubu	t1,v0
 	dsubu	t0,a2
-	dsubu	t1,t2
 	b	.L_bn_div_words_inner_loop1
-.L_bn_div_words_inner_loop1_done:	
+	dsubu	QT,1
+	.set	reorder
+.L_bn_div_words_inner_loop1_done:
 
 	dsll	a1,32
 	dsubu	a0,t3,t0
@@ -655,6 +700,7 @@ LEAF(bn_div_words)
 	ddivu	zero,a0,DH
 	mflo	QT
 .L_bn_div_words_skip_div2:
+#undef	DH
 	dmultu	a2,QT
 	dsll	t3,a0,32
 	dsrl	AT,a1,32
@@ -666,69 +712,26 @@ LEAF(bn_div_words)
 	seq	t8,HH,t1
 	sltu	AT,HH,t1
 	and	t2,t8
+	sltu	v1,t0,a2
 	or	AT,t2
 	.set	noreorder
 	beqz	AT,.L_bn_div_words_inner_loop2_done
-	sltu	t2,t0,a2
-	.set	reorder
-	dsubu	QT,1
+	dsubu	t1,v1
 	dsubu	t0,a2
-	dsubu	t1,t2
 	b	.L_bn_div_words_inner_loop2
+	dsubu	QT,1
+	.set	reorder
 .L_bn_div_words_inner_loop2_done:	
+#undef	HH
 
 	dsubu	a0,t3,t0
 	or	v0,QT
 	dsrl	v1,a0,t9	/* v1 contains remainder if anybody wants it */
 	dsrl	a2,t9		/* restore a2 */
 	jr	ra
-#undef	HH
-#undef	DH
 #undef	QT
 END(bn_div_words)
 
-.align 5
-LEAF(bn_div_3_words)
-	.set	reorder
-	move	a3,a0		/* we know that bn_div_words doesn't
-				 * touch a3, ta2, ta3 and preserves a2
-				 * so that we can save two arguments
-				 * and return address in registers
-				 * instead of stack:-)
-				 */
-	ld	a0,(a3)
-	move	ta2,a2
-	move	a2,a1
-	ld	a1,-8(a3)
-	move	ta3,ra
-	move	v1,zero
-	li	v0,-1
-	beq	a0,a2,.L_bn_div_3_words_skip_div
-	jal	bn_div_words
-	move	ra,ta3
-.L_bn_div_3_words_skip_div:
-	dmultu	ta2,v0
-	ld	t2,-16(a3)
-	mflo	t0
-	mfhi	t1
-.L_bn_div_3_words_inner_loop:
-	sgeu	AT,t2,t0
-	seq	t9,t1,v1
-	sltu	t8,t1,v1
-	and	AT,t9
-	or	AT,t8
-	bnez	AT,.L_bn_div_3_words_inner_loop_done
-	daddu	v1,a2
-	sltu	t3,t0,ta2
-	sltu	AT,v1,a2
-	dsubu	v0,1
-	dsubu	t0,ta2
-	dsubu	t1,t3
-	beqz	AT,.L_bn_div_3_words_inner_loop
-.L_bn_div_3_words_inner_loop_done:
-	jr	ra
-END(bn_div_3_words)
-
 #define	a_0	t0
 #define	a_1	t1
 #define	a_2	t2
diff --git a/lib/libcrypto/bn/bn.h b/lib/libcrypto/bn/bn.h
index f935e1ca79d..d8822610dfa 100644
--- a/lib/libcrypto/bn/bn.h
+++ b/lib/libcrypto/bn/bn.h
@@ -83,12 +83,12 @@ extern "C" {
  * The reason for this flag is that when the particular C compiler
  * library routine is used, and the library is linked with a different
  * compiler, the library is missing.  This mostly happens when the
- * library is built with gcc and then linked using nornal cc.  This would
- * be a common occurance because gcc normally produces code that is
+ * library is built with gcc and then linked using normal cc.  This would
+ * be a common occurrence because gcc normally produces code that is
  * 2 times faster than system compilers for the big number stuff.
  * For machines with only one compiler (or shared libraries), this should
  * be on.  Again this in only really a problem on machines
- * using "long long's", are 32bit, and are not using my assember code. */
+ * using "long long's", are 32bit, and are not using my assembler code. */
 #if defined(MSDOS) || defined(WINDOWS) || defined(linux)
 #define BN_DIV2W
 #endif
@@ -118,8 +118,8 @@ extern "C" {
 
 /* This is where the long long data type is 64 bits, but long is 32.
  * For machines where there are 64bit registers, this is the mode to use.
- * IRIX, on R4000 and above should use this mode, along with the relevent
- * assember code :-).  Do NOT define BN_LLONG.
+ * IRIX, on R4000 and above should use this mode, along with the relevant
+ * assembler code :-).  Do NOT define BN_LLONG.
  */
 #ifdef SIXTY_FOUR_BIT
 #undef BN_LLONG
@@ -240,11 +240,15 @@ typedef struct bignum_st
 
 /* Used for temp variables */
 #define BN_CTX_NUM	12
+#define BN_CTX_NUM_POS	12
 typedef struct bignum_ctx
 	{
 	int tos;
-	BIGNUM bn[BN_CTX_NUM+1];
+	BIGNUM bn[BN_CTX_NUM];
 	int flags;
+	int depth;
+	int pos[BN_CTX_NUM_POS];
+	int too_many;
 	} BN_CTX;
 
 typedef struct bn_blinding_st
@@ -257,16 +261,15 @@ typedef struct bn_blinding_st
 
 /* Used for montgomery multiplication */
 typedef struct bn_mont_ctx_st
-        {
-	int use_word;	/* 0 for word form, 1 for long form */
-        int ri;         /* number of bits in R */
-        BIGNUM RR;     /* used to convert to montgomery form */
-        BIGNUM N;      /* The modulus */
-        BIGNUM Ni;     /* The inverse of N */
-	BN_ULONG n0;	/* word form of inverse, normally only one of
-			 * Ni or n0 is defined */
+	{
+	int ri;        /* number of bits in R */
+	BIGNUM RR;     /* used to convert to montgomery form */
+	BIGNUM N;      /* The modulus */
+	BIGNUM Ni;     /* R*(1/R mod N) - N*Ni = 1
+	                * (Ni is only stored for bignum algorithm) */
+	BN_ULONG n0;   /* least significant word of Ni */
 	int flags;
-        } BN_MONT_CTX;
+	} BN_MONT_CTX;
 
 /* Used for reciprocal division/mod functions
  * It cannot be shared between threads
@@ -283,7 +286,26 @@ typedef struct bn_recp_ctx_st
 #define BN_to_montgomery(r,a,mont,ctx)	BN_mod_mul_montgomery(\
 	r,a,&((mont)->RR),(mont),ctx)
 
-#define BN_prime_checks		(5)
+#define BN_prime_checks 0 /* default: select number of iterations
+			     based on the size of the number */
+
+/* number of Miller-Rabin iterations for an error rate  of less than 2^-80
+ * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook
+ * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error estimates
+ * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+#define BN_prime_checks_for_size(b) ((b) >= 1300 ?  2 : \
+                                (b) >=  850 ?  3 : \
+                                (b) >=  650 ?  4 : \
+                                (b) >=  550 ?  5 : \
+                                (b) >=  450 ?  6 : \
+                                (b) >=  400 ?  7 : \
+                                (b) >=  350 ?  8 : \
+                                (b) >=  300 ?  9 : \
+                                (b) >=  250 ? 12 : \
+                                (b) >=  200 ? 15 : \
+                                (b) >=  150 ? 18 : \
+                                /* b >= 100 */ 27)
 
 #define BN_num_bytes(a)	((BN_num_bits(a)+7)/8)
 #define BN_is_word(a,w)	(((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
@@ -296,26 +318,16 @@ typedef struct bn_recp_ctx_st
 /*#define BN_ascii2bn(a)	BN_hex2bn(a) */
 /*#define BN_bn2ascii(a)	BN_bn2hex(a) */
 
-#define bn_expand(n,b) ((((((b+BN_BITS2-1))/BN_BITS2)) <= (n)->max)?\
-	(n):bn_expand2((n),(b)/BN_BITS2+1))
-#define bn_wexpand(n,b) (((b) <= (n)->max)?(n):bn_expand2((n),(b)))
-
-#define bn_fix_top(a) \
-        { \
-        BN_ULONG *ftl; \
-	if ((a)->top > 0) \
-		{ \
-		for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
-		if (*(ftl--)) break; \
-		} \
-	}
-
 BIGNUM *BN_value_one(void);
 char *	BN_options(void);
 BN_CTX *BN_CTX_new(void);
 void	BN_CTX_init(BN_CTX *c);
 void	BN_CTX_free(BN_CTX *c);
+void	BN_CTX_start(BN_CTX *ctx);
+BIGNUM *BN_CTX_get(BN_CTX *ctx);
+void	BN_CTX_end(BN_CTX *ctx);
 int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int	BN_num_bits(const BIGNUM *a);
 int	BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
@@ -329,13 +341,13 @@ int	BN_bn2mpi(const BIGNUM *a, unsigned char *to);
 int	BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int	BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int	BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-int	BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+int	BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int	BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
 int	BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 	       BN_CTX *ctx);
-int	BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b,BN_CTX *ctx);
+int	BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
 int	BN_sqr(BIGNUM *r, BIGNUM *a,BN_CTX *ctx);
-BN_ULONG BN_mod_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
 BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
 int	BN_mul_word(BIGNUM *a, BN_ULONG w);
 int	BN_add_word(BIGNUM *a, BN_ULONG w);
@@ -358,19 +370,18 @@ int	BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p,
 	BIGNUM *m,BN_CTX *ctx);
 int	BN_mask_bits(BIGNUM *a,int n);
 int	BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
-#ifndef WIN16
-int	BN_print_fp(FILE *fp, BIGNUM *a);
+#ifndef NO_FP_API
+int	BN_print_fp(FILE *fp, const BIGNUM *a);
 #endif
 #ifdef HEADER_BIO_H
 int	BN_print(BIO *fp, const BIGNUM *a);
 #else
-int	BN_print(char *fp, const BIGNUM *a);
+int	BN_print(void *fp, const BIGNUM *a);
 #endif
 int	BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx);
 int	BN_rshift(BIGNUM *r, BIGNUM *a, int n);
 int	BN_rshift1(BIGNUM *r, BIGNUM *a);
 void	BN_clear(BIGNUM *a);
-BIGNUM *bn_expand2(BIGNUM *b, int bits);
 BIGNUM *BN_dup(const BIGNUM *a);
 int	BN_ucmp(const BIGNUM *a, const BIGNUM *b);
 int	BN_set_bit(BIGNUM *a, int n);
@@ -381,19 +392,16 @@ int 	BN_hex2bn(BIGNUM **a, const char *str);
 int 	BN_dec2bn(BIGNUM **a, const char *str);
 int	BN_gcd(BIGNUM *r,BIGNUM *in_a,BIGNUM *in_b,BN_CTX *ctx);
 BIGNUM *BN_mod_inverse(BIGNUM *ret,BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
-BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int strong,BIGNUM *add,
+BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add,
 		BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg);
-int	BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *),
+int	BN_is_prime(const BIGNUM *p,int nchecks,
+		void (*callback)(int,int,void *),
 		BN_CTX *ctx,void *cb_arg);
+int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
+		void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
+		int do_trial_division);
 void	ERR_load_BN_strings(void );
 
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
-void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
-BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
-BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
-
 BN_MONT_CTX *BN_MONT_CTX_new(void );
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
 int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
@@ -423,6 +431,39 @@ int	BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 int	BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
 		BN_RECP_CTX *recp, BN_CTX *ctx);
 
+/* library internal functions */
+
+#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->max)?\
+	(a):bn_expand2((a),(bits)/BN_BITS2+1))
+#define bn_wexpand(a,words) (((words) <= (a)->max)?(a):bn_expand2((a),(words)))
+BIGNUM *bn_expand2(BIGNUM *a, int words);
+
+#define bn_fix_top(a) \
+        { \
+        BN_ULONG *ftl; \
+	if ((a)->top > 0) \
+		{ \
+		for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
+		if (*(ftl--)) break; \
+		} \
+	}
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+
+#ifdef BN_DEBUG
+  void bn_dump1(FILE *o, const char *a, BN_ULONG *b,int n);
+# define bn_print(a) {fprintf(stderr, #a "="); BN_print_fp(stderr,a); \
+   fprintf(stderr,"\n");}
+# define bn_dump(a,n) bn_dump1(stderr,#a,a,n);
+#else
+# define bn_print(a)
+# define bn_dump(a,b)
+#endif
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -438,6 +479,7 @@ int	BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
 #define BN_F_BN_BLINDING_UPDATE				 103
 #define BN_F_BN_BN2DEC					 104
 #define BN_F_BN_BN2HEX					 105
+#define BN_F_BN_CTX_GET					 116
 #define BN_F_BN_CTX_NEW					 106
 #define BN_F_BN_DIV					 107
 #define BN_F_BN_EXPAND2					 108
@@ -459,6 +501,7 @@ int	BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
 #define BN_R_INVALID_LENGTH				 106
 #define BN_R_NOT_INITIALIZED				 107
 #define BN_R_NO_INVERSE					 108
+#define BN_R_TOO_MANY_TEMPORARY_VARIABLES		 109
 
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/bn/bn_add.c b/lib/libcrypto/bn/bn_add.c
index c5ab066c9e4..5d246912330 100644
--- a/lib/libcrypto/bn/bn_add.c
+++ b/lib/libcrypto/bn/bn_add.c
@@ -61,9 +61,9 @@
 #include "bn_lcl.h"
 
 /* r can == a or b */
-int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b)
+int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	{
-	BIGNUM *tmp;
+	const BIGNUM *tmp;
 
 	bn_check_top(a);
 	bn_check_top(b);
diff --git a/lib/libcrypto/bn/bn_asm.c b/lib/libcrypto/bn/bn_asm.c
index 4d3da16a0c9..3329cc18e6c 100644
--- a/lib/libcrypto/bn/bn_asm.c
+++ b/lib/libcrypto/bn/bn_asm.c
@@ -56,31 +56,38 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef BN_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
 #include <stdio.h>
+#include <assert.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-#ifdef BN_LLONG 
+#if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
 
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 	{
 	BN_ULONG c1=0;
 
-	bn_check_num(num);
+	assert(num >= 0);
 	if (num <= 0) return(c1);
 
-	for (;;)
+	while (num&~3)
 		{
 		mul_add(rp[0],ap[0],w,c1);
-		if (--num == 0) break;
 		mul_add(rp[1],ap[1],w,c1);
-		if (--num == 0) break;
 		mul_add(rp[2],ap[2],w,c1);
-		if (--num == 0) break;
 		mul_add(rp[3],ap[3],w,c1);
-		if (--num == 0) break;
-		ap+=4;
-		rp+=4;
+		ap+=4; rp+=4; num-=4;
+		}
+	if (num)
+		{
+		mul_add(rp[0],ap[0],w,c1); if (--num==0) return c1;
+		mul_add(rp[1],ap[1],w,c1); if (--num==0) return c1;
+		mul_add(rp[2],ap[2],w,c1); return c1;
 		}
 	
 	return(c1);
@@ -90,63 +97,54 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 	{
 	BN_ULONG c1=0;
 
-	bn_check_num(num);
+	assert(num >= 0);
 	if (num <= 0) return(c1);
 
-	/* for (;;) */
-	while (1) /* circumvent egcs-1.1.2 bug */
+	while (num&~3)
 		{
 		mul(rp[0],ap[0],w,c1);
-		if (--num == 0) break;
 		mul(rp[1],ap[1],w,c1);
-		if (--num == 0) break;
 		mul(rp[2],ap[2],w,c1);
-		if (--num == 0) break;
 		mul(rp[3],ap[3],w,c1);
-		if (--num == 0) break;
-		ap+=4;
-		rp+=4;
+		ap+=4; rp+=4; num-=4;
+		}
+	if (num)
+		{
+		mul(rp[0],ap[0],w,c1); if (--num == 0) return c1;
+		mul(rp[1],ap[1],w,c1); if (--num == 0) return c1;
+		mul(rp[2],ap[2],w,c1);
 		}
 	return(c1);
 	} 
 
 void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
         {
-	bn_check_num(n);
+	assert(n >= 0);
 	if (n <= 0) return;
-	for (;;)
+	while (n&~3)
 		{
-		BN_ULLONG t;
-
-		t=(BN_ULLONG)(a[0])*(a[0]);
-		r[0]=Lw(t); r[1]=Hw(t);
-		if (--n == 0) break;
-
-		t=(BN_ULLONG)(a[1])*(a[1]);
-		r[2]=Lw(t); r[3]=Hw(t);
-		if (--n == 0) break;
-
-		t=(BN_ULLONG)(a[2])*(a[2]);
-		r[4]=Lw(t); r[5]=Hw(t);
-		if (--n == 0) break;
-
-		t=(BN_ULLONG)(a[3])*(a[3]);
-		r[6]=Lw(t); r[7]=Hw(t);
-		if (--n == 0) break;
-
-		a+=4;
-		r+=8;
+		sqr(r[0],r[1],a[0]);
+		sqr(r[2],r[3],a[1]);
+		sqr(r[4],r[5],a[2]);
+		sqr(r[6],r[7],a[3]);
+		a+=4; r+=8; n-=4;
+		}
+	if (n)
+		{
+		sqr(r[0],r[1],a[0]); if (--n == 0) return;
+		sqr(r[2],r[3],a[1]); if (--n == 0) return;
+		sqr(r[4],r[5],a[2]);
 		}
 	}
 
-#else
+#else /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */
 
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 	{
 	BN_ULONG c=0;
 	BN_ULONG bl,bh;
 
-	bn_check_num(num);
+	assert(num >= 0);
 	if (num <= 0) return((BN_ULONG)0);
 
 	bl=LBITS(w);
@@ -173,7 +171,7 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 	BN_ULONG carry=0;
 	BN_ULONG bl,bh;
 
-	bn_check_num(num);
+	assert(num >= 0);
 	if (num <= 0) return((BN_ULONG)0);
 
 	bl=LBITS(w);
@@ -197,7 +195,7 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 
 void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
         {
-	bn_check_num(n);
+	assert(n >= 0);
 	if (n <= 0) return;
 	for (;;)
 		{
@@ -218,7 +216,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
 		}
 	}
 
-#endif
+#endif /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */
 
 #if defined(BN_LLONG) && defined(BN_DIV2W)
 
@@ -300,14 +298,14 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 	ret|=q;
 	return(ret);
 	}
-#endif
+#endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */
 
 #ifdef BN_LLONG
 BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         {
 	BN_ULLONG ll=0;
 
-	bn_check_num(n);
+	assert(n >= 0);
 	if (n <= 0) return((BN_ULONG)0);
 
 	for (;;)
@@ -338,12 +336,12 @@ BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 		}
 	return((BN_ULONG)ll);
 	}
-#else
+#else /* !BN_LLONG */
 BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         {
 	BN_ULONG c,l,t;
 
-	bn_check_num(n);
+	assert(n >= 0);
 	if (n <= 0) return((BN_ULONG)0);
 
 	c=0;
@@ -387,14 +385,14 @@ BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 		}
 	return((BN_ULONG)c);
 	}
-#endif
+#endif /* !BN_LLONG */
 
 BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         {
 	BN_ULONG t1,t2;
 	int c=0;
 
-	bn_check_num(n);
+	assert(n >= 0);
 	if (n <= 0) return((BN_ULONG)0);
 
 	for (;;)
@@ -433,6 +431,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 #undef bn_sqr_comba8
 #undef bn_sqr_comba4
 
+/* mul_add_c(a,b,c0,c1,c2)  -- c+=a*b for three word number c=(c2,c1,c0) */
+/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
+/* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
+/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
+
 #ifdef BN_LLONG
 #define mul_add_c(a,b,c0,c1,c2) \
 	t=(BN_ULLONG)a*b; \
@@ -460,7 +463,39 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 
 #define sqr_add_c2(a,i,j,c0,c1,c2) \
 	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
-#else
+
+#elif defined(BN_UMULT_HIGH)
+
+#define mul_add_c(a,b,c0,c1,c2)	{	\
+	BN_ULONG ta=(a),tb=(b);		\
+	t1 = ta * tb;			\
+	t2 = BN_UMULT_HIGH(ta,tb);	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define mul_add_c2(a,b,c0,c1,c2) {	\
+	BN_ULONG ta=(a),tb=(b),t0;	\
+	t1 = BN_UMULT_HIGH(ta,tb);	\
+	t0 = ta * tb;			\
+	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
+	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define sqr_add_c(a,i,c0,c1,c2)	{	\
+	BN_ULONG ta=(a)[i];		\
+	t1 = ta * ta;			\
+	t2 = BN_UMULT_HIGH(ta,ta);	\
+	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c1 += t2; c2 += (c1<t2)?1:0;	\
+	}
+
+#define sqr_add_c2(a,i,j,c0,c1,c2)	\
+	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+
+#else /* !BN_LLONG */
 #define mul_add_c(a,b,c0,c1,c2) \
 	t1=LBITS(a); t2=HBITS(a); \
 	bl=LBITS(b); bh=HBITS(b); \
@@ -487,7 +522,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 
 #define sqr_add_c2(a,i,j,c0,c1,c2) \
 	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
-#endif
+#endif /* !BN_LLONG */
 
 void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 	{
@@ -762,7 +797,7 @@ void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
 	r[6]=c1;
 	r[7]=c2;
 	}
-#else
+#else /* !BN_MUL_COMBA */
 
 /* hmm... is it faster just to do a multiply? */
 #undef bn_sqr_comba4
@@ -799,4 +834,4 @@ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 	r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
 	}
 
-#endif /* BN_COMBA */
+#endif /* !BN_MUL_COMBA */
diff --git a/lib/libcrypto/bn/bn_comba.c b/lib/libcrypto/bn/bn_comba.c
index 7ad09b4a6df..e69de29bb2d 100644
--- a/lib/libcrypto/bn/bn_comba.c
+++ b/lib/libcrypto/bn/bn_comba.c
@@ -1,345 +0,0 @@
-/* crypto/bn/bn_comba.c */
-#include <stdio.h>
-#include "bn_lcl.h"
-/* Auto generated from crypto/bn/comba.pl
- */
-
-#undef bn_mul_comba8
-#undef bn_mul_comba4
-#undef bn_sqr_comba8
-#undef bn_sqr_comba4
-
-#ifdef BN_LLONG
-#define mul_add_c(a,b,c0,c1,c2) \
-	t=(BN_ULLONG)a*b; \
-	t1=(BN_ULONG)Lw(t); \
-	t2=(BN_ULONG)Hw(t); \
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define mul_add_c2(a,b,c0,c1,c2) \
-	t=(BN_ULLONG)a*b; \
-	tt=(t+t)&BN_MASK; \
-	if (tt < t) c2++; \
-	t1=(BN_ULONG)Lw(tt); \
-	t2=(BN_ULONG)Hw(tt); \
-	c0=(c0+t1)&BN_MASK2;  \
-	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c(a,i,c0,c1,c2) \
-	t=(BN_ULLONG)a[i]*a[i]; \
-	t1=(BN_ULONG)Lw(t); \
-	t2=(BN_ULONG)Hw(t); \
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c2(a,i,j,c0,c1,c2) \
-	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
-#else
-#define mul_add_c(a,b,c0,c1,c2) \
-	t1=LBITS(a); t2=HBITS(a); \
-	bl=LBITS(b); bh=HBITS(b); \
-	mul64(t1,t2,bl,bh); \
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define mul_add_c2(a,b,c0,c1,c2) \
-	t1=LBITS(a); t2=HBITS(a); \
-	bl=LBITS(b); bh=HBITS(b); \
-	mul64(t1,t2,bl,bh); \
-	if (t2 & BN_TBIT) c2++; \
-	t2=(t2+t2)&BN_MASK2; \
-	if (t1 & BN_TBIT) t2++; \
-	t1=(t1+t1)&BN_MASK2; \
-	c0=(c0+t1)&BN_MASK2;  \
-	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c(a,i,c0,c1,c2) \
-	sqr64(t1,t2,(a)[i]); \
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c2(a,i,j,c0,c1,c2) \
-	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
-#endif
-
-void bn_mul_comba88(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
-void bn_mul_comba44(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
-void bn_sqr_comba88(BN_ULONG *r,BN_ULONG *a);
-void bn_sqr_comba44(BN_ULONG *r,BN_ULONG *a);
-
-void bn_mul_comba88(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-	c1=0;
-	c2=0;
-	c3=0;
-	mul_add_c(a[0],b[0],c1,c2,c3);
-	r[0]=c1;
-	c1=0;
-	mul_add_c(a[0],b[1],c2,c3,c1);
-	mul_add_c(a[1],b[0],c2,c3,c1);
-	r[1]=c2;
-	c2=0;
-	mul_add_c(a[2],b[0],c3,c1,c2);
-	mul_add_c(a[1],b[1],c3,c1,c2);
-	mul_add_c(a[0],b[2],c3,c1,c2);
-	r[2]=c3;
-	c3=0;
-	mul_add_c(a[0],b[3],c1,c2,c3);
-	mul_add_c(a[1],b[2],c1,c2,c3);
-	mul_add_c(a[2],b[1],c1,c2,c3);
-	mul_add_c(a[3],b[0],c1,c2,c3);
-	r[3]=c1;
-	c1=0;
-	mul_add_c(a[4],b[0],c2,c3,c1);
-	mul_add_c(a[3],b[1],c2,c3,c1);
-	mul_add_c(a[2],b[2],c2,c3,c1);
-	mul_add_c(a[1],b[3],c2,c3,c1);
-	mul_add_c(a[0],b[4],c2,c3,c1);
-	r[4]=c2;
-	c2=0;
-	mul_add_c(a[0],b[5],c3,c1,c2);
-	mul_add_c(a[1],b[4],c3,c1,c2);
-	mul_add_c(a[2],b[3],c3,c1,c2);
-	mul_add_c(a[3],b[2],c3,c1,c2);
-	mul_add_c(a[4],b[1],c3,c1,c2);
-	mul_add_c(a[5],b[0],c3,c1,c2);
-	r[5]=c3;
-	c3=0;
-	mul_add_c(a[6],b[0],c1,c2,c3);
-	mul_add_c(a[5],b[1],c1,c2,c3);
-	mul_add_c(a[4],b[2],c1,c2,c3);
-	mul_add_c(a[3],b[3],c1,c2,c3);
-	mul_add_c(a[2],b[4],c1,c2,c3);
-	mul_add_c(a[1],b[5],c1,c2,c3);
-	mul_add_c(a[0],b[6],c1,c2,c3);
-	r[6]=c1;
-	c1=0;
-	mul_add_c(a[0],b[7],c2,c3,c1);
-	mul_add_c(a[1],b[6],c2,c3,c1);
-	mul_add_c(a[2],b[5],c2,c3,c1);
-	mul_add_c(a[3],b[4],c2,c3,c1);
-	mul_add_c(a[4],b[3],c2,c3,c1);
-	mul_add_c(a[5],b[2],c2,c3,c1);
-	mul_add_c(a[6],b[1],c2,c3,c1);
-	mul_add_c(a[7],b[0],c2,c3,c1);
-	r[7]=c2;
-	c2=0;
-	mul_add_c(a[7],b[1],c3,c1,c2);
-	mul_add_c(a[6],b[2],c3,c1,c2);
-	mul_add_c(a[5],b[3],c3,c1,c2);
-	mul_add_c(a[4],b[4],c3,c1,c2);
-	mul_add_c(a[3],b[5],c3,c1,c2);
-	mul_add_c(a[2],b[6],c3,c1,c2);
-	mul_add_c(a[1],b[7],c3,c1,c2);
-	r[8]=c3;
-	c3=0;
-	mul_add_c(a[2],b[7],c1,c2,c3);
-	mul_add_c(a[3],b[6],c1,c2,c3);
-	mul_add_c(a[4],b[5],c1,c2,c3);
-	mul_add_c(a[5],b[4],c1,c2,c3);
-	mul_add_c(a[6],b[3],c1,c2,c3);
-	mul_add_c(a[7],b[2],c1,c2,c3);
-	r[9]=c1;
-	c1=0;
-	mul_add_c(a[7],b[3],c2,c3,c1);
-	mul_add_c(a[6],b[4],c2,c3,c1);
-	mul_add_c(a[5],b[5],c2,c3,c1);
-	mul_add_c(a[4],b[6],c2,c3,c1);
-	mul_add_c(a[3],b[7],c2,c3,c1);
-	r[10]=c2;
-	c2=0;
-	mul_add_c(a[4],b[7],c3,c1,c2);
-	mul_add_c(a[5],b[6],c3,c1,c2);
-	mul_add_c(a[6],b[5],c3,c1,c2);
-	mul_add_c(a[7],b[4],c3,c1,c2);
-	r[11]=c3;
-	c3=0;
-	mul_add_c(a[7],b[5],c1,c2,c3);
-	mul_add_c(a[6],b[6],c1,c2,c3);
-	mul_add_c(a[5],b[7],c1,c2,c3);
-	r[12]=c1;
-	c1=0;
-	mul_add_c(a[6],b[7],c2,c3,c1);
-	mul_add_c(a[7],b[6],c2,c3,c1);
-	r[13]=c2;
-	c2=0;
-	mul_add_c(a[7],b[7],c3,c1,c2);
-	r[14]=c3;
-	r[15]=c1;
-	}
-
-void bn_mul_comba44(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-	c1=0;
-	c2=0;
-	c3=0;
-	mul_add_c(a[0],b[0],c1,c2,c3);
-	r[0]=c1;
-	c1=0;
-	mul_add_c(a[0],b[1],c2,c3,c1);
-	mul_add_c(a[1],b[0],c2,c3,c1);
-	r[1]=c2;
-	c2=0;
-	mul_add_c(a[2],b[0],c3,c1,c2);
-	mul_add_c(a[1],b[1],c3,c1,c2);
-	mul_add_c(a[0],b[2],c3,c1,c2);
-	r[2]=c3;
-	c3=0;
-	mul_add_c(a[0],b[3],c1,c2,c3);
-	mul_add_c(a[1],b[2],c1,c2,c3);
-	mul_add_c(a[2],b[1],c1,c2,c3);
-	mul_add_c(a[3],b[0],c1,c2,c3);
-	r[3]=c1;
-	c1=0;
-	mul_add_c(a[3],b[1],c2,c3,c1);
-	mul_add_c(a[2],b[2],c2,c3,c1);
-	mul_add_c(a[1],b[3],c2,c3,c1);
-	r[4]=c2;
-	c2=0;
-	mul_add_c(a[2],b[3],c3,c1,c2);
-	mul_add_c(a[3],b[2],c3,c1,c2);
-	r[5]=c3;
-	c3=0;
-	mul_add_c(a[3],b[3],c1,c2,c3);
-	r[6]=c1;
-	r[7]=c2;
-	}
-
-void bn_sqr_comba88(BN_ULONG *r, BN_ULONG *a)
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t,tt;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-	c1=0;
-	c2=0;
-	c3=0;
-	sqr_add_c(a,0,c1,c2,c3);
-	r[0]=c1;
-	c1=0;
-	sqr_add_c2(a,1,0,c2,c3,c1);
-	r[1]=c2;
-	c2=0;
-	sqr_add_c(a,1,c3,c1,c2);
-	sqr_add_c2(a,2,0,c3,c1,c2);
-	r[2]=c3;
-	c3=0;
-	sqr_add_c2(a,3,0,c1,c2,c3);
-	sqr_add_c2(a,2,1,c1,c2,c3);
-	r[3]=c1;
-	c1=0;
-	sqr_add_c(a,2,c2,c3,c1);
-	sqr_add_c2(a,3,1,c2,c3,c1);
-	sqr_add_c2(a,4,0,c2,c3,c1);
-	r[4]=c2;
-	c2=0;
-	sqr_add_c2(a,5,0,c3,c1,c2);
-	sqr_add_c2(a,4,1,c3,c1,c2);
-	sqr_add_c2(a,3,2,c3,c1,c2);
-	r[5]=c3;
-	c3=0;
-	sqr_add_c(a,3,c1,c2,c3);
-	sqr_add_c2(a,4,2,c1,c2,c3);
-	sqr_add_c2(a,5,1,c1,c2,c3);
-	sqr_add_c2(a,6,0,c1,c2,c3);
-	r[6]=c1;
-	c1=0;
-	sqr_add_c2(a,7,0,c2,c3,c1);
-	sqr_add_c2(a,6,1,c2,c3,c1);
-	sqr_add_c2(a,5,2,c2,c3,c1);
-	sqr_add_c2(a,4,3,c2,c3,c1);
-	r[7]=c2;
-	c2=0;
-	sqr_add_c(a,4,c3,c1,c2);
-	sqr_add_c2(a,5,3,c3,c1,c2);
-	sqr_add_c2(a,6,2,c3,c1,c2);
-	sqr_add_c2(a,7,1,c3,c1,c2);
-	r[8]=c3;
-	c3=0;
-	sqr_add_c2(a,7,2,c1,c2,c3);
-	sqr_add_c2(a,6,3,c1,c2,c3);
-	sqr_add_c2(a,5,4,c1,c2,c3);
-	r[9]=c1;
-	c1=0;
-	sqr_add_c(a,5,c2,c3,c1);
-	sqr_add_c2(a,6,4,c2,c3,c1);
-	sqr_add_c2(a,7,3,c2,c3,c1);
-	r[10]=c2;
-	c2=0;
-	sqr_add_c2(a,7,4,c3,c1,c2);
-	sqr_add_c2(a,6,5,c3,c1,c2);
-	r[11]=c3;
-	c3=0;
-	sqr_add_c(a,6,c1,c2,c3);
-	sqr_add_c2(a,7,5,c1,c2,c3);
-	r[12]=c1;
-	c1=0;
-	sqr_add_c2(a,7,6,c2,c3,c1);
-	r[13]=c2;
-	c2=0;
-	sqr_add_c(a,7,c3,c1,c2);
-	r[14]=c3;
-	r[15]=c1;
-	}
-
-void bn_sqr_comba44(BN_ULONG *r, BN_ULONG *a)
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t,tt;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-	c1=0;
-	c2=0;
-	c3=0;
-	sqr_add_c(a,0,c1,c2,c3);
-	r[0]=c1;
-	c1=0;
-	sqr_add_c2(a,1,0,c2,c3,c1);
-	r[1]=c2;
-	c2=0;
-	sqr_add_c(a,1,c3,c1,c2);
-	sqr_add_c2(a,2,0,c3,c1,c2);
-	r[2]=c3;
-	c3=0;
-	sqr_add_c2(a,3,0,c1,c2,c3);
-	sqr_add_c2(a,2,1,c1,c2,c3);
-	r[3]=c1;
-	c1=0;
-	sqr_add_c(a,2,c2,c3,c1);
-	sqr_add_c2(a,3,1,c2,c3,c1);
-	r[4]=c2;
-	c2=0;
-	sqr_add_c2(a,3,2,c3,c1,c2);
-	r[5]=c3;
-	c3=0;
-	sqr_add_c(a,3,c1,c2,c3);
-	r[6]=c1;
-	r[7]=c2;
-	}
diff --git a/lib/libcrypto/bn/bn_div.c b/lib/libcrypto/bn/bn_div.c
index 150dd289a58..07af1d3b449 100644
--- a/lib/libcrypto/bn/bn_div.c
+++ b/lib/libcrypto/bn/bn_div.c
@@ -63,9 +63,11 @@
 
 /* The old slow way */
 #if 0
-int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx)
+int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+	   BN_CTX *ctx)
 	{
 	int i,nm,nd;
+	int ret = 0;
 	BIGNUM *D;
 
 	bn_check_top(m);
@@ -84,14 +86,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx)
 		return(1);
 		}
 
-	D= &(ctx->bn[ctx->tos]);
-	if (dv == NULL) dv= &(ctx->bn[ctx->tos+1]);
-	if (rem == NULL) rem= &(ctx->bn[ctx->tos+2]);
+	BN_CTX_start(ctx);
+	D = BN_CTX_get(ctx);
+	if (dv == NULL) dv = BN_CTX_get(ctx);
+	if (rem == NULL) rem = BN_CTX_get(ctx);
+	if (D == NULL || dv == NULL || rem == NULL)
+		goto end;
 
 	nd=BN_num_bits(d);
 	nm=BN_num_bits(m);
-	if (BN_copy(D,d) == NULL) return(0);
-	if (BN_copy(rem,m) == NULL) return(0);
+	if (BN_copy(D,d) == NULL) goto end;
+	if (BN_copy(rem,m) == NULL) goto end;
 
 	/* The next 2 are needed so we can do a dv->d[0]|=1 later
 	 * since BN_lshift1 will only work once there is a value :-) */
@@ -99,25 +104,54 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx)
 	bn_wexpand(dv,1);
 	dv->top=1;
 
-	if (!BN_lshift(D,D,nm-nd)) return(0);
+	if (!BN_lshift(D,D,nm-nd)) goto end;
 	for (i=nm-nd; i>=0; i--)
 		{
-		if (!BN_lshift1(dv,dv)) return(0);
+		if (!BN_lshift1(dv,dv)) goto end;
 		if (BN_ucmp(rem,D) >= 0)
 			{
 			dv->d[0]|=1;
-			if (!BN_usub(rem,rem,D)) return(0);
+			if (!BN_usub(rem,rem,D)) goto end;
 			}
 /* CAN IMPROVE (and have now :=) */
-		if (!BN_rshift1(D,D)) return(0);
+		if (!BN_rshift1(D,D)) goto end;
 		}
 	rem->neg=BN_is_zero(rem)?0:m->neg;
 	dv->neg=m->neg^d->neg;
-	return(1);
+	ret = 1;
+ end:
+	BN_CTX_end(ctx);
+	return(ret);
 	}
 
 #else
 
+#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC) && !defined(BN_DIV3W)
+# if defined(__GNUC__) && __GNUC__>=2
+#  if defined(__i386)
+   /*
+    * There were two reasons for implementing this template:
+    * - GNU C generates a call to a function (__udivdi3 to be exact)
+    *   in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
+    *   understand why...);
+    * - divl doesn't only calculate quotient, but also leaves
+    *   remainder in %edx which we can definitely use here:-)
+    *
+    *					<appro@fy.chalmers.se>
+    */
+#  define bn_div_words(n0,n1,d0)		\
+	({  asm volatile (			\
+		"divl	%4"			\
+		: "=a"(q), "=d"(rem)		\
+		: "a"(n1), "d"(n0), "g"(d0)	\
+		: "cc");			\
+	    q;					\
+	})
+#  define REMAINDER_IS_ALREADY_CALCULATED
+#  endif /* __<cpu> */
+# endif /* __GNUC__ */
+#endif /* NO_ASM */
+
 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	   BN_CTX *ctx)
 	{
@@ -144,13 +178,15 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		return(1);
 		}
 
-	tmp= &(ctx->bn[ctx->tos]);
+	BN_CTX_start(ctx);
+	tmp=BN_CTX_get(ctx);
 	tmp->neg=0;
-	snum= &(ctx->bn[ctx->tos+1]);
-	sdiv= &(ctx->bn[ctx->tos+2]);
+	snum=BN_CTX_get(ctx);
+	sdiv=BN_CTX_get(ctx);
 	if (dv == NULL)
-		res= &(ctx->bn[ctx->tos+3]);
+		res=BN_CTX_get(ctx);
 	else	res=dv;
+	if (res == NULL) goto err;
 
 	/* First we normalise the numbers */
 	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
@@ -202,97 +238,76 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		{
 		BN_ULONG q,l0;
 #ifdef BN_DIV3W
-		q=bn_div_3_words(wnump,d0,d1);
+		q=bn_div_3_words(wnump,d1,d0);
 #else
-
-#if !defined(NO_ASM) && !defined(PEDANTIC)
-# if defined(__GNUC__) && __GNUC__>=2
-#  if defined(__i386)
-   /*
-    * There were two reasons for implementing this template:
-    * - GNU C generates a call to a function (__udivdi3 to be exact)
-    *   in reply to ((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0 (I fail to
-    *   understand why...);
-    * - divl doesn't only calculate quotient, but also leaves
-    *   remainder in %edx which we can definitely use here:-)
-    *
-    *					<appro@fy.chalmers.se>
-    */
-#  define bn_div_words(n0,n1,d0)		\
-	({  asm volatile (			\
-		"divl	%4"			\
-		: "=a"(q), "=d"(rem)		\
-		: "a"(n1), "d"(n0), "g"(d0)	\
-		: "cc");			\
-	    q;					\
-	})
-#  define REMINDER_IS_ALREADY_CALCULATED
-#  endif /* __<cpu> */
-# endif /* __GNUC__ */
-#endif /* NO_ASM */
 		BN_ULONG n0,n1,rem=0;
 
 		n0=wnump[0];
 		n1=wnump[-1];
 		if (n0 == d0)
 			q=BN_MASK2;
-		else
+		else 			/* n0 < d0 */
+			{
+#ifdef BN_LLONG
+			BN_ULLONG t2;
+
 #if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
-			q=((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0;
+			q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
 #else
 			q=bn_div_words(n0,n1,d0);
 #endif
-		{
-#ifdef BN_LLONG
-		BN_ULLONG t2;
-
-#ifndef REMINDER_IS_ALREADY_CALCULATED
-		/*
-		 * rem doesn't have to be BN_ULLONG. The least we
-		 * know it's less that d0, isn't it?
-		 */
-		rem=(n1-q*d0)&BN_MASK2;
+
+#ifndef REMAINDER_IS_ALREADY_CALCULATED
+			/*
+			 * rem doesn't have to be BN_ULLONG. The least we
+			 * know it's less that d0, isn't it?
+			 */
+			rem=(n1-q*d0)&BN_MASK2;
 #endif
-		t2=(BN_ULLONG)d1*q;
+			t2=(BN_ULLONG)d1*q;
+
+			for (;;)
+				{
+				if (t2 <= ((((BN_ULLONG)rem)<<BN_BITS2)|wnump[-2]))
+					break;
+				q--;
+				rem += d0;
+				if (rem < d0) break; /* don't let rem overflow */
+				t2 -= d1;
+				}
+#else /* !BN_LLONG */
+			BN_ULONG t2l,t2h,ql,qh;
 
-		for (;;)
-			{
-                        if (t2 <= ((((BN_ULLONG)rem)<<BN_BITS2)|wnump[-2]))
-				break;
-			q--;
-			rem += d0;
-			if (rem < d0) break; /* don't let rem overflow */
-			t2 -= d1;
-			}
+			q=bn_div_words(n0,n1,d0);
+#ifndef REMAINDER_IS_ALREADY_CALCULATED
+			rem=(n1-q*d0)&BN_MASK2;
+#endif
+
+#ifdef BN_UMULT_HIGH
+			t2l = d1 * q;
+			t2h = BN_UMULT_HIGH(d1,q);
 #else
-		BN_ULONG t2l,t2h,ql,qh;
-
-#ifndef REMINDER_IS_ALREADY_CALCULATED
-		/*
-		 * It's more than enough with the only multiplication.
-		 * See the comment above in BN_LLONG section...
-		 */
-		rem=(n1-q*d0)&BN_MASK2;
+			t2l=LBITS(d1); t2h=HBITS(d1);
+			ql =LBITS(q);  qh =HBITS(q);
+			mul64(t2l,t2h,ql,qh); /* t2=(BN_ULLONG)d1*q; */
 #endif
-		t2l=LBITS(d1); t2h=HBITS(d1);
-		ql =LBITS(q);  qh =HBITS(q);
-		mul64(t2l,t2h,ql,qh); /* t2=(BN_ULLONG)d1*q; */
 
-		for (;;)
-			{
-			if ((t2h < rem) ||
-				((t2h == rem) && (t2l <= wnump[-2])))
-				break;
-			q--;
-			rem += d0;
-			if (rem < d0) break; /* don't let rem overflow */
-			if (t2l < d1) t2h--; t2l -= d1;
+			for (;;)
+				{
+				if ((t2h < rem) ||
+					((t2h == rem) && (t2l <= wnump[-2])))
+					break;
+				q--;
+				rem += d0;
+				if (rem < d0) break; /* don't let rem overflow */
+				if (t2l < d1) t2h--; t2l -= d1;
+				}
+#endif /* !BN_LLONG */
 			}
-#endif
-		}
 #endif /* !BN_DIV3W */
-		wnum.d--; wnum.top++;
+
 		l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
+		wnum.d--; wnum.top++;
 		tmp->d[div_n]=l0;
 		for (j=div_n+1; j>0; j--)
 			if (tmp->d[j-1]) break;
@@ -318,8 +333,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		BN_rshift(rm,snum,norm_shift);
 		rm->neg=num->neg;
 		}
+	BN_CTX_end(ctx);
 	return(1);
 err:
+	BN_CTX_end(ctx);
 	return(0);
 	}
 
@@ -335,22 +352,27 @@ int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
 	if (BN_ucmp(m,d) < 0)
 		return((BN_copy(rem,m) == NULL)?0:1);
 
-	dv= &(ctx->bn[ctx->tos]);
+	BN_CTX_start(ctx);
+	dv=BN_CTX_get(ctx);
 
-	if (!BN_copy(rem,m)) return(0);
+	if (!BN_copy(rem,m)) goto err;
 
 	nm=BN_num_bits(rem);
 	nd=BN_num_bits(d);
-	if (!BN_lshift(dv,d,nm-nd)) return(0);
+	if (!BN_lshift(dv,d,nm-nd)) goto err;
 	for (i=nm-nd; i>=0; i--)
 		{
 		if (BN_cmp(rem,dv) >= 0)
 			{
-			if (!BN_sub(rem,rem,dv)) return(0);
+			if (!BN_sub(rem,rem,dv)) goto err;
 			}
-		if (!BN_rshift1(dv,dv)) return(0);
+		if (!BN_rshift1(dv,dv)) goto err;
 		}
+	BN_CTX_end(ctx);
 	return(1);
+ err:
+	BN_CTX_end(ctx);
+	return(0);
 #else
 	return(BN_div(NULL,rem,m,d,ctx));
 #endif
diff --git a/lib/libcrypto/bn/bn_err.c b/lib/libcrypto/bn/bn_err.c
index 73e80774e57..f3b9497dca0 100644
--- a/lib/libcrypto/bn/bn_err.c
+++ b/lib/libcrypto/bn/bn_err.c
@@ -71,6 +71,7 @@ static ERR_STRING_DATA BN_str_functs[]=
 {ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0),	"BN_BLINDING_update"},
 {ERR_PACK(0,BN_F_BN_BN2DEC,0),	"BN_bn2dec"},
 {ERR_PACK(0,BN_F_BN_BN2HEX,0),	"BN_bn2hex"},
+{ERR_PACK(0,BN_F_BN_CTX_GET,0),	"BN_CTX_get"},
 {ERR_PACK(0,BN_F_BN_CTX_NEW,0),	"BN_CTX_new"},
 {ERR_PACK(0,BN_F_BN_DIV,0),	"BN_div"},
 {ERR_PACK(0,BN_F_BN_EXPAND2,0),	"bn_expand2"},
@@ -95,6 +96,7 @@ static ERR_STRING_DATA BN_str_reasons[]=
 {BN_R_INVALID_LENGTH                     ,"invalid length"},
 {BN_R_NOT_INITIALIZED                    ,"not initialized"},
 {BN_R_NO_INVERSE                         ,"no inverse"},
+{BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
 {0,NULL}
 	};
 
diff --git a/lib/libcrypto/bn/bn_exp.c b/lib/libcrypto/bn/bn_exp.c
index 2df1614ada1..0c116016754 100644
--- a/lib/libcrypto/bn/bn_exp.c
+++ b/lib/libcrypto/bn/bn_exp.c
@@ -59,6 +59,12 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
+#ifdef ATALLA
+# include <alloca.h>
+# include <atasi.h>
+# include <assert.h>
+# include <dlfcn.h>
+#endif
 
 #define TABLE_SIZE	16
 
@@ -72,7 +78,8 @@ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
 	bn_check_top(b);
 	bn_check_top(m);
 
-	t= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	if ((t = BN_CTX_get(ctx)) == NULL) goto err;
 	if (a == b)
 		{ if (!BN_sqr(t,a,ctx)) goto err; }
 	else
@@ -80,7 +87,7 @@ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
 	if (!BN_mod(ret,t,m,ctx)) goto err;
 	r=1;
 err:
-	ctx->tos--;
+	BN_CTX_end(ctx);
 	return(r);
 	}
 
@@ -91,8 +98,10 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m, BN_CTX *ctx)
 	int i,bits,ret=0;
 	BIGNUM *v,*tmp;
 
-	v= &(ctx->bn[ctx->tos++]);
-	tmp= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	v = BN_CTX_get(ctx);
+	tmp = BN_CTX_get(ctx);
+	if (v == NULL || tmp == NULL) goto err;
 
 	if (BN_copy(v,a) == NULL) goto err;
 	bits=BN_num_bits(p);
@@ -113,7 +122,7 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m, BN_CTX *ctx)
 		}
 	ret=1;
 err:
-	ctx->tos-=2;
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
@@ -122,15 +131,15 @@ err:
 /* this one works - simple but works */
 int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx)
 	{
-	int i,bits,ret=0,tos;
+	int i,bits,ret=0;
 	BIGNUM *v,*rr;
 
-	tos=ctx->tos;
-	v= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
 	if ((r == a) || (r == p))
-		rr= &(ctx->bn[ctx->tos++]);
+		rr = BN_CTX_get(ctx);
 	else
-		rr=r;
+		rr = r;
+	if ((v = BN_CTX_get(ctx)) == NULL) goto err;
 
 	if (BN_copy(v,a) == NULL) goto err;
 	bits=BN_num_bits(p);
@@ -149,11 +158,178 @@ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx)
 		}
 	ret=1;
 err:
-	ctx->tos=tos;
 	if (r != rr) BN_copy(r,rr);
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
+#ifdef ATALLA
+
+/*
+ * This routine will dynamically check for the existance of an Atalla AXL-200
+ * SSL accelerator module.  If one is found, the variable
+ * asi_accelerator_present is set to 1 and the function pointers
+ * ptr_ASI_xxxxxx above will be initialized to corresponding ASI API calls.
+ */
+typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
+					    unsigned int *ret_buf);
+typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
+typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
+				     unsigned char *output,
+				     unsigned char *input,
+				     unsigned int modulus_len);
+
+static tfnASI_GetHardwareConfig *ptr_ASI_GetHardwareConfig;
+static tfnASI_RSAPrivateKeyOpFn *ptr_ASI_RSAPrivateKeyOpFn;
+static tfnASI_GetPerformanceStatistics *ptr_ASI_GetPerformanceStatistics;
+static int asi_accelerator_present;
+static int tried_atalla;
+
+void atalla_initialize_accelerator_handle(void)
+	{
+	void *dl_handle;
+	int status;
+	unsigned int config_buf[1024]; 
+	static int tested;
+
+	if(tested)
+		return;
+
+	tested=1;
+
+	bzero((void *)config_buf, 1024);
+
+	/*
+	 * Check to see if the library is present on the system
+	 */
+	dl_handle = dlopen("atasi.so", RTLD_NOW);
+	if (dl_handle == (void *) NULL)
+		{
+/*		printf("atasi.so library is not present on the system\n");
+		printf("No HW acceleration available\n");*/
+		return;
+	        }
+
+	/*
+	 * The library is present.  Now we'll check to insure that the
+	 * LDM is up and running. First we'll get the address of the
+	 * function in the atasi library that we need to see if the
+	 * LDM is operating.
+	 */
+
+	ptr_ASI_GetHardwareConfig =
+	  (tfnASI_GetHardwareConfig *)dlsym(dl_handle,"ASI_GetHardwareConfig");
+
+	if (ptr_ASI_GetHardwareConfig)
+		{
+		/*
+		 * We found the call, now we'll get our config
+		 * status.  If we get a non 0 result, the LDM is not
+		 * running and we cannot use the Atalla ASI *
+		 * library.
+		 */
+		status = (*ptr_ASI_GetHardwareConfig)(0L, config_buf);
+		if (status != 0)
+			{
+			printf("atasi.so library is present but not initialized\n");
+			printf("No HW acceleration available\n");
+			return;
+			}    
+	        }
+	else
+		{
+/*		printf("We found the library, but not the function. Very Strange!\n");*/
+		return ;
+	      	}
+
+	/* 
+	 * It looks like we have acceleration capabilities.  Load up the
+	 * pointers to our ASI API calls.
+	 */
+	ptr_ASI_RSAPrivateKeyOpFn=
+	  (tfnASI_RSAPrivateKeyOpFn *)dlsym(dl_handle, "ASI_RSAPrivateKeyOpFn");
+	if (ptr_ASI_RSAPrivateKeyOpFn == NULL)
+		{
+/*		printf("We found the library, but no RSA function. Very Strange!\n");*/
+		return;
+	        }
+
+	ptr_ASI_GetPerformanceStatistics =
+	  (tfnASI_GetPerformanceStatistics *)dlsym(dl_handle, "ASI_GetPerformanceStatistics");
+	if (ptr_ASI_GetPerformanceStatistics == NULL)
+		{
+/*		printf("We found the library, but no stat function. Very Strange!\n");*/
+		return;
+	      }
+
+	/*
+	 * Indicate that acceleration is available
+	 */
+	asi_accelerator_present = 1;
+
+/*	printf("This system has acceleration!\n");*/
+
+	return;
+	}
+
+/* make sure this only gets called once when bn_mod_exp calls bn_mod_exp_mont */
+int BN_mod_exp_atalla(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m)
+	{
+	unsigned char *abin;
+	unsigned char *pbin;
+	unsigned char *mbin;
+	unsigned char *rbin;
+	int an,pn,mn,ret;
+	RSAPrivateKey keydata;
+
+	atalla_initialize_accelerator_handle();
+	if(!asi_accelerator_present)
+		return 0;
+
+
+/* We should be able to run without size testing */
+# define ASIZE	128
+	an=BN_num_bytes(a);
+	pn=BN_num_bytes(p);
+	mn=BN_num_bytes(m);
+
+	if(an <= ASIZE && pn <= ASIZE && mn <= ASIZE)
+	    {
+	    int size=mn;
+
+	    assert(an <= mn);
+	    abin=alloca(size);
+	    memset(abin,'\0',mn);
+	    BN_bn2bin(a,abin+size-an);
+
+	    pbin=alloca(pn);
+	    BN_bn2bin(p,pbin);
+
+	    mbin=alloca(size);
+	    memset(mbin,'\0',mn);
+	    BN_bn2bin(m,mbin+size-mn);
+
+	    rbin=alloca(size);
+
+	    memset(&keydata,'\0',sizeof keydata);
+	    keydata.privateExponent.data=pbin;
+	    keydata.privateExponent.len=pn;
+	    keydata.modulus.data=mbin;
+	    keydata.modulus.len=size;
+
+	    ret=(*ptr_ASI_RSAPrivateKeyOpFn)(&keydata,rbin,abin,keydata.modulus.len);
+/*fprintf(stderr,"!%s\n",BN_bn2hex(a));*/
+	    if(!ret)
+	        {
+		BN_bin2bn(rbin,keydata.modulus.len,r);
+/*fprintf(stderr,"?%s\n",BN_bn2hex(r));*/
+		return 1;
+	        }
+	    }
+	return 0;
+        }
+#endif /* def ATALLA */
+
 int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	       BN_CTX *ctx)
 	{
@@ -163,6 +339,13 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	bn_check_top(p);
 	bn_check_top(m);
 
+#ifdef ATALLA
+	if(BN_mod_exp_atalla(r,a,p,m))
+	    return 1;
+/* If it fails, try the other methods (but don't try atalla again) */
+	tried_atalla=1;
+#endif
+
 #ifdef MONT_MUL_MOD
 	/* I have finally been able to take out this pre-condition of
 	 * the top bit being set.  It was caused by an error in BN_div
@@ -180,6 +363,10 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		{ ret=BN_mod_exp_simple(r,a,p,m,ctx); }
 #endif
 
+#ifdef ATALLA
+	tried_atalla=0;
+#endif
+
 	return(ret);
 	}
 
@@ -193,7 +380,6 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	BIGNUM val[TABLE_SIZE];
 	BN_RECP_CTX recp;
 
-	aa= &(ctx->bn[ctx->tos++]);
 	bits=BN_num_bits(p);
 
 	if (bits == 0)
@@ -201,6 +387,10 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		BN_one(r);
 		return(1);
 		}
+
+	BN_CTX_start(ctx);
+	if ((aa = BN_CTX_get(ctx)) == NULL) goto err;
+
 	BN_RECP_CTX_init(&recp);
 	if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
 
@@ -289,7 +479,7 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		}
 	ret=1;
 err:
-	ctx->tos--;
+	BN_CTX_end(ctx);
 	for (i=0; i<ts; i++)
 		BN_clear_free(&(val[i]));
 	BN_RECP_CTX_free(&recp);
@@ -312,19 +502,27 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
 	bn_check_top(p);
 	bn_check_top(m);
 
+#ifdef ATALLA
+	if(!tried_atalla && BN_mod_exp_atalla(rr,a,p,m))
+	    return 1;
+/* If it fails, try the other methods */
+#endif
+
 	if (!(m->d[0] & 1))
 		{
 		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
 		return(0);
 		}
-	d= &(ctx->bn[ctx->tos++]);
-	r= &(ctx->bn[ctx->tos++]);
 	bits=BN_num_bits(p);
 	if (bits == 0)
 		{
-		BN_one(r);
+		BN_one(rr);
 		return(1);
 		}
+	BN_CTX_start(ctx);
+	d = BN_CTX_get(ctx);
+	r = BN_CTX_get(ctx);
+	if (d == NULL || r == NULL) goto err;
 
 	/* If this is not done, things will break in the montgomery
 	 * part */
@@ -432,7 +630,7 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
 	ret=1;
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
-	ctx->tos-=2;
+	BN_CTX_end(ctx);
 	for (i=0; i<ts; i++)
 		BN_clear_free(&(val[i]));
 	return(ret);
@@ -448,7 +646,6 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
 	BIGNUM *d;
 	BIGNUM val[TABLE_SIZE];
 
-	d= &(ctx->bn[ctx->tos++]);
 	bits=BN_num_bits(p);
 
 	if (bits == 0)
@@ -457,6 +654,9 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
 		return(1);
 		}
 
+	BN_CTX_start(ctx);
+	if ((d = BN_CTX_get(ctx)) == NULL) goto err;
+
 	BN_init(&(val[0]));
 	ts=1;
 	if (!BN_mod(&(val[0]),a,m,ctx)) goto err;		/* 1 */
@@ -541,7 +741,7 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
 		}
 	ret=1;
 err:
-	ctx->tos--;
+	BN_CTX_end(ctx);
 	for (i=0; i<ts; i++)
 		BN_clear_free(&(val[i]));
 	return(ret);
diff --git a/lib/libcrypto/bn/bn_exp2.c b/lib/libcrypto/bn/bn_exp2.c
index 1132d533651..4f4e9e32998 100644
--- a/lib/libcrypto/bn/bn_exp2.c
+++ b/lib/libcrypto/bn/bn_exp2.c
@@ -9,7 +9,7 @@
  * bits=1  75.4%  79.4%
  * bits=2  61.2%  62.4%
  * bits=3  61.3%  59.3%
- * The lack of speed improvment is also a function of the pre-calculation
+ * The lack of speed improvement is also a function of the pre-calculation
  * which could be removed.
  */
 #define EXP2_TABLE_BITS	2 /* 1  2  3  4  5  */
@@ -35,15 +35,19 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
 		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
 		return(0);
 		}
-	d= &(ctx->bn[ctx->tos++]);
-	r= &(ctx->bn[ctx->tos++]);
 	bits1=BN_num_bits(p1);
 	bits2=BN_num_bits(p2);
 	if ((bits1 == 0) && (bits2 == 0))
 		{
-		BN_one(r);
+		BN_one(rr);
 		return(1);
 		}
+
+	BN_CTX_start(ctx);
+	d = BN_CTX_get(ctx);
+	r = BN_CTX_get(ctx);
+	if (d == NULL || r == NULL) goto err;
+
 	bits=(bits1 > bits2)?bits1:bits2;
 
 	/* If this is not done, things will break in the montgomery
@@ -183,7 +187,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
 	ret=1;
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
-	ctx->tos-=2;
+	BN_CTX_end(ctx);
 	for (i=0; i<ts; i++)
 		{
 		for (j=0; j<ts; j++)
diff --git a/lib/libcrypto/bn/bn_gcd.c b/lib/libcrypto/bn/bn_gcd.c
index 64a76f44989..398207196be 100644
--- a/lib/libcrypto/bn/bn_gcd.c
+++ b/lib/libcrypto/bn/bn_gcd.c
@@ -61,6 +61,7 @@
 #include "bn_lcl.h"
 
 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b);
+
 int BN_gcd(BIGNUM *r, BIGNUM *in_a, BIGNUM *in_b, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*t;
@@ -69,8 +70,10 @@ int BN_gcd(BIGNUM *r, BIGNUM *in_a, BIGNUM *in_b, BN_CTX *ctx)
 	bn_check_top(in_a);
 	bn_check_top(in_b);
 
-	a= &(ctx->bn[ctx->tos]);
-	b= &(ctx->bn[ctx->tos+1]);
+	BN_CTX_start(ctx);
+	a = BN_CTX_get(ctx);
+	b = BN_CTX_get(ctx);
+	if (a == NULL || b == NULL) goto err;
 
 	if (BN_copy(a,in_a) == NULL) goto err;
 	if (BN_copy(b,in_b) == NULL) goto err;
@@ -82,6 +85,7 @@ int BN_gcd(BIGNUM *r, BIGNUM *in_a, BIGNUM *in_b, BN_CTX *ctx)
 	if (BN_copy(r,t) == NULL) goto err;
 	ret=1;
 err:
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
@@ -142,20 +146,22 @@ err:
 /* solves ax == 1 (mod n) */
 BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
 	{
-	BIGNUM *A,*B,*X,*Y,*M,*D,*R;
+	BIGNUM *A,*B,*X,*Y,*M,*D,*R=NULL;
 	BIGNUM *T,*ret=NULL;
 	int sign;
 
 	bn_check_top(a);
 	bn_check_top(n);
 
-	A= &(ctx->bn[ctx->tos]);
-	B= &(ctx->bn[ctx->tos+1]);
-	X= &(ctx->bn[ctx->tos+2]);
-	D= &(ctx->bn[ctx->tos+3]);
-	M= &(ctx->bn[ctx->tos+4]);
-	Y= &(ctx->bn[ctx->tos+5]);
-	ctx->tos+=6;
+	BN_CTX_start(ctx);
+	A = BN_CTX_get(ctx);
+	B = BN_CTX_get(ctx);
+	X = BN_CTX_get(ctx);
+	D = BN_CTX_get(ctx);
+	M = BN_CTX_get(ctx);
+	Y = BN_CTX_get(ctx);
+	if (Y == NULL) goto err;
+
 	if (in == NULL)
 		R=BN_new();
 	else
@@ -198,7 +204,7 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
 	ret=R;
 err:
 	if ((ret == NULL) && (in == NULL)) BN_free(R);
-	ctx->tos-=6;
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
diff --git a/lib/libcrypto/bn/bn_lcl.h b/lib/libcrypto/bn/bn_lcl.h
index 85a372695b9..e36ccbc4c2d 100644
--- a/lib/libcrypto/bn/bn_lcl.h
+++ b/lib/libcrypto/bn/bn_lcl.h
@@ -73,18 +73,53 @@ extern "C" {
 #define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL	(32) /* 32 */
 #define BN_MONT_CTX_SET_SIZE_WORD		(64) /* 32 */
 
-#if 0
-#ifndef BN_MUL_COMBA
-/* #define bn_mul_comba8(r,a,b)	bn_mul_normal(r,a,8,b,8) */
-/* #define bn_mul_comba4(r,a,b)	bn_mul_normal(r,a,4,b,4) */
-#endif
-
-#ifndef BN_SQR_COMBA
-/* This is probably faster than using the C code - I need to check */
-#define bn_sqr_comba8(r,a)	bn_mul_normal(r,a,8,a,8)
-#define bn_sqr_comba4(r,a)	bn_mul_normal(r,a,4,a,4)
-#endif
-#endif
+#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC)
+/*
+ * BN_UMULT_HIGH section.
+ *
+ * No, I'm not trying to overwhelm you when stating that the
+ * product of N-bit numbers is 2*N bits wide:-) No, I don't expect
+ * you to be impressed when I say that if the compiler doesn't
+ * support 2*N integer type, then you have to replace every N*N
+ * multiplication with 4 (N/2)*(N/2) accompanied by some shifts
+ * and additions which unavoidably results in severe performance
+ * penalties. Of course provided that the hardware is capable of
+ * producing 2*N result... That's when you normally start
+ * considering assembler implementation. However! It should be
+ * pointed out that some CPUs (most notably Alpha, PowerPC and
+ * upcoming IA-64 family:-) provide *separate* instruction
+ * calculating the upper half of the product placing the result
+ * into a general purpose register. Now *if* the compiler supports
+ * inline assembler, then it's not impossible to implement the
+ * "bignum" routines (and have the compiler optimize 'em)
+ * exhibiting "native" performance in C. That's what BN_UMULT_HIGH
+ * macro is about:-)
+ *
+ *					<appro@fy.chalmers.se>
+ */
+# if defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+#  if defined(__DECC)
+#   include <c_asm.h>
+#   define BN_UMULT_HIGH(a,b)	(BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
+#  elif defined(__GNUC__)
+#   define BN_UMULT_HIGH(a,b)	({	\
+	register BN_ULONG ret;		\
+	asm ("umulh	%1,%2,%0"	\
+	     : "=r"(ret)		\
+	     : "r"(a), "r"(b));		\
+	ret;			})
+#  endif	/* compiler */
+# elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG)
+#  if defined(__GNUC__)
+#   define BN_UMULT_HIGH(a,b)	({	\
+	register BN_ULONG ret;		\
+	asm ("mulhdu	%0,%1,%2"	\
+	     : "=r"(ret)		\
+	     : "r"(a), "r"(b));		\
+	ret;			})
+#  endif	/* compiler */
+# endif		/* cpu */
+#endif		/* NO_ASM */
 
 /*************************************************************
  * Using the long long type
@@ -92,15 +127,12 @@ extern "C" {
 #define Lw(t)    (((BN_ULONG)(t))&BN_MASK2)
 #define Hw(t)    (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
 
-/* These are used for internal error checking and are not normally used */
+/* This is used for internal error checking and is not normally used */
 #ifdef BN_DEBUG
-#define bn_check_top(a) \
-	{ if (((a)->top < 0) || ((a)->top > (a)->max)) \
-		{ char *nullp=NULL; *nullp='z'; } }
-#define bn_check_num(a) if ((a) < 0) { char *nullp=NULL; *nullp='z'; }
+# include <assert.h>
+# define bn_check_top(a) assert ((a)->top >= 0 && (a)->top <= (a)->max);
 #else
-#define bn_check_top(a)
-#define bn_check_num(a)
+# define bn_check_top(a)
 #endif
 
 /* This macro is to add extra stuff for development checking */
@@ -134,8 +166,6 @@ extern "C" {
 	bn_set_max(r); \
 	}
 
-/* #define bn_expand(n,b) ((((b)/BN_BITS2) <= (n)->max)?(n):bn_expand2((n),(b))) */
-
 #ifdef BN_LLONG
 #define mul_add(r,a,w,c) { \
 	BN_ULLONG t; \
@@ -151,6 +181,43 @@ extern "C" {
 	(c)= Hw(t); \
 	}
 
+#define sqr(r0,r1,a) { \
+	BN_ULLONG t; \
+	t=(BN_ULLONG)(a)*(a); \
+	(r0)=Lw(t); \
+	(r1)=Hw(t); \
+	}
+
+#elif defined(BN_UMULT_HIGH)
+#define mul_add(r,a,w,c) {		\
+	BN_ULONG high,low,ret,tmp=(a);	\
+	ret =  (r);			\
+	high=  BN_UMULT_HIGH(w,tmp);	\
+	ret += (c);			\
+	low =  (w) * tmp;		\
+	(c) =  (ret<(c))?1:0;		\
+	(c) += high;			\
+	ret += low;			\
+	(c) += (ret<low)?1:0;		\
+	(r) =  ret;			\
+	}
+
+#define mul(r,a,w,c)	{		\
+	BN_ULONG high,low,ret,ta=(a);	\
+	low =  (w) * ta;		\
+	high=  BN_UMULT_HIGH(w,ta);	\
+	ret =  low + (c);		\
+	(c) =  high;			\
+	(c) += (ret<low)?1:0;		\
+	(r) =  ret;			\
+	}
+
+#define sqr(r0,r1,a)	{		\
+	BN_ULONG tmp=(a);		\
+	(r0) = tmp * tmp;		\
+	(r1) = BN_UMULT_HIGH(tmp,tmp);	\
+	}
+
 #else
 /*************************************************************
  * No long long type
@@ -228,21 +295,7 @@ extern "C" {
 	(c)=h&BN_MASK2; \
 	(r)=l&BN_MASK2; \
 	}
-
-#endif
-
-OPENSSL_EXTERN int bn_limit_bits;
-OPENSSL_EXTERN int bn_limit_num;        /* (1<<bn_limit_bits) */
-/* Recursive 'low' limit */
-OPENSSL_EXTERN int bn_limit_bits_low;
-OPENSSL_EXTERN int bn_limit_num_low;    /* (1<<bn_limit_bits_low) */
-/* Do modified 'high' part calculation' */
-OPENSSL_EXTERN int bn_limit_bits_high;
-OPENSSL_EXTERN int bn_limit_num_high;   /* (1<<bn_limit_bits_high) */
-OPENSSL_EXTERN int bn_limit_bits_mont;
-OPENSSL_EXTERN int bn_limit_num_mont;   /* (1<<bn_limit_bits_mont) */
-
-BIGNUM *bn_expand2(BIGNUM *b, int bits);
+#endif /* !BN_LLONG */
 
 void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
 void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
diff --git a/lib/libcrypto/bn/bn_lib.c b/lib/libcrypto/bn/bn_lib.c
index 5d62d88e8b6..0e6b12d9c36 100644
--- a/lib/libcrypto/bn/bn_lib.c
+++ b/lib/libcrypto/bn/bn_lib.c
@@ -71,14 +71,14 @@ const char *BN_version="Big Number" OPENSSL_VERSION_PTEXT;
  * 7 - 128 == 4096
  * 8 - 256 == 8192
  */
-OPENSSL_GLOBAL int bn_limit_bits=0;
-OPENSSL_GLOBAL int bn_limit_num=8;        /* (1<<bn_limit_bits) */
-OPENSSL_GLOBAL int bn_limit_bits_low=0;
-OPENSSL_GLOBAL int bn_limit_num_low=8;    /* (1<<bn_limit_bits_low) */
-OPENSSL_GLOBAL int bn_limit_bits_high=0;
-OPENSSL_GLOBAL int bn_limit_num_high=8;   /* (1<<bn_limit_bits_high) */
-OPENSSL_GLOBAL int bn_limit_bits_mont=0;
-OPENSSL_GLOBAL int bn_limit_num_mont=8;   /* (1<<bn_limit_bits_mont) */
+static int bn_limit_bits=0;
+static int bn_limit_num=8;        /* (1<<bn_limit_bits) */
+static int bn_limit_bits_low=0;
+static int bn_limit_num_low=8;    /* (1<<bn_limit_bits_low) */
+static int bn_limit_bits_high=0;
+static int bn_limit_num_high=8;   /* (1<<bn_limit_bits_high) */
+static int bn_limit_bits_mont=0;
+static int bn_limit_num_mont=8;   /* (1<<bn_limit_bits_mont) */
 
 void BN_set_params(int mult, int high, int low, int mont)
 	{
@@ -304,42 +304,10 @@ BIGNUM *BN_new(void)
 	return(ret);
 	}
 
-
-BN_CTX *BN_CTX_new(void)
-	{
-	BN_CTX *ret;
-
-	ret=(BN_CTX *)Malloc(sizeof(BN_CTX));
-	if (ret == NULL)
-		{
-		BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE);
-		return(NULL);
-		}
-
-	BN_CTX_init(ret);
-	ret->flags=BN_FLG_MALLOCED;
-	return(ret);
-	}
-
-void BN_CTX_init(BN_CTX *ctx)
-	{
-	memset(ctx,0,sizeof(BN_CTX));
-	ctx->tos=0;
-	ctx->flags=0;
-	}
-
-void BN_CTX_free(BN_CTX *c)
-	{
-	int i;
-
-	if(c == NULL)
-	    return;
-
-	for (i=0; i<BN_CTX_NUM; i++)
-		BN_clear_free(&(c->bn[i]));
-	if (c->flags & BN_FLG_MALLOCED)
-		Free(c);
-	}
+/* This is an internal function that should not be used in applications.
+ * It ensures that 'b' has enough room for a 'words' word number number.
+ * It is mostly used by the various BIGNUM routines. If there is an error,
+ * NULL is returned. If not, 'b' is returned. */
 
 BIGNUM *bn_expand2(BIGNUM *b, int words)
 	{
@@ -389,7 +357,7 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
  * if A and B happen to share same cache line such code is going to
  * cause severe cache trashing. Both factors have severe impact on
  * performance of modern CPUs and this is the reason why this
- * particulare piece of code is #ifdefed away and replaced by more
+ * particular piece of code is #ifdefed away and replaced by more
  * "friendly" version found in #else section below. This comment
  * also applies to BN_copy function.
  *
@@ -420,7 +388,7 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
 				A[0]=B[0];
 			case 0:
 				/* I need the 'case 0' entry for utrix cc.
-				 * If the optimiser is turned on, it does the
+				 * If the optimizer is turned on, it does the
 				 * switch table by doing
 				 * a=top&7
 				 * a--;
diff --git a/lib/libcrypto/bn/bn_mont.c b/lib/libcrypto/bn/bn_mont.c
index ee0f410c22a..7bb0b91223c 100644
--- a/lib/libcrypto/bn/bn_mont.c
+++ b/lib/libcrypto/bn/bn_mont.c
@@ -57,25 +57,27 @@
  */
 
 /*
- * Details about Montgomery multiplication algorithms can be found at:
- * http://www.ece.orst.edu/ISL/Publications.html
- * http://www.ece.orst.edu/ISL/Koc/papers/j37acmon.pdf
+ * Details about Montgomery multiplication algorithms can be found at
+ * http://security.ece.orst.edu/publications.html, e.g.
+ * http://security.ece.orst.edu/koc/papers/j37acmon.pdf and
+ * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
  */
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-#define MONT_WORD
+#define MONT_WORD /* use the faster word-based algorithm */
 
 int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
 			  BN_MONT_CTX *mont, BN_CTX *ctx)
 	{
 	BIGNUM *tmp,*tmp2;
 
-        tmp= &(ctx->bn[ctx->tos]);
-        tmp2= &(ctx->bn[ctx->tos]);
-	ctx->tos+=2;
+	BN_CTX_start(ctx);
+	tmp = BN_CTX_get(ctx);
+	tmp2 = BN_CTX_get(ctx);
+	if (tmp == NULL || tmp2 == NULL) goto err;
 
 	bn_check_top(tmp);
 	bn_check_top(tmp2);
@@ -99,7 +101,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
 		}
 	/* reduce from aRR to aR */
 	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
-	ctx->tos-=2;
+	BN_CTX_end(ctx);
 	return(1);
 err:
 	return(0);
@@ -108,160 +110,123 @@ err:
 int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,
 	     BN_CTX *ctx)
 	{
-#ifdef BN_RECURSION_MONT
-	if (mont->use_word)
-#endif
-		{
-		BIGNUM *n,*r;
-		BN_ULONG *ap,*np,*rp,n0,v,*nrp;
-		int al,nl,max,i,x,ri;
-		int retn=0;
+	int retn=0;
 
-		r= &(ctx->bn[ctx->tos]);
+#ifdef MONT_WORD
+	BIGNUM *n,*r;
+	BN_ULONG *ap,*np,*rp,n0,v,*nrp;
+	int al,nl,max,i,x,ri;
 
-		if (!BN_copy(r,a)) goto err1;
-		n= &(mont->N);
+	BN_CTX_start(ctx);
+	if ((r = BN_CTX_get(ctx)) == NULL) goto err;
 
-		ap=a->d;
-		/* mont->ri is the size of mont->N in bits/words */
-		al=ri=mont->ri/BN_BITS2;
+	if (!BN_copy(r,a)) goto err;
+	n= &(mont->N);
 
-		nl=n->top;
-		if ((al == 0) || (nl == 0)) { r->top=0; return(1); }
+	ap=a->d;
+	/* mont->ri is the size of mont->N in bits (rounded up
+	   to the word size) */
+	al=ri=mont->ri/BN_BITS2;
+	
+	nl=n->top;
+	if ((al == 0) || (nl == 0)) { r->top=0; return(1); }
 
-		max=(nl+al+1); /* allow for overflow (no?) XXX */
-		if (bn_wexpand(r,max) == NULL) goto err1;
-		if (bn_wexpand(ret,max) == NULL) goto err1;
+	max=(nl+al+1); /* allow for overflow (no?) XXX */
+	if (bn_wexpand(r,max) == NULL) goto err;
+	if (bn_wexpand(ret,max) == NULL) goto err;
 
-		r->neg=a->neg^n->neg;
-		np=n->d;
-		rp=r->d;
-		nrp= &(r->d[nl]);
+	r->neg=a->neg^n->neg;
+	np=n->d;
+	rp=r->d;
+	nrp= &(r->d[nl]);
 
-		/* clear the top words of T */
+	/* clear the top words of T */
 #if 1
-		for (i=r->top; i<max; i++) /* memset? XXX */
-			r->d[i]=0;
+	for (i=r->top; i<max; i++) /* memset? XXX */
+		r->d[i]=0;
 #else
-		memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG)); 
+	memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG)); 
 #endif
 
-		r->top=max;
-		n0=mont->n0;
+	r->top=max;
+	n0=mont->n0;
 
 #ifdef BN_COUNT
-printf("word BN_from_montgomery %d * %d\n",nl,nl);
+	printf("word BN_from_montgomery %d * %d\n",nl,nl);
 #endif
-		for (i=0; i<nl; i++)
-			{
-			v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
-			nrp++;
-			rp++;
-			if (((nrp[-1]+=v)&BN_MASK2) >= v)
-				continue;
-			else
-				{
-				if (((++nrp[0])&BN_MASK2) != 0) continue;
-				if (((++nrp[1])&BN_MASK2) != 0) continue;
-				for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
-				}
-			}
-		bn_fix_top(r);
-
-		/* mont->ri will be a multiple of the word size */
-#if 0
-		BN_rshift(ret,r,mont->ri);
-#else
-		x=ri;
-		rp=ret->d;
-		ap= &(r->d[x]);
-		if (r->top < x)
-			al=0;
+	for (i=0; i<nl; i++)
+		{
+		v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
+		nrp++;
+		rp++;
+		if (((nrp[-1]+=v)&BN_MASK2) >= v)
+			continue;
 		else
-			al=r->top-x;
-		ret->top=al;
-		al-=4;
-		for (i=0; i<al; i+=4)
 			{
-			BN_ULONG t1,t2,t3,t4;
-
-			t1=ap[i+0];
-			t2=ap[i+1];
-			t3=ap[i+2];
-			t4=ap[i+3];
-			rp[i+0]=t1;
-			rp[i+1]=t2;
-			rp[i+2]=t3;
-			rp[i+3]=t4;
+			if (((++nrp[0])&BN_MASK2) != 0) continue;
+			if (((++nrp[1])&BN_MASK2) != 0) continue;
+			for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
 			}
-		al+=4;
-		for (; i<al; i++)
-			rp[i]=ap[i];
-#endif
-
-		if (BN_ucmp(ret, &(mont->N)) >= 0)
-			{
-			BN_usub(ret,ret,&(mont->N)); /* XXX */
-			}
-		retn=1;
-err1:
-		return(retn);
 		}
-#ifdef BN_RECURSION_MONT
-	else /* bignum version */ 
+	bn_fix_top(r);
+	
+	/* mont->ri will be a multiple of the word size */
+#if 0
+	BN_rshift(ret,r,mont->ri);
+#else
+	x=ri;
+	rp=ret->d;
+	ap= &(r->d[x]);
+	if (r->top < x)
+		al=0;
+	else
+		al=r->top-x;
+	ret->top=al;
+	al-=4;
+	for (i=0; i<al; i+=4)
 		{
-		BIGNUM *t1,*t2,*t3;
-		int j,i;
-
-#ifdef BN_COUNT
-printf("number BN_from_montgomery\n");
-#endif
-
-		t1= &(ctx->bn[ctx->tos]);
-		t2= &(ctx->bn[ctx->tos+1]);
-		t3= &(ctx->bn[ctx->tos+2]);
-
-		i=mont->Ni.top;
-		bn_wexpand(ret,i); /* perhaps only i*2 */
-		bn_wexpand(t1,i*4); /* perhaps only i*2 */
-		bn_wexpand(t2,i*2); /* perhaps only i   */
-
-		bn_mul_low_recursive(t2->d,a->d,mont->Ni.d,i,t1->d);
-
-		BN_zero(t3);
-		BN_set_bit(t3,mont->N.top*BN_BITS2);
-		bn_sub_words(t3->d,t3->d,a->d,i);
-		bn_mul_high(ret->d,t2->d,mont->N.d,t3->d,i,t1->d);
-
-		/* hmm... if a is between i and 2*i, things are bad */
-		if (a->top > i)
-			{
-			j=(int)(bn_add_words(ret->d,ret->d,&(a->d[i]),i));
-			if (j) /* overflow */
-				bn_sub_words(ret->d,ret->d,mont->N.d,i);
-			}
-		ret->top=i;
-		bn_fix_top(ret);
-		if (a->d[0])
-			BN_add_word(ret,1); /* Always? */
-		else	/* Very very rare */
-			{
-			for (i=1; i<mont->N.top-1; i++)
-				{
-				if (a->d[i])
-					{
-					BN_add_word(ret,1); /* Always? */
-					break;
-					}
-				}
-			}
-
-		if (BN_ucmp(ret,&(mont->N)) >= 0)
-			BN_usub(ret,ret,&(mont->N));
-
-		return(1);
+		BN_ULONG t1,t2,t3,t4;
+		
+		t1=ap[i+0];
+		t2=ap[i+1];
+		t3=ap[i+2];
+		t4=ap[i+3];
+		rp[i+0]=t1;
+		rp[i+1]=t2;
+		rp[i+2]=t3;
+		rp[i+3]=t4;
 		}
+	al+=4;
+	for (; i<al; i++)
+		rp[i]=ap[i];
 #endif
+#else /* !MONT_WORD */ 
+	BIGNUM *t1,*t2;
+
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	t2 = BN_CTX_get(ctx);
+	if (t1 == NULL || t2 == NULL) goto err;
+	
+	if (!BN_copy(t1,a)) goto err;
+	BN_mask_bits(t1,mont->ri);
+
+	if (!BN_mul(t2,t1,&mont->Ni,ctx)) goto err;
+	BN_mask_bits(t2,mont->ri);
+
+	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
+	if (!BN_add(t2,a,t1)) goto err;
+	BN_rshift(ret,t2,mont->ri);
+#endif /* MONT_WORD */
+
+	if (BN_ucmp(ret, &(mont->N)) >= 0)
+		{
+		BN_usub(ret,ret,&(mont->N));
+		}
+	retn=1;
+ err:
+	BN_CTX_end(ctx);
+	return(retn);
 	}
 
 BN_MONT_CTX *BN_MONT_CTX_new(void)
@@ -278,7 +243,6 @@ BN_MONT_CTX *BN_MONT_CTX_new(void)
 
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
 	{
-	ctx->use_word=0;
 	ctx->ri=0;
 	BN_init(&(ctx->RR));
 	BN_init(&(ctx->N));
@@ -306,85 +270,53 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 	R= &(mont->RR);					/* grab RR as a temp */
 	BN_copy(&(mont->N),mod);			/* Set N */
 
-#ifdef BN_RECURSION_MONT
-	if (mont->N.top < BN_MONT_CTX_SET_SIZE_WORD)
-#endif
+#ifdef MONT_WORD
 		{
 		BIGNUM tmod;
 		BN_ULONG buf[2];
 
-		mont->use_word=1;
-
 		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
 		BN_zero(R);
-		BN_set_bit(R,BN_BITS2);
-		/* I was bad, this modification of a passed variable was
-		 * breaking the multithreaded stuff :-(
-		 * z=mod->top;
-		 * mod->top=1; */
+		BN_set_bit(R,BN_BITS2);			/* R */
 
-		buf[0]=mod->d[0];
+		buf[0]=mod->d[0]; /* tmod = N mod word size */
 		buf[1]=0;
 		tmod.d=buf;
 		tmod.top=1;
-		tmod.max=mod->max;
+		tmod.max=2;
 		tmod.neg=mod->neg;
-
+							/* Ri = R^-1 mod N*/
 		if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
 			goto err;
-		BN_lshift(&Ri,&Ri,BN_BITS2);			/* R*Ri */
+		BN_lshift(&Ri,&Ri,BN_BITS2);		/* R*Ri */
 		if (!BN_is_zero(&Ri))
-			{
-#if 1
 			BN_sub_word(&Ri,1);
-#else
-			BN_usub(&Ri,&Ri,BN_value_one());	/* R*Ri - 1 */
-#endif
-			}
-		else
-			{
-			/* This is not common..., 1 in BN_MASK2,
-			 * It happens when buf[0] was == 1.  So for 8 bit,
-			 * this is 1/256, 16bit, 1 in 2^16 etc.
-			 */
-			BN_set_word(&Ri,BN_MASK2);
-			}
-		BN_div(&Ri,NULL,&Ri,&tmod,ctx);
+		else /* if N mod word size == 1 */
+			BN_set_word(&Ri,BN_MASK2);  /* Ri-- (mod word size) */
+		BN_div(&Ri,NULL,&Ri,&tmod,ctx);	/* Ni = (R*Ri-1)/N,
+		                                 * keep only least significant word: */
 		mont->n0=Ri.d[0];
 		BN_free(&Ri);
-		/* mod->top=z; */
 		}
-#ifdef BN_RECURSION_MONT
-	else
-		{
-		mont->use_word=0;
-		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-#if 1
+#else /* !MONT_WORD */
+		{ /* bignum version */
+		mont->ri=BN_num_bits(mod);
 		BN_zero(R);
-		BN_set_bit(R,mont->ri);
-#else
-		BN_lshift(R,BN_value_one(),mont->ri);	/* R */
-#endif
+		BN_set_bit(R,mont->ri);			/* R = 2^ri */
+							/* Ri = R^-1 mod N*/
 		if ((BN_mod_inverse(&Ri,R,mod,ctx)) == NULL)
 			goto err;
 		BN_lshift(&Ri,&Ri,mont->ri);		/* R*Ri */
-#if 1
 		BN_sub_word(&Ri,1);
-#else
-		BN_usub(&Ri,&Ri,BN_value_one());	/* R*Ri - 1 */
-#endif
+							/* Ni = (R*Ri-1) / N */
 		BN_div(&(mont->Ni),NULL,&Ri,mod,ctx);
 		BN_free(&Ri);
 		}
 #endif
 
 	/* setup RR for conversions */
-#if 1
 	BN_zero(&(mont->RR));
 	BN_set_bit(&(mont->RR),mont->ri*2);
-#else
-	BN_lshift(mont->RR,BN_value_one(),mont->ri*2);
-#endif
 	BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx);
 
 	return(1);
@@ -399,7 +331,6 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 	BN_copy(&(to->RR),&(from->RR));
 	BN_copy(&(to->N),&(from->N));
 	BN_copy(&(to->Ni),&(from->Ni));
-	to->use_word=from->use_word;
 	to->ri=from->ri;
 	to->n0=from->n0;
 	return(to);
diff --git a/lib/libcrypto/bn/bn_mul.c b/lib/libcrypto/bn/bn_mul.c
index 38c47f3d1f0..eb007e19e9a 100644
--- a/lib/libcrypto/bn/bn_mul.c
+++ b/lib/libcrypto/bn/bn_mul.c
@@ -66,7 +66,7 @@
  * n2 must be a power of 2.
  * We multiply and return the result.
  * t must be 2*n2 words in size
- * We calulate
+ * We calculate
  * a[0]*b[0]
  * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
  * a[1]*b[1]
@@ -78,21 +78,23 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 	unsigned int neg,zero;
 	BN_ULONG ln,lo,*p;
 
-#ifdef BN_COUNT
-printf(" bn_mul_recursive %d * %d\n",n2,n2);
-#endif
-#ifdef BN_MUL_COMBA
-/*	if (n2 == 4)
+# ifdef BN_COUNT
+	printf(" bn_mul_recursive %d * %d\n",n2,n2);
+# endif
+# ifdef BN_MUL_COMBA
+#  if 0
+	if (n2 == 4)
 		{
 		bn_mul_comba4(r,a,b);
 		return;
 		}
-	else */ if (n2 == 8)
+#  endif
+	if (n2 == 8)
 		{
 		bn_mul_comba8(r,a,b);
 		return; 
 		}
-#endif
+# endif /* BN_MUL_COMBA */
 	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
 		{
 		/* This should not happen */
@@ -136,7 +138,7 @@ printf(" bn_mul_recursive %d * %d\n",n2,n2);
 		break;
 		}
 
-#ifdef BN_MUL_COMBA
+# ifdef BN_MUL_COMBA
 	if (n == 4)
 		{
 		if (!zero)
@@ -158,7 +160,7 @@ printf(" bn_mul_recursive %d * %d\n",n2,n2);
 		bn_mul_comba8(&(r[n2]),&(a[n]),&(b[n]));
 		}
 	else
-#endif
+# endif /* BN_MUL_COMBA */
 		{
 		p= &(t[n2*2]);
 		if (!zero)
@@ -219,12 +221,12 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 	     int n, BN_ULONG *t)
 	{
 	int i,j,n2=n*2;
-	unsigned int c1;
+	unsigned int c1,c2,neg,zero;
 	BN_ULONG ln,lo,*p;
 
-#ifdef BN_COUNT
-printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
-#endif
+# ifdef BN_COUNT
+	printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
+# endif
 	if (n < 8)
 		{
 		i=tn+n;
@@ -233,17 +235,54 @@ printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
 		}
 
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
-	bn_sub_words(t,      a,      &(a[n]),n); /* + */
-	bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
-
-/*	if (n == 4)
+	c1=bn_cmp_words(a,&(a[n]),n);
+	c2=bn_cmp_words(&(b[n]),b,n);
+	zero=neg=0;
+	switch (c1*3+c2)
+		{
+	case -4:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		break;
+	case -3:
+		zero=1;
+		/* break; */
+	case -2:
+		bn_sub_words(t,      &(a[n]),a,      n); /* - */
+		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+		neg=1;
+		break;
+	case -1:
+	case 0:
+	case 1:
+		zero=1;
+		/* break; */
+	case 2:
+		bn_sub_words(t,      a,      &(a[n]),n); /* + */
+		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+		neg=1;
+		break;
+	case 3:
+		zero=1;
+		/* break; */
+	case 4:
+		bn_sub_words(t,      a,      &(a[n]),n);
+		bn_sub_words(&(t[n]),&(b[n]),b,      n);
+		break;
+		}
+		/* The zero case isn't yet implemented here. The speedup
+		   would probably be negligible. */
+# if 0
+	if (n == 4)
 		{
 		bn_mul_comba4(&(t[n2]),t,&(t[n]));
 		bn_mul_comba4(r,a,b);
 		bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
 		memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
 		}
-	else */ if (n == 8)
+	else
+# endif
+	if (n == 8)
 		{
 		bn_mul_comba8(&(t[n2]),t,&(t[n]));
 		bn_mul_comba8(r,a,b);
@@ -308,7 +347,16 @@ printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
 	 */
 
 	c1=(int)(bn_add_words(t,r,&(r[n2]),n2));
-	c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
+
+	if (neg) /* if t[32] is negative */
+		{
+		c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
+		}
+	else
+		{
+		/* Might have a carry */
+		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
+		}
 
 	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
 	 * r[10] holds (a[0]*b[0])
@@ -345,9 +393,9 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 	{
 	int n=n2/2;
 
-#ifdef BN_COUNT
-printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
-#endif
+# ifdef BN_COUNT
+	printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
+# endif
 
 	bn_mul_recursive(r,a,b,n,&(t[0]));
 	if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
@@ -379,9 +427,9 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 	int neg,oneg,zero;
 	BN_ULONG ll,lc,*lp,*mp;
 
-#ifdef BN_COUNT
-printf(" bn_mul_high %d * %d\n",n2,n2);
-#endif
+# ifdef BN_COUNT
+	printf(" bn_mul_high %d * %d\n",n2,n2);
+# endif
 	n=n2/2;
 
 	/* Calculate (al-ah)*(bh-bl) */
@@ -424,14 +472,14 @@ printf(" bn_mul_high %d * %d\n",n2,n2);
 	oneg=neg;
 	/* t[10] = (a[0]-a[1])*(b[1]-b[0]) */
 	/* r[10] = (a[1]*b[1]) */
-#ifdef BN_MUL_COMBA
+# ifdef BN_MUL_COMBA
 	if (n == 8)
 		{
 		bn_mul_comba8(&(t[0]),&(r[0]),&(r[n]));
 		bn_mul_comba8(r,&(a[n]),&(b[n]));
 		}
 	else
-#endif
+# endif
 		{
 		bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
 		bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
@@ -555,19 +603,23 @@ printf(" bn_mul_high %d * %d\n",n2,n2);
 			}
 		}
 	}
-#endif
+#endif /* BN_RECURSION */
 
 int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 	{
 	int top,al,bl;
 	BIGNUM *rr;
+	int ret = 0;
+#if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
+	int i;
+#endif
 #ifdef BN_RECURSION
 	BIGNUM *t;
-	int i,j,k;
+	int j,k;
 #endif
 
 #ifdef BN_COUNT
-printf("BN_mul %d * %d\n",a->top,b->top);
+	printf("BN_mul %d * %d\n",a->top,b->top);
 #endif
 
 	bn_check_top(a);
@@ -585,115 +637,99 @@ printf("BN_mul %d * %d\n",a->top,b->top);
 		}
 	top=al+bl;
 
+	BN_CTX_start(ctx);
 	if ((r == a) || (r == b))
-		rr= &(ctx->bn[ctx->tos+1]);
+		{
+		if ((rr = BN_CTX_get(ctx)) == NULL) goto err;
+		}
 	else
-		rr=r;
+		rr = r;
 
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
-	if (al == bl)
+	i = al-bl;
+#endif
+#ifdef BN_MUL_COMBA
+	if (i == 0)
 		{
-#  ifdef BN_MUL_COMBA
-/*		if (al == 4)
+# if 0
+		if (al == 4)
 			{
-			if (bn_wexpand(rr,8) == NULL) return(0);
+			if (bn_wexpand(rr,8) == NULL) goto err;
 			rr->top=8;
 			bn_mul_comba4(rr->d,a->d,b->d);
 			goto end;
 			}
-		else */ if (al == 8)
+# endif
+		if (al == 8)
 			{
-			if (bn_wexpand(rr,16) == NULL) return(0);
+			if (bn_wexpand(rr,16) == NULL) goto err;
 			rr->top=16;
 			bn_mul_comba8(rr->d,a->d,b->d);
 			goto end;
 			}
-		else
-#  endif
-#ifdef BN_RECURSION
-		if (al < BN_MULL_SIZE_NORMAL)
-#endif
-			{
-			if (bn_wexpand(rr,top) == NULL) return(0);
-			rr->top=top;
-			bn_mul_normal(rr->d,a->d,al,b->d,bl);
-			goto end;
-			}
-#  ifdef BN_RECURSION
-		goto symetric;
-#  endif
 		}
-#endif
+#endif /* BN_MUL_COMBA */
 #ifdef BN_RECURSION
-	else if ((al < BN_MULL_SIZE_NORMAL) || (bl < BN_MULL_SIZE_NORMAL))
+	if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL))
 		{
-		if (bn_wexpand(rr,top) == NULL) return(0);
-		rr->top=top;
-		bn_mul_normal(rr->d,a->d,al,b->d,bl);
-		goto end;
-		}
-	else
-		{
-		i=(al-bl);
-		if ((i ==  1) && !BN_get_flags(b,BN_FLG_STATIC_DATA))
+		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
 			{
 			bn_wexpand(b,al);
 			b->d[bl]=0;
 			bl++;
-			goto symetric;
+			i--;
 			}
-		else if ((i ==  -1) && !BN_get_flags(a,BN_FLG_STATIC_DATA))
+		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
 			{
 			bn_wexpand(a,bl);
 			a->d[al]=0;
 			al++;
-			goto symetric;
+			i++;
+			}
+		if (i == 0)
+			{
+			/* symmetric and > 4 */
+			/* 16 or larger */
+			j=BN_num_bits_word((BN_ULONG)al);
+			j=1<<(j-1);
+			k=j+j;
+			t = BN_CTX_get(ctx);
+			if (al == j) /* exact multiple */
+				{
+				bn_wexpand(t,k*2);
+				bn_wexpand(rr,k*2);
+				bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
+				}
+			else
+				{
+				bn_wexpand(a,k);
+				bn_wexpand(b,k);
+				bn_wexpand(t,k*4);
+				bn_wexpand(rr,k*4);
+				for (i=a->top; i<k; i++)
+					a->d[i]=0;
+				for (i=b->top; i<k; i++)
+					b->d[i]=0;
+				bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
+				}
+			rr->top=top;
+			goto end;
 			}
 		}
-#endif
-
-	/* asymetric and >= 4 */ 
-	if (bn_wexpand(rr,top) == NULL) return(0);
+#endif /* BN_RECURSION */
+	if (bn_wexpand(rr,top) == NULL) goto err;
 	rr->top=top;
 	bn_mul_normal(rr->d,a->d,al,b->d,bl);
 
-#ifdef BN_RECURSION
-	if (0)
-		{
-symetric:
-		/* symetric and > 4 */
-		/* 16 or larger */
-		j=BN_num_bits_word((BN_ULONG)al);
-		j=1<<(j-1);
-		k=j+j;
-		t= &(ctx->bn[ctx->tos]);
-		if (al == j) /* exact multiple */
-			{
-			bn_wexpand(t,k*2);
-			bn_wexpand(rr,k*2);
-			bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
-			}
-		else
-			{
-			bn_wexpand(a,k);
-			bn_wexpand(b,k);
-			bn_wexpand(t,k*4);
-			bn_wexpand(rr,k*4);
-			for (i=a->top; i<k; i++)
-				a->d[i]=0;
-			for (i=b->top; i<k; i++)
-				b->d[i]=0;
-			bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
-			}
-		rr->top=top;
-		}
-#endif
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
 end:
 #endif
 	bn_fix_top(rr);
 	if (r != rr) BN_copy(r,rr);
-	return(1);
+	ret=1;
+err:
+	BN_CTX_end(ctx);
+	return(ret);
 	}
 
 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
@@ -701,7 +737,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 	BN_ULONG *rr;
 
 #ifdef BN_COUNT
-printf(" bn_mul_normal %d * %d\n",na,nb);
+	printf(" bn_mul_normal %d * %d\n",na,nb);
 #endif
 
 	if (na < nb)
@@ -735,7 +771,7 @@ printf(" bn_mul_normal %d * %d\n",na,nb);
 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 	{
 #ifdef BN_COUNT
-printf(" bn_mul_low_normal %d * %d\n",n,n);
+	printf(" bn_mul_low_normal %d * %d\n",n,n);
 #endif
 	bn_mul_words(r,a,n,b[0]);
 
@@ -753,4 +789,3 @@ printf(" bn_mul_low_normal %d * %d\n",n,n);
 		b+=4;
 		}
 	}
-
diff --git a/lib/libcrypto/bn/bn_opts.c b/lib/libcrypto/bn/bn_opts.c
index 381be529b2f..e69de29bb2d 100644
--- a/lib/libcrypto/bn/bn_opts.c
+++ b/lib/libcrypto/bn/bn_opts.c
@@ -1,324 +0,0 @@
-/* crypto/bn/expspeed.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* most of this code has been pilfered from my libdes speed.c program */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <string.h>
-#include <openssl/crypto.h>
-#include <openssl/tmdiff.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-
-#define DEFAULT_SIZE	512
-#define DEFAULT_TIME	3
-
-int verbose=1;
-
-typedef struct parms_st
-	{
-	char *name;
-	void (*func)();
-	BIGNUM r;
-	BIGNUM a;
-	BIGNUM b;
-	BIGNUM c;
-	BIGNUM low;
-	BN_CTX *ctx;
-	BN_MONT_CTX *mont;
-	int w;
-	} PARMS;
-
-void do_mul_exp(int num,PARMS *p);
-void do_mul(int num,PARMS *p);
-void do_sqr(int num,PARMS *p);
-void do_mul_low(int num,PARMS *p);
-void do_mul_high(int num,PARMS *p);
-void do_from_montgomery(int num,PARMS *p);
-int time_it(int sec, PARMS *p);
-void do_it(int sec, PARMS *p);
-
-#define P_EXP	1
-#define P_MUL	2
-#define P_SQR	3
-#define P_MULL	4
-#define P_MULH	5
-#define P_MRED	6
-
-int main(int argc, char **argv)
-	{
-	PARMS p;
-	BN_MONT_CTX *mont;
-	int size=0,num;
-	char *name;
-	int type=P_EXP;
-
-	mont=BN_MONT_CTX_new();
-	p.mont=NULL;
-	p.ctx=BN_CTX_new();
-	BN_init(&p.r);
-	BN_init(&p.a);
-	BN_init(&p.b);
-	BN_init(&p.c);
-	BN_init(&p.low);
-	p.w=0;
-
-	for (;;)
-		{
-		if (argc > 1)
-			{
-			if (argv[1][0] == '-')
-				{
-				switch(argv[1][1])
-					{
-				case 'e': type=P_EXP; break;
-				case 'm': type=P_MUL; break;
-				case 's': type=P_SQR; break;
-				case 'l': type=P_MULL; break;
-				case 'h': type=P_MULH; break;
-				case 'r': type=P_MRED; break;
-				default:
-					fprintf(stderr,"options: -[emslhr]\n");
-					exit(1);
-					}
-				}
-			else
-				{
-				size=atoi(argv[1]);
-				}
-			argc--;
-			argv++;
-			}
-		else
-			break;
-		}
-	if (size == 0)
-		size=DEFAULT_SIZE;
-
-	printf("bit size:%5d\n",size);
-
-	BN_rand(&p.a,size,1,0);
-	BN_rand(&p.b,size,1,0);
-	BN_rand(&p.c,size,1,1);
-	BN_mod(&p.a,&p.a,&p.c,p.ctx);
-	BN_mod(&p.b,&p.b,&p.c,p.ctx);
-	p.w=(p.a.top+1)/2;
-
-	BN_mul(&p.low,&p.a,&p.b,p.ctx);
-	p.low.top=p.a.top;
-	
-	switch(type)
-		{
-	case P_EXP:
-		p.name="r=a^b%c";
-		p.func=do_mul_exp;
-		p.mont=mont;
-		break;
-	case P_MUL:
-		p.name="r=a*b";
-		p.func=do_mul;
-		break;
-	case P_SQR:
-		p.name="r=a*a";
-		p.func=do_sqr;
-		break;
-	case P_MULL:
-		p.name="r=low(a*b)";
-		p.func=do_mul_low;
-		break;
-	case P_MULH:
-		p.name="r=high(a*b)";
-		p.func=do_mul_high;
-		break;
-	case P_MRED:
-		p.name="r=montgomery_reduction(a)";
-		p.func=do_from_montgomery;
-		p.mont=mont;
-		break;
-	default:
-		fprintf(stderr,"options: -[emslhr]\n");
-		exit(1);
-		}
-
-	num=time_it(DEFAULT_TIME,&p);
-	do_it(num,&p);
-	}
-
-void do_it(int num, PARMS *p)
-	{
-	char *start,*end;
-	int i,j,number;
-	double d;
-
-	start=ms_time_new();
-	end=ms_time_new();
-
-	number=BN_num_bits_word((BN_ULONG)BN_num_bits(&(p->c)))-
-		BN_num_bits_word(BN_BITS2)+2;
-	for (i=number-1; i >=0; i--)
-		{
-		if (i == 1) continue;
-		BN_set_params(i,i,i,1);
-		if (p->mont != NULL)
-			BN_MONT_CTX_set(p->mont,&(p->c),p->ctx);
-
-		printf("Timing %5d (%2d bit) %2d %2d %2d %2d :",
-			(1<<i)*BN_BITS2,i,
-				BN_get_params(0),
-				BN_get_params(1),
-				BN_get_params(2),
-				BN_get_params(3));
-		fflush(stdout);
-
-		ms_time_get(start);
-		p->func(num,p);
-		ms_time_get(end);
-		d=ms_time_diff(start,end);
-		printf("%6.6f sec, or %d in %.4f seconds\n",
-			(double)d/num,num,d);
-		}
-	}
-
-int time_it(int sec, PARMS *p)
-	{
-	char *start,*end;
-	int i,j;
-	double d;
-
-	if (p->mont != NULL)
-		BN_MONT_CTX_set(p->mont,&(p->c),p->ctx);
-
-	start=ms_time_new();
-	end=ms_time_new();
-
-	i=1;
-	for (;;)
-		{
-		if (verbose)
-			printf("timing %s for %d interations\n",p->name,i);
-
-		ms_time_get(start);
-		p->func(i,p);
-		ms_time_get(end);
-		d=ms_time_diff(start,end);
-
-		if 	(d < 0.01) i*=100;
-		else if (d < 0.1 ) i*=10;
-		else if (d > (double)sec) break;
-		else
-			{
-			i=(int)(1.0*i*sec/d);
-			break;
-			}
-		}
-	if (verbose)
-		printf("using %d interations\n",i);
-	return(i);
-	}
-
-void do_mul_exp(int num, PARMS *p)
-	{
-	int i;
-
-	for (i=0; i<num; i++)
-		BN_mod_exp_mont(&(p->r),&(p->a),&(p->b),&(p->c),
-			p->ctx,p->mont);
-	}
-
-void do_mul(int num, PARMS *p)
-	{
-	int i;
-
-	for (i=0; i<num; i++)
-		BN_mul(&(p->r),&(p->a),&(p->b),p->ctx);
-	}
-
-void do_sqr(int num, PARMS *p)
-	{
-	int i;
-
-	for (i=0; i<num; i++)
-			BN_sqr(&(p->r),&(p->a),p->ctx);
-	}
-
-void do_mul_low(int num, PARMS *p)
-	{
-	int i;
-	
-	for (i=0; i<num; i++)
-		BN_mul_low(&(p->r),&(p->a),&(p->b),p->w,p->ctx);
-	}
-
-void do_mul_high(int num, PARMS *p)
-	{
-	int i;
-
-	for (i=0; i<num; i++)
-		BN_mul_low(&(p->r),&(p->a),&(p->b),&(p->low),p->w,p->ctx);
-	}
-
-void do_from_montgomery(int num, PARMS *p)
-	{
-	int i;
-	
-	for (i=0; i<num; i++)
-		BN_from_montgomery(&(p->r),&(p->a),p->mont,p->ctx);
-	}
-
diff --git a/lib/libcrypto/bn/bn_prime.c b/lib/libcrypto/bn/bn_prime.c
index 6fa0f9be1ee..a5f01b92eb2 100644
--- a/lib/libcrypto/bn/bn_prime.c
+++ b/lib/libcrypto/bn/bn_prime.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <time.h>
@@ -62,26 +115,29 @@
 #include "bn_lcl.h"
 #include <openssl/rand.h>
 
-/* The quick seive algorithm approach to weeding out primes is
+/* The quick sieve algorithm approach to weeding out primes is
  * Philip Zimmermann's, as implemented in PGP.  I have had a read of
  * his comments and implemented my own version.
  */
 #include "bn_prime.h"
 
-static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx,BN_CTX *ctx2,
-	BN_MONT_CTX *mont);
+static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
+	const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont);
 static int probable_prime(BIGNUM *rnd, int bits);
 static int probable_prime_dh(BIGNUM *rnd, int bits,
 	BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
-static int probable_prime_dh_strong(BIGNUM *rnd, int bits,
+static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
 	BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
-BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int strong, BIGNUM *add,
+
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
 	     BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg)
 	{
 	BIGNUM *rnd=NULL;
 	BIGNUM t;
+	int found=0;
 	int i,j,c1=0;
 	BN_CTX *ctx;
+	int checks = BN_prime_checks_for_size(bits);
 
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
@@ -100,9 +156,9 @@ loop:
 		}
 	else
 		{
-		if (strong)
+		if (safe)
 			{
-			if (!probable_prime_dh_strong(rnd,bits,add,rem,ctx))
+			if (!probable_prime_dh_safe(rnd,bits,add,rem,ctx))
 				 goto err;
 			}
 		else
@@ -114,160 +170,185 @@ loop:
 	/* if (BN_mod_word(rnd,(BN_ULONG)3) == 1) goto loop; */
 	if (callback != NULL) callback(0,c1++,cb_arg);
 
-	if (!strong)
+	if (!safe)
 		{
-		i=BN_is_prime(rnd,BN_prime_checks,callback,ctx,cb_arg);
+		i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0);
 		if (i == -1) goto err;
 		if (i == 0) goto loop;
 		}
 	else
 		{
-		/* for a strong prime generation,
+		/* for "safe prime" generation,
 		 * check that (p-1)/2 is prime.
 		 * Since a prime is odd, We just
 		 * need to divide by 2 */
 		if (!BN_rshift1(&t,rnd)) goto err;
 
-		for (i=0; i<BN_prime_checks; i++)
+		for (i=0; i<checks; i++)
 			{
-			j=BN_is_prime(rnd,1,callback,ctx,cb_arg);
+			j=BN_is_prime_fasttest(rnd,1,callback,ctx,cb_arg,0);
 			if (j == -1) goto err;
 			if (j == 0) goto loop;
 
-			j=BN_is_prime(&t,1,callback,ctx,cb_arg);
+			j=BN_is_prime_fasttest(&t,1,callback,ctx,cb_arg,0);
 			if (j == -1) goto err;
 			if (j == 0) goto loop;
 
 			if (callback != NULL) callback(2,c1-1,cb_arg);
-			/* We have a strong prime test pass */
+			/* We have a safe prime test pass */
 			}
 		}
 	/* we have a prime :-) */
-	ret=rnd;
+	found = 1;
 err:
-	if ((ret == NULL) && (rnd != NULL)) BN_free(rnd);
+	if (!found && (ret == NULL) && (rnd != NULL)) BN_free(rnd);
 	BN_free(&t);
 	if (ctx != NULL) BN_CTX_free(ctx);
-	return(ret);
+	return(found ? rnd : NULL);
 	}
 
-int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *),
-	     BN_CTX *ctx_passed, void *cb_arg)
+int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int,int,void *),
+	BN_CTX *ctx_passed, void *cb_arg)
 	{
-	int i,j,c2=0,ret= -1;
-	BIGNUM *check;
-	BN_CTX *ctx=NULL,*ctx2=NULL;
-	BN_MONT_CTX *mont=NULL;
+	return BN_is_prime_fasttest(a, checks, callback, ctx_passed, cb_arg, 0);
+	}
 
+int BN_is_prime_fasttest(const BIGNUM *a, int checks,
+		void (*callback)(int,int,void *),
+		BN_CTX *ctx_passed, void *cb_arg,
+		int do_trial_division)
+	{
+	int i, j, ret = -1;
+	int k;
+	BN_CTX *ctx = NULL;
+	BIGNUM *A1, *A1_odd, *check; /* taken from ctx */
+	BN_MONT_CTX *mont = NULL;
+	const BIGNUM *A = NULL;
+
+	if (checks == BN_prime_checks)
+		checks = BN_prime_checks_for_size(BN_num_bits(a));
+
+	/* first look for small factors */
 	if (!BN_is_odd(a))
 		return(0);
+	if (do_trial_division)
+		{
+		for (i = 1; i < NUMPRIMES; i++)
+			if (BN_mod_word(a, primes[i]) == 0) 
+				return 0;
+		if (callback != NULL) callback(1, -1, cb_arg);
+		}
+
 	if (ctx_passed != NULL)
-		ctx=ctx_passed;
+		ctx = ctx_passed;
 	else
-		if ((ctx=BN_CTX_new()) == NULL) goto err;
-
-	if ((ctx2=BN_CTX_new()) == NULL) goto err;
-	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
-
-	check= &(ctx->bn[ctx->tos++]);
+		if ((ctx=BN_CTX_new()) == NULL)
+			goto err;
+	BN_CTX_start(ctx);
 
-	/* Setup the montgomery structure */
-	if (!BN_MONT_CTX_set(mont,a,ctx2)) goto err;
+	/* A := abs(a) */
+	if (a->neg)
+		{
+		BIGNUM *t;
+		if ((t = BN_CTX_get(ctx)) == NULL) goto err;
+		BN_copy(t, a);
+		t->neg = 0;
+		A = t;
+		}
+	else
+		A = a;
+	A1 = BN_CTX_get(ctx);
+	A1_odd = BN_CTX_get(ctx);
+	check = BN_CTX_get(ctx);
+	if (check == NULL) goto err;
+
+	/* compute A1 := A - 1 */
+	if (!BN_copy(A1, A))
+		goto err;
+	if (!BN_sub_word(A1, 1))
+		goto err;
+	if (BN_is_zero(A1))
+		{
+		ret = 0;
+		goto err;
+		}
 
-	for (i=0; i<checks; i++)
+	/* write  A1  as  A1_odd * 2^k */
+	k = 1;
+	while (!BN_is_bit_set(A1, k))
+		k++;
+	if (!BN_rshift(A1_odd, A1, k))
+		goto err;
+
+	/* Montgomery setup for computations mod A */
+	mont = BN_MONT_CTX_new();
+	if (mont == NULL)
+		goto err;
+	if (!BN_MONT_CTX_set(mont, A, ctx))
+		goto err;
+	
+	for (i = 0; i < checks; i++)
 		{
-		if (!BN_rand(check,BN_num_bits(a)-1,0,0)) goto err;
-		j=witness(check,a,ctx,ctx2,mont);
+		if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
+			goto err;
+		if (BN_cmp(check, A1) >= 0)
+			if (!BN_sub(check, check, A1))
+				goto err;
+		if (!BN_add_word(check, 1))
+			goto err;
+		/* now 1 <= check < A */
+
+		j = witness(check, A, A1, A1_odd, k, ctx, mont);
 		if (j == -1) goto err;
 		if (j)
 			{
 			ret=0;
 			goto err;
 			}
-		if (callback != NULL) callback(1,c2++,cb_arg);
+		if (callback != NULL) callback(1,i,cb_arg);
 		}
 	ret=1;
 err:
-	ctx->tos--;
-	if ((ctx_passed == NULL) && (ctx != NULL))
-		BN_CTX_free(ctx);
-	if (ctx2 != NULL)
-		BN_CTX_free(ctx2);
-	if (mont != NULL) BN_MONT_CTX_free(mont);
-		
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		if (ctx_passed == NULL)
+			BN_CTX_free(ctx);
+		}
+	if (mont != NULL)
+		BN_MONT_CTX_free(mont);
+
 	return(ret);
 	}
 
-#define RECP_MUL_MOD
-
-static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx, BN_CTX *ctx2,
-	     BN_MONT_CTX *mont)
+static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
+	const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont)
 	{
-	int k,i,ret= -1,good;
-	BIGNUM *d,*dd,*tmp,*d1,*d2,*n1;
-	BIGNUM *mont_one,*mont_n1,*mont_a;
-
-	d1= &(ctx->bn[ctx->tos]);
-	d2= &(ctx->bn[ctx->tos+1]);
-	n1= &(ctx->bn[ctx->tos+2]);
-	ctx->tos+=3;
-
-	mont_one= &(ctx2->bn[ctx2->tos]);
-	mont_n1= &(ctx2->bn[ctx2->tos+1]);
-	mont_a= &(ctx2->bn[ctx2->tos+2]);
-	ctx2->tos+=3;
-
-	d=d1;
-	dd=d2;
-	if (!BN_one(d)) goto err;
-	if (!BN_sub(n1,n,d)) goto err; /* n1=n-1; */
-	k=BN_num_bits(n1);
-
-	if (!BN_to_montgomery(mont_one,BN_value_one(),mont,ctx2)) goto err;
-	if (!BN_to_montgomery(mont_n1,n1,mont,ctx2)) goto err;
-	if (!BN_to_montgomery(mont_a,a,mont,ctx2)) goto err;
-
-	BN_copy(d,mont_one);
-	for (i=k-1; i>=0; i--)
+	if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */
+		return -1;
+	if (BN_is_one(w))
+		return 0; /* probably prime */
+	if (BN_cmp(w, a1) == 0)
+		return 0; /* w == -1 (mod a),  'a' is probably prime */
+	while (--k)
 		{
-		if (	(BN_cmp(d,mont_one) != 0) &&
-			(BN_cmp(d,mont_n1) != 0))
-			good=1;
-		else
-			good=0;
-
-		BN_mod_mul_montgomery(dd,d,d,mont,ctx2);
-
-		if (good && (BN_cmp(dd,mont_one) == 0))
-			{
-			ret=1;
-			goto err;
-			}
-		if (BN_is_bit_set(n1,i))
-			{
-			BN_mod_mul_montgomery(d,dd,mont_a,mont,ctx2);
-			}
-		else
-			{
-			tmp=d;
-			d=dd;
-			dd=tmp;
-			}
+		if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */
+			return -1;
+		if (BN_is_one(w))
+			return 1; /* 'a' is composite, otherwise a previous 'w' would
+			           * have been == -1 (mod 'a') */
+		if (BN_cmp(w, a1) == 0)
+			return 0; /* w == -1 (mod a), 'a' is probably prime */
 		}
-	if (BN_cmp(d,mont_one) == 0)
-		i=0;
-	else	i=1;
-	ret=i;
-err:
-	ctx->tos-=3;
-	ctx2->tos-=3;
-	return(ret);
+	/* If we get here, 'w' is the (a-1)/2-th power of the original 'w',
+	 * and it is neither -1 nor +1 -- so 'a' cannot be prime */
+	return 1;
 	}
 
 static int probable_prime(BIGNUM *rnd, int bits)
 	{
 	int i;
-	MS_STATIC BN_ULONG mods[NUMPRIMES];
+	BN_ULONG mods[NUMPRIMES];
 	BN_ULONG delta,d;
 
 again:
@@ -285,7 +366,7 @@ again:
 			d=delta;
 			delta+=2;
 			/* perhaps need to check for overflow of
-			 * delta (but delta can be upto 2^32)
+			 * delta (but delta can be up to 2^32)
 			 * 21-May-98 eay - added overflow check */
 			if (delta < d) goto again;
 			goto loop;
@@ -301,7 +382,8 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem,
 	int i,ret=0;
 	BIGNUM *t1;
 
-	t1= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	if ((t1 = BN_CTX_get(ctx)) == NULL) goto err;
 
 	if (!BN_rand(rnd,bits,0,1)) goto err;
 
@@ -327,20 +409,22 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem,
 		}
 	ret=1;
 err:
-	ctx->tos--;
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
-static int probable_prime_dh_strong(BIGNUM *p, int bits, BIGNUM *padd,
+static int probable_prime_dh_safe(BIGNUM *p, int bits, BIGNUM *padd,
 	     BIGNUM *rem, BN_CTX *ctx)
 	{
 	int i,ret=0;
-	BIGNUM *t1,*qadd=NULL,*q=NULL;
+	BIGNUM *t1,*qadd,*q;
 
 	bits--;
-	t1= &(ctx->bn[ctx->tos++]);
-	q= &(ctx->bn[ctx->tos++]);
-	qadd= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	q = BN_CTX_get(ctx);
+	qadd = BN_CTX_get(ctx);
+	if (qadd == NULL) goto err;
 
 	if (!BN_rshift1(qadd,padd)) goto err;
 		
@@ -376,72 +460,6 @@ static int probable_prime_dh_strong(BIGNUM *p, int bits, BIGNUM *padd,
 		}
 	ret=1;
 err:
-	ctx->tos-=3;
-	return(ret);
-	}
-
-#if 0
-static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx)
-	{
-	int k,i,nb,ret= -1;
-	BIGNUM *d,*dd,*tmp;
-	BIGNUM *d1,*d2,*x,*n1,*inv;
-
-	d1= &(ctx->bn[ctx->tos]);
-	d2= &(ctx->bn[ctx->tos+1]);
-	x=  &(ctx->bn[ctx->tos+2]);
-	n1= &(ctx->bn[ctx->tos+3]);
-	inv=&(ctx->bn[ctx->tos+4]);
-	ctx->tos+=5;
-
-	d=d1;
-	dd=d2;
-	if (!BN_one(d)) goto err;
-	if (!BN_sub(n1,n,d)) goto err; /* n1=n-1; */
-	k=BN_num_bits(n1);
-
-	/* i=BN_num_bits(n); */
-#ifdef RECP_MUL_MOD
-	nb=BN_reciprocal(inv,n,ctx); /**/
-	if (nb == -1) goto err;
-#endif
-
-	for (i=k-1; i>=0; i--)
-		{
-		if (BN_copy(x,d) == NULL) goto err;
-#ifndef RECP_MUL_MOD
-		if (!BN_mod_mul(dd,d,d,n,ctx)) goto err;
-#else
-		if (!BN_mod_mul_reciprocal(dd,d,d,n,inv,nb,ctx)) goto err;
-#endif
-		if (	BN_is_one(dd) &&
-			!BN_is_one(x) &&
-			(BN_cmp(x,n1) != 0))
-			{
-			ret=1;
-			goto err;
-			}
-		if (BN_is_bit_set(n1,i))
-			{
-#ifndef RECP_MUL_MOD
-			if (!BN_mod_mul(d,dd,a,n,ctx)) goto err;
-#else
-			if (!BN_mod_mul_reciprocal(d,dd,a,n,inv,nb,ctx)) goto err; 
-#endif
-			}
-		else
-			{
-			tmp=d;
-			d=dd;
-			dd=tmp;
-			}
-		}
-	if (BN_is_one(d))
-		i=0;
-	else	i=1;
-	ret=i;
-err:
-	ctx->tos-=5;
+	BN_CTX_end(ctx);
 	return(ret);
 	}
-#endif
diff --git a/lib/libcrypto/bn/bn_prime.h b/lib/libcrypto/bn/bn_prime.h
index 6fce0210cdd..b7cf9a9bfe1 100644
--- a/lib/libcrypto/bn/bn_prime.h
+++ b/lib/libcrypto/bn/bn_prime.h
@@ -1,4 +1,4 @@
-/* crypto/bn/bn_prime.h */
+/* Auto generated by bn_prime.pl */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,7 +61,7 @@
 #else
 #define NUMPRIMES 54
 #endif
-static unsigned int primes[NUMPRIMES]=
+static const unsigned int primes[NUMPRIMES]=
 	{
 	   2,   3,   5,   7,  11,  13,  17,  19,
 	  23,  29,  31,  37,  41,  43,  47,  53,
diff --git a/lib/libcrypto/bn/bn_prime.pl b/lib/libcrypto/bn/bn_prime.pl
index 979385a3343..9fc37654865 100644
--- a/lib/libcrypto/bn/bn_prime.pl
+++ b/lib/libcrypto/bn/bn_prime.pl
@@ -18,13 +18,74 @@ loop: while ($#primes < $num-1)
 	push(@primes,$p);
 	}
 
-print <<"EOF";
+# print <<"EOF";
+# /* Auto generated by bn_prime.pl */
+# /* Copyright (C) 1995-1997 Eric Young (eay\@mincom.oz.au).
+#  * All rights reserved.
+#  * Copyright remains Eric Young's, and as such any Copyright notices in
+#  * the code are not to be removed.
+#  * See the COPYRIGHT file in the SSLeay distribution for more details.
+#  */
+# 
+# EOF
+
+print <<\EOF;
 /* Auto generated by bn_prime.pl */
-/* Copyright (C) 1995-1997 Eric Young (eay\@mincom.oz.au).
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
- * See the COPYRIGHT file in the SSLeay distribution for more details.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 EOF
@@ -43,7 +104,7 @@ printf "#define NUMPRIMES %d\n",$num;
 printf "#else\n";
 printf "#define NUMPRIMES %d\n",$eight;
 printf "#endif\n";
-print "static unsigned int primes[NUMPRIMES]=\n\t{\n\t";
+print "static const unsigned int primes[NUMPRIMES]=\n\t{\n\t";
 $init=0;
 for ($i=0; $i <= $#primes; $i++)
 	{
diff --git a/lib/libcrypto/bn/bn_print.c b/lib/libcrypto/bn/bn_print.c
index 2f5ab2617bd..782a96e7e0a 100644
--- a/lib/libcrypto/bn/bn_print.c
+++ b/lib/libcrypto/bn/bn_print.c
@@ -137,7 +137,7 @@ char *BN_bn2dec(const BIGNUM *a)
 			}
 		lp--;
 		/* We now have a series of blocks, BN_DEC_NUM chars
-		 * in length, where the last one needs trucation.
+		 * in length, where the last one needs truncation.
 		 * The blocks need to be reversed in order. */
 		sprintf(p,BN_DEC_FMT1,*lp);
 		while (*p) p++;
@@ -171,7 +171,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
 	num=i+neg;
 	if (bn == NULL) return(num);
 
-	/* a is the start of the hex digets, and it is 'i' long */
+	/* a is the start of the hex digits, and it is 'i' long */
 	if (*bn == NULL)
 		{
 		if ((ret=BN_new()) == NULL) return(0);
@@ -185,7 +185,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
 	/* i is the number of hex digests; */
 	if (bn_expand(ret,i*4) == NULL) goto err;
 
-	j=i; /* least significate 'hex' */
+	j=i; /* least significant 'hex' */
 	m=0;
 	h=0;
 	while (j > 0)
@@ -236,8 +236,8 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
 	num=i+neg;
 	if (bn == NULL) return(num);
 
-	/* a is the start of the digets, and it is 'i' long.
-	 * We chop it into BN_DEC_NUM digets at a time */
+	/* a is the start of the digits, and it is 'i' long.
+	 * We chop it into BN_DEC_NUM digits at a time */
 	if (*bn == NULL)
 		{
 		if ((ret=BN_new()) == NULL) return(0);
@@ -278,9 +278,8 @@ err:
 	}
 
 #ifndef NO_BIO
-
 #ifndef NO_FP_API
-int BN_print_fp(FILE *fp, BIGNUM *a)
+int BN_print_fp(FILE *fp, const BIGNUM *a)
 	{
 	BIO *b;
 	int ret;
@@ -319,5 +318,15 @@ int BN_print(BIO *bp, const BIGNUM *a)
 end:
 	return(ret);
 	}
+#endif
 
+#ifdef BN_DEBUG
+void bn_dump1(FILE *o, const char *a, BN_ULONG *b,int n)
+	{
+	int i;
+	fprintf(o, "%s=", a);
+	for (i=n-1;i>=0;i--)
+		fprintf(o, "%08lX", b[i]); /* assumes 32-bit BN_ULONG */
+	fprintf(o, "\n");
+	}
 #endif
diff --git a/lib/libcrypto/bn/bn_rand.c b/lib/libcrypto/bn/bn_rand.c
index 91b8e34ae65..943712c15b8 100644
--- a/lib/libcrypto/bn/bn_rand.c
+++ b/lib/libcrypto/bn/bn_rand.c
@@ -62,7 +62,7 @@
 #include "bn_lcl.h"
 #include <openssl/rand.h>
 
-int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 	{
 	unsigned char *buf=NULL;
 	int ret=0,bit,bytes,mask;
@@ -81,9 +81,19 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
 
 	/* make a random number and set the top and bottom bits */
 	time(&tim);
-	RAND_seed(&tim,sizeof(tim));
+	RAND_add(&tim,sizeof(tim),0);
+
+	if (pseudorand)
+		{
+		if (RAND_pseudo_bytes(buf, bytes) == -1)
+			goto err;
+		}
+	else
+		{
+		if (RAND_bytes(buf, bytes) <= 0)
+			goto err;
+		}
 
-	RAND_bytes(buf,(int)bytes);
 	if (top)
 		{
 		if (bit == 0)
@@ -115,3 +125,12 @@ err:
 	return(ret);
 	}
 
+int     BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(0, rnd, bits, top, bottom);
+	}
+
+int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(1, rnd, bits, top, bottom);
+	}
diff --git a/lib/libcrypto/bn/bn_recp.c b/lib/libcrypto/bn/bn_recp.c
index c1b0e230ea2..a8796bd0aac 100644
--- a/lib/libcrypto/bn/bn_recp.c
+++ b/lib/libcrypto/bn/bn_recp.c
@@ -106,7 +106,8 @@ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BN_RECP_CTX *recp,
 	int ret=0;
 	BIGNUM *a;
 
-	a= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	if ((a = BN_CTX_get(ctx)) == NULL) goto err;
 	if (y != NULL)
 		{
 		if (x == y)
@@ -120,33 +121,34 @@ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BN_RECP_CTX *recp,
 	BN_div_recp(NULL,r,a,recp,ctx);
 	ret=1;
 err:
-	ctx->tos--;
+	BN_CTX_end(ctx);
 	return(ret);
 	}
 
 int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
 	     BN_CTX *ctx)
 	{
-	int i,j,tos,ret=0,ex;
+	int i,j,ret=0;
 	BIGNUM *a,*b,*d,*r;
 
-	tos=ctx->tos;
-	a= &(ctx->bn[ctx->tos++]);
-	b= &(ctx->bn[ctx->tos++]);
+	BN_CTX_start(ctx);
+	a=BN_CTX_get(ctx);
+	b=BN_CTX_get(ctx);
 	if (dv != NULL)
 		d=dv;
 	else
-		d= &(ctx->bn[ctx->tos++]);
+		d=BN_CTX_get(ctx);
 	if (rem != NULL)
 		r=rem;
 	else
-		r= &(ctx->bn[ctx->tos++]);
+		r=BN_CTX_get(ctx);
+	if (a == NULL || b == NULL || d == NULL || r == NULL) goto err;
 
 	if (BN_ucmp(m,&(recp->N)) < 0)
 		{
 		BN_zero(d);
 		BN_copy(r,m);
-		ctx->tos=tos;
+		BN_CTX_end(ctx);
 		return(1);
 		}
 
@@ -157,33 +159,24 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
 	 */
 	i=BN_num_bits(m);
 
-	j=recp->num_bits*2;
-	if (j > i)
-		{
-		i=j;
-		ex=0;
-		}
-	else
-		{
-		ex=(i-j)/2;
-		}
-
-	j=i/2;
+	j=recp->num_bits<<1;
+	if (j>i) i=j;
+	j>>=1;
 
 	if (i != recp->shift)
 		recp->shift=BN_reciprocal(&(recp->Nr),&(recp->N),
 			i,ctx);
 
-	if (!BN_rshift(a,m,j-ex)) goto err;
+	if (!BN_rshift(a,m,j)) goto err;
 	if (!BN_mul(b,a,&(recp->Nr),ctx)) goto err;
-	if (!BN_rshift(d,b,j+ex)) goto err;
+	if (!BN_rshift(d,b,i-j)) goto err;
 	d->neg=0;
 	if (!BN_mul(b,&(recp->N),d,ctx)) goto err;
 	if (!BN_usub(r,m,b)) goto err;
 	r->neg=0;
 
-	j=0;
 #if 1
+	j=0;
 	while (BN_ucmp(r,&(recp->N)) >= 0)
 		{
 		if (j++ > 2)
@@ -200,7 +193,7 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
 	d->neg=m->neg^recp->N.neg;
 	ret=1;
 err:
-	ctx->tos=tos;
+	BN_CTX_end(ctx);
 	return(ret);
 	} 
 
diff --git a/lib/libcrypto/bn/bn_sqr.c b/lib/libcrypto/bn/bn_sqr.c
index 12cce4d7ce2..fe00c5f69a0 100644
--- a/lib/libcrypto/bn/bn_sqr.c
+++ b/lib/libcrypto/bn/bn_sqr.c
@@ -65,14 +65,13 @@
 int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx)
 	{
 	int max,al;
+	int ret = 0;
 	BIGNUM *tmp,*rr;
 
 #ifdef BN_COUNT
 printf("BN_sqr %d * %d\n",a->top,a->top);
 #endif
 	bn_check_top(a);
-	tmp= &(ctx->bn[ctx->tos]);
-	rr=(a != r)?r: (&ctx->bn[ctx->tos+1]);
 
 	al=a->top;
 	if (al <= 0)
@@ -81,8 +80,13 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
 		return(1);
 		}
 
+	BN_CTX_start(ctx);
+	rr=(a != r) ? r : BN_CTX_get(ctx);
+	tmp=BN_CTX_get(ctx);
+	if (tmp == NULL) goto err;
+
 	max=(al+al);
-	if (bn_wexpand(rr,max+1) == NULL) return(0);
+	if (bn_wexpand(rr,max+1) == NULL) goto err;
 
 	r->neg=0;
 	if (al == 4)
@@ -120,18 +124,18 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
 			k=j+j;
 			if (al == j)
 				{
-				if (bn_wexpand(a,k*2) == NULL) return(0);
-				if (bn_wexpand(tmp,k*2) == NULL) return(0);
+				if (bn_wexpand(a,k*2) == NULL) goto err;
+				if (bn_wexpand(tmp,k*2) == NULL) goto err;
 				bn_sqr_recursive(rr->d,a->d,al,tmp->d);
 				}
 			else
 				{
-				if (bn_wexpand(tmp,max) == NULL) return(0);
+				if (bn_wexpand(tmp,max) == NULL) goto err;
 				bn_sqr_normal(rr->d,a->d,al,tmp->d);
 				}
 			}
 #else
-		if (bn_wexpand(tmp,max) == NULL) return(0);
+		if (bn_wexpand(tmp,max) == NULL) goto err;
 		bn_sqr_normal(rr->d,a->d,al,tmp->d);
 #endif
 		}
@@ -139,7 +143,10 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
 	rr->top=max;
 	if ((max > 0) && (rr->d[max-1] == 0)) rr->top--;
 	if (rr != r) BN_copy(r,rr);
-	return(1);
+	ret = 1;
+ err:
+	BN_CTX_end(ctx);
+	return(ret);
 	}
 
 /* tmp must have 2*n words */
@@ -185,7 +192,7 @@ void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp)
  * n must be a power of 2.
  * We multiply and return the result.
  * t must be 2*n words in size
- * We calulate
+ * We calculate
  * a[0]*b[0]
  * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
  * a[1]*b[1]
diff --git a/lib/libcrypto/bn/bn_word.c b/lib/libcrypto/bn/bn_word.c
index c0cfbc67970..73157a7d43f 100644
--- a/lib/libcrypto/bn/bn_word.c
+++ b/lib/libcrypto/bn/bn_word.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-BN_ULONG BN_mod_word(BIGNUM *a, BN_ULONG w)
+BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w)
 	{
 #ifndef BN_LLONG
 	BN_ULONG ret=0;
diff --git a/lib/libcrypto/bn/bnspeed.c b/lib/libcrypto/bn/bnspeed.c
index 0922aa3e168..20fc7e08ff8 100644
--- a/lib/libcrypto/bn/bnspeed.c
+++ b/lib/libcrypto/bn/bnspeed.c
@@ -1,3 +1,5 @@
+/* unused */
+
 /* crypto/bn/bnspeed.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
diff --git a/lib/libcrypto/bn/bntest.c b/lib/libcrypto/bn/bntest.c
index df4b81f5b2f..41c22f5954d 100644
--- a/lib/libcrypto/bn/bntest.c
+++ b/lib/libcrypto/bn/bntest.c
@@ -72,6 +72,10 @@
 #include "../bio/bss_file.c"
 #endif
 
+const int num0 = 100; /* number of tests */
+const int num1 = 50;  /* additional tests for some functions */
+const int num2 = 5;   /* number of tests for slow functions */
+
 int test_add(BIO *bp);
 int test_sub(BIO *bp);
 int test_lshift1(BIO *bp);
@@ -95,15 +99,33 @@ static int results=0;
 #include "bss_file.c"
 #endif
 
-static unsigned char lst1[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
+static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
 
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+static void message(BIO *out, char *m)
+	{
+	fprintf(stderr, "test %s\n", m);
+#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */
+	BIO_puts(out, "print \"test ");
+	BIO_puts(out, m);
+	BIO_puts(out, "\\n\"\n");
+#endif
+	}
+
 int main(int argc, char *argv[])
 	{
 	BN_CTX *ctx;
 	BIO *out;
 	char *outfile=NULL;
 
+	results = 0;
+
+	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
+	                                       * even check its return value
+	                                       * (which we should) */
+
 	argc--;
 	argv++;
 	while (argc >= 1)
@@ -141,78 +163,81 @@ int main(int argc, char *argv[])
 	if (!results)
 		BIO_puts(out,"obase=16\nibase=16\n");
 
-	fprintf(stderr,"test BN_add\n");
+	message(out,"BN_add");
 	if (!test_add(out)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_sub\n");
+	message(out,"BN_sub");
 	if (!test_sub(out)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_lshift1\n");
+	message(out,"BN_lshift1");
 	if (!test_lshift1(out)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_lshift (fixed)\n");
-	if (!test_lshift(out,ctx,BN_bin2bn(lst1,sizeof(lst1)-1,NULL)))
+	message(out,"BN_lshift (fixed)");
+	if (!test_lshift(out,ctx,BN_bin2bn(lst,sizeof(lst)-1,NULL)))
 	    goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_lshift\n");
+	message(out,"BN_lshift");
 	if (!test_lshift(out,ctx,NULL)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_rshift1\n");
+	message(out,"BN_rshift1");
 	if (!test_rshift1(out)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_rshift\n");
+	message(out,"BN_rshift");
 	if (!test_rshift(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_sqr\n");
+	message(out,"BN_sqr");
 	if (!test_sqr(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_mul\n");
+	message(out,"BN_mul");
 	if (!test_mul(out)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_div\n");
+	message(out,"BN_div");
 	if (!test_div(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_div_recp\n");
+	message(out,"BN_div_recp");
 	if (!test_div_recp(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_mod\n");
+	message(out,"BN_mod");
 	if (!test_mod(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_mod_mul\n");
+	message(out,"BN_mod_mul");
 	if (!test_mod_mul(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-/*
-	fprintf(stderr,"test BN_mont\n");
+	message(out,"BN_mont");
 	if (!test_mont(out,ctx)) goto err;
-	fflush(stdout);
-*/
-	fprintf(stderr,"test BN_mod_exp\n");
+	BIO_flush(out);
+
+	message(out,"BN_mod_exp");
 	if (!test_mod_exp(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
 
-	fprintf(stderr,"test BN_exp\n");
+	message(out,"BN_exp");
 	if (!test_exp(out,ctx)) goto err;
-	fflush(stdout);
+	BIO_flush(out);
+
+	BN_CTX_free(ctx);
+	BIO_free(out);
 
 /**/
 	exit(0);
 err:
 	BIO_puts(out,"1\n"); /* make sure bc fails if we are piping to it */
+	BIO_flush(out);
 	ERR_load_crypto_strings();
-	ERR_print_errors(out);
+	ERR_print_errors_fp(stderr);
 	exit(1);
 	return(1);
 	}
@@ -228,7 +253,7 @@ int test_add(BIO *bp)
 	BN_init(&c);
 
 	BN_rand(&a,512,0,0);
-	for (i=0; i<100; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_rand(&b,450+i,0,0);
 		a.neg=rand_neg();
@@ -255,7 +280,7 @@ int test_add(BIO *bp)
 		BN_add(&c,&c,&a);
 		if(!BN_is_zero(&c))
 		    {
-		    BIO_puts(bp,"Add test failed!\n");
+		    fprintf(stderr,"Add test failed!\n");
 		    return 0;
 		    }
 		}
@@ -275,12 +300,21 @@ int test_sub(BIO *bp)
 	BN_init(&b);
 	BN_init(&c);
 
-	BN_rand(&a,512,0,0);
-	for (i=0; i<100; i++)
+	for (i=0; i<num0+num1; i++)
 		{
-		BN_rand(&b,400+i,0,0);
-		a.neg=rand_neg();
-		b.neg=rand_neg();
+		if (i < num1)
+			{
+			BN_rand(&a,512,0,0);
+			BN_copy(&b,&a);
+			if (BN_set_bit(&a,i)==0) return(0);
+			BN_add_word(&b,i);
+			}
+		else
+			{
+			BN_rand(&b,400+i-num1,0,0);
+			a.neg=rand_neg();
+			b.neg=rand_neg();
+			}
 		if (bp == NULL)
 			for (j=0; j<10000; j++)
 				BN_sub(&c,&a,&b);
@@ -301,7 +335,7 @@ int test_sub(BIO *bp)
 		BN_sub(&c,&c,&a);
 		if(!BN_is_zero(&c))
 		    {
-		    BIO_puts(bp,"Subtract test failed!\n");
+		    fprintf(stderr,"Subtract test failed!\n");
 		    return 0;
 		    }
 		}
@@ -323,10 +357,17 @@ int test_div(BIO *bp, BN_CTX *ctx)
 	BN_init(&d);
 	BN_init(&e);
 
-	BN_rand(&a,400,0,0);
-	for (i=0; i<100; i++)
+	for (i=0; i<num0+num1; i++)
 		{
-		BN_rand(&b,50+i,0,0);
+		if (i < num1)
+			{
+			BN_rand(&a,400,0,0);
+			BN_copy(&b,&a);
+			BN_lshift(&a,&a,i);
+			BN_add_word(&a,i);
+			}
+		else
+			BN_rand(&b,50+3*(i-num1),0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		if (bp == NULL)
@@ -360,7 +401,7 @@ int test_div(BIO *bp, BN_CTX *ctx)
 		BN_sub(&d,&d,&a);
 		if(!BN_is_zero(&d))
 		    {
-		    BIO_puts(bp,"Division test failed!\n");
+		    fprintf(stderr,"Division test failed!\n");
 		    return 0;
 		    }
 		}
@@ -386,10 +427,17 @@ int test_div_recp(BIO *bp, BN_CTX *ctx)
 	BN_init(&d);
 	BN_init(&e);
 
-	BN_rand(&a,400,0,0);
-	for (i=0; i<100; i++)
+	for (i=0; i<num0+num1; i++)
 		{
-		BN_rand(&b,50+i,0,0);
+		if (i < num1)
+			{
+			BN_rand(&a,400,0,0);
+			BN_copy(&b,&a);
+			BN_lshift(&a,&a,i);
+			BN_add_word(&a,i);
+			}
+		else
+			BN_rand(&b,50+3*(i-num1),0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		BN_RECP_CTX_set(&recp,&b,ctx);
@@ -424,7 +472,12 @@ int test_div_recp(BIO *bp, BN_CTX *ctx)
 		BN_sub(&d,&d,&a);
 		if(!BN_is_zero(&d))
 		    {
-		    BIO_puts(bp,"Reciprocal division test failed!\n");
+		    fprintf(stderr,"Reciprocal division test failed!\n");
+		    fprintf(stderr,"a=");
+		    BN_print_fp(stderr,&a);
+		    fprintf(stderr,"\nb=");
+		    BN_print_fp(stderr,&b);
+		    fprintf(stderr,"\n");
 		    return 0;
 		    }
 		}
@@ -451,11 +504,15 @@ int test_mul(BIO *bp)
 	BN_init(&d);
 	BN_init(&e);
 
-	BN_rand(&a,200,0,0);
-	for (i=0; i<100; i++)
+	for (i=0; i<num0+num1; i++)
 		{
-		BN_rand(&b,250+i,0,0);
-		BN_rand(&b,200,0,0);
+		if (i <= num1)
+			{
+			BN_rand(&a,100,0,0);
+			BN_rand(&b,100,0,0);
+			}
+		else
+			BN_rand(&b,i-num1,0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		if (bp == NULL)
@@ -478,7 +535,7 @@ int test_mul(BIO *bp)
 		BN_sub(&d,&d,&b);
 		if(!BN_is_zero(&d) || !BN_is_zero(&e))
 		    {
-		    BIO_puts(bp,"Multiplication test failed!\n");
+		    fprintf(stderr,"Multiplication test failed!\n");
 		    return 0;
 		    }
 		}
@@ -502,7 +559,7 @@ int test_sqr(BIO *bp, BN_CTX *ctx)
 	BN_init(&d);
 	BN_init(&e);
 
-	for (i=0; i<40; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_rand(&a,40+i*10,0,0);
 		a.neg=rand_neg();
@@ -526,7 +583,7 @@ int test_sqr(BIO *bp, BN_CTX *ctx)
 		BN_sub(&d,&d,&a);
 		if(!BN_is_zero(&d) || !BN_is_zero(&e))
 		    {
-		    BIO_puts(bp,"Square test failed!\n");
+		    fprintf(stderr,"Square test failed!\n");
 		    return 0;
 		    }
 		}
@@ -557,9 +614,13 @@ int test_mont(BIO *bp, BN_CTX *ctx)
 
 	BN_rand(&a,100,0,0); /**/
 	BN_rand(&b,100,0,0); /**/
-	for (i=0; i<10; i++)
+	for (i=0; i<num2; i++)
 		{
-		BN_rand(&n,(100%BN_BITS2+1)*BN_BITS2*i*BN_BITS2,0,1); /**/
+		int bits = (200*(i+1))/num2;
+
+		if (bits == 0)
+			continue;
+		BN_rand(&n,bits,0,1);
 		BN_MONT_CTX_set(mont,&n,ctx);
 
 		BN_to_montgomery(&A,&a,mont,ctx);
@@ -594,7 +655,7 @@ BN_num_bits(mont->N));
 		BN_sub(&d,&d,&A);
 		if(!BN_is_zero(&d))
 		    {
-		    BIO_puts(bp,"Montgomery multiplication test failed!\n");
+		    fprintf(stderr,"Montgomery multiplication test failed!\n");
 		    return 0;
 		    }
 		}
@@ -622,7 +683,7 @@ int test_mod(BIO *bp, BN_CTX *ctx)
 	e=BN_new();
 
 	BN_rand(a,1024,0,0); /**/
-	for (i=0; i<20; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_rand(b,450+i*10,0,0); /**/
 		a->neg=rand_neg();
@@ -647,7 +708,7 @@ int test_mod(BIO *bp, BN_CTX *ctx)
 		BN_sub(e,e,c);
 		if(!BN_is_zero(e))
 		    {
-		    BIO_puts(bp,"Modulo test failed!\n");
+		    fprintf(stderr,"Modulo test failed!\n");
 		    return 0;
 		    }
 		}
@@ -671,10 +732,10 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 	e=BN_new();
 
 	BN_rand(c,1024,0,0); /**/
-	for (i=0; i<10; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_rand(a,475+i*10,0,0); /**/
-		BN_rand(b,425+i*10,0,0); /**/
+		BN_rand(b,425+i*11,0,0); /**/
 		a->neg=rand_neg();
 		b->neg=rand_neg();
 	/*	if (bp == NULL)
@@ -709,7 +770,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 		BN_div(a,b,d,c,ctx);
 		if(!BN_is_zero(b))
 		    {
-		    BIO_puts(bp,"Modulo multiply test failed!\n");
+		    fprintf(stderr,"Modulo multiply test failed!\n");
 		    return 0;
 		    }
 		}
@@ -733,7 +794,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 	e=BN_new();
 
 	BN_rand(c,30,0,1); /* must be odd for montgomery */
-	for (i=0; i<6; i++)
+	for (i=0; i<num2; i++)
 		{
 		BN_rand(a,20+i*5,0,0); /**/
 		BN_rand(b,2+i,0,0); /**/
@@ -760,7 +821,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 		BN_div(a,b,e,c,ctx);
 		if(!BN_is_zero(b))
 		    {
-		    BIO_puts(bp,"Modulo exponentiation test failed!\n");
+		    fprintf(stderr,"Modulo exponentiation test failed!\n");
 		    return 0;
 		    }
 		}
@@ -784,7 +845,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
 	one=BN_new();
 	BN_one(one);
 
-	for (i=0; i<6; i++)
+	for (i=0; i<num2; i++)
 		{
 		BN_rand(a,20+i*5,0,0); /**/
 		BN_rand(b,2+i,0,0); /**/
@@ -810,7 +871,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
 		BN_sub(e,e,d);
 		if(!BN_is_zero(e))
 		    {
-		    BIO_puts(bp,"Exponentiation test failed!\n");
+		    fprintf(stderr,"Exponentiation test failed!\n");
 		    return 0;
 		    }
 		}
@@ -840,7 +901,7 @@ int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
 	    BN_rand(a,200,0,0); /**/
 	    a->neg=rand_neg();
 	    }
-	for (i=0; i<70; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_lshift(b,a,i+1);
 		BN_add(c,c,c);
@@ -860,16 +921,16 @@ int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
 		BN_sub(d,d,b);
 		if(!BN_is_zero(d))
 		    {
-		    BIO_puts(bp,"Left shift test failed!\n");
-		    BIO_puts(bp,"a=");
-		    BN_print(bp,a);
-		    BIO_puts(bp,"\nb=");
-		    BN_print(bp,b);
-		    BIO_puts(bp,"\nc=");
-		    BN_print(bp,c);
-		    BIO_puts(bp,"\nd=");
-		    BN_print(bp,d);
-		    BIO_puts(bp,"\n");
+		    fprintf(stderr,"Left shift test failed!\n");
+		    fprintf(stderr,"a=");
+		    BN_print_fp(stderr,a);
+		    fprintf(stderr,"\nb=");
+		    BN_print_fp(stderr,b);
+		    fprintf(stderr,"\nc=");
+		    BN_print_fp(stderr,c);
+		    fprintf(stderr,"\nd=");
+		    BN_print_fp(stderr,d);
+		    fprintf(stderr,"\n");
 		    return 0;
 		    }
 		}
@@ -891,7 +952,7 @@ int test_lshift1(BIO *bp)
 
 	BN_rand(a,200,0,0); /**/
 	a->neg=rand_neg();
-	for (i=0; i<70; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_lshift1(b,a);
 		if (bp != NULL)
@@ -909,7 +970,7 @@ int test_lshift1(BIO *bp)
 		BN_sub(a,b,c);
 		if(!BN_is_zero(a))
 		    {
-		    BIO_puts(bp,"Left shift one test failed!\n");
+		    fprintf(stderr,"Left shift one test failed!\n");
 		    return 0;
 		    }
 		
@@ -935,7 +996,7 @@ int test_rshift(BIO *bp,BN_CTX *ctx)
 
 	BN_rand(a,200,0,0); /**/
 	a->neg=rand_neg();
-	for (i=0; i<70; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_rshift(b,a,i+1);
 		BN_add(c,c,c);
@@ -955,7 +1016,7 @@ int test_rshift(BIO *bp,BN_CTX *ctx)
 		BN_sub(d,d,b);
 		if(!BN_is_zero(d))
 		    {
-		    BIO_puts(bp,"Right shift test failed!\n");
+		    fprintf(stderr,"Right shift test failed!\n");
 		    return 0;
 		    }
 		}
@@ -978,7 +1039,7 @@ int test_rshift1(BIO *bp)
 
 	BN_rand(a,200,0,0); /**/
 	a->neg=rand_neg();
-	for (i=0; i<70; i++)
+	for (i=0; i<num0; i++)
 		{
 		BN_rshift1(b,a);
 		if (bp != NULL)
@@ -996,7 +1057,7 @@ int test_rshift1(BIO *bp)
 		BN_sub(c,c,b);
 		if(!BN_is_zero(c) && !BN_is_one(c))
 		    {
-		    BIO_puts(bp,"Right shift one test failed!\n");
+		    fprintf(stderr,"Right shift one test failed!\n");
 		    return 0;
 		    }
 		BN_copy(a,b);
diff --git a/lib/libcrypto/bn/comba.pl b/lib/libcrypto/bn/comba.pl
index 211a8b45c78..e69de29bb2d 100644
--- a/lib/libcrypto/bn/comba.pl
+++ b/lib/libcrypto/bn/comba.pl
@@ -1,285 +0,0 @@
-#!/usr/local/bin/perl
-
-$num=8;
-$num2=8/2;
-
-print <<"EOF";
-/* crypto/bn/bn_comba.c */
-#include <stdio.h>
-#include "bn_lcl.h"
-/* Auto generated from crypto/bn/comba.pl
- */
-
-#undef bn_mul_comba8
-#undef bn_mul_comba4
-#undef bn_sqr_comba8
-#undef bn_sqr_comba4
-
-#ifdef BN_LLONG
-#define mul_add_c(a,b,c0,c1,c2) \\
-	t=(BN_ULLONG)a*b; \\
-	t1=(BN_ULONG)Lw(t); \\
-	t2=(BN_ULONG)Hw(t); \\
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define mul_add_c2(a,b,c0,c1,c2) \\
-	t=(BN_ULLONG)a*b; \\
-	tt=(t+t)&BN_MASK; \\
-	if (tt < t) c2++; \\
-	t1=(BN_ULONG)Lw(tt); \\
-	t2=(BN_ULONG)Hw(tt); \\
-	c0=(c0+t1)&BN_MASK2;  \\
-	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \\
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c(a,i,c0,c1,c2) \\
-	t=(BN_ULLONG)a[i]*a[i]; \\
-	t1=(BN_ULONG)Lw(t); \\
-	t2=(BN_ULONG)Hw(t); \\
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c2(a,i,j,c0,c1,c2) \\
-	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
-#else
-#define mul_add_c(a,b,c0,c1,c2) \\
-	t1=LBITS(a); t2=HBITS(a); \\
-	bl=LBITS(b); bh=HBITS(b); \\
-	mul64(t1,t2,bl,bh); \\
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define mul_add_c2(a,b,c0,c1,c2) \\
-	t1=LBITS(a); t2=HBITS(a); \\
-	bl=LBITS(b); bh=HBITS(b); \\
-	mul64(t1,t2,bl,bh); \\
-	if (t2 & BN_TBIT) c2++; \\
-	t2=(t2+t2)&BN_MASK2; \\
-	if (t1 & BN_TBIT) t2++; \\
-	t1=(t1+t1)&BN_MASK2; \\
-	c0=(c0+t1)&BN_MASK2;  \\
-	if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \\
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c(a,i,c0,c1,c2) \\
-	sqr64(t1,t2,(a)[i]); \\
-	c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \\
-	c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
-
-#define sqr_add_c2(a,i,j,c0,c1,c2) \\
-	mul_add_c2((a)[i],(a)[j],c0,c1,c2)
-#endif
-
-void bn_mul_comba${num}(r,a,b)
-BN_ULONG *r,*a,*b;
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-EOF
-$ret=&combas_mul("r","a","b",$num,"c1","c2","c3");
-printf <<"EOF";
-	}
-
-void bn_mul_comba${num2}(r,a,b)
-BN_ULONG *r,*a,*b;
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-EOF
-$ret=&combas_mul("r","a","b",$num2,"c1","c2","c3");
-printf <<"EOF";
-	}
-
-void bn_sqr_comba${num}(r,a)
-BN_ULONG *r,*a;
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t,tt;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-EOF
-$ret=&combas_sqr("r","a",$num,"c1","c2","c3");
-printf <<"EOF";
-	}
-
-void bn_sqr_comba${num2}(r,a)
-BN_ULONG *r,*a;
-	{
-#ifdef BN_LLONG
-	BN_ULLONG t,tt;
-#else
-	BN_ULONG bl,bh;
-#endif
-	BN_ULONG t1,t2;
-	BN_ULONG c1,c2,c3;
-
-EOF
-$ret=&combas_sqr("r","a",$num2,"c1","c2","c3");
-printf <<"EOF";
-	}
-EOF
-
-sub bn_str
-	{
-	local($var,$val)=@_;
-	print "\t$var=$val;\n";
-	}
-
-sub bn_ary
-	{
-	local($var,$idx)=@_;
-	return("${var}[$idx]");
-	}
-
-sub bn_clr
-	{
-	local($var)=@_;
-
-	print "\t$var=0;\n";
-	}
-
-sub bn_mad
-	{
-	local($a,$b,$c0,$c1,$c2,$num)=@_;
-
-	if ($num == 2)
-		{ printf("\tmul_add_c2($a,$b,$c0,$c1,$c2);\n"); }
-	else
-		{ printf("\tmul_add_c($a,$b,$c0,$c1,$c2);\n"); }
-	}
-
-sub bn_sad
-	{
-	local($a,$i,$j,$c0,$c1,$c2,$num)=@_;
-
-	if ($num == 2)
-		{ printf("\tsqr_add_c2($a,$i,$j,$c0,$c1,$c2);\n"); }
-	else
-		{ printf("\tsqr_add_c($a,$i,$c0,$c1,$c2);\n"); }
-	}
-
-sub combas_mul
-	{
-	local($r,$a,$b,$num,$c0,$c1,$c2)=@_;
-	local($i,$as,$ae,$bs,$be,$ai,$bi);
-	local($tot,$end);
-
-	$as=0;
-	$ae=0;
-	$bs=0;
-	$be=0;
-	$tot=$num+$num-1;
-	&bn_clr($c0);
-	&bn_clr($c1);
-	for ($i=0; $i<$tot; $i++)
-		{
-		$ai=$as;
-		$bi=$bs;
-		$end=$be+1;
-		@numa=@numb=();
-
-#print "($as $ae) ($bs $be) $bs -> $end [$i $num]\n";
-		for ($j=$bs; $j<$end; $j++)
-			{
-			push(@numa,$ai);
-			push(@numb,$bi);
-			$ai--;
-			$bi++;
-			}
-
-		if ($i & 1)
-			{
-			@numa=reverse(@numa);
-			@numb=reverse(@numb);
-			}
-
-		&bn_clr($c2);
-		for ($j=0; $j<=$#numa; $j++)
-			{
-			&bn_mad(&bn_ary($a,$numa[$j]),
-				&bn_ary($b,$numb[$j]),$c0,$c1,$c2,1);
-			}
-		&bn_str(&bn_ary($r,$i),$c0);
-		($c0,$c1,$c2)=($c1,$c2,$c0);
-
-		$as++ if ($i < ($num-1));
-		$ae++ if ($i >= ($num-1));
-
-		$bs++ if ($i >= ($num-1));
-		$be++ if ($i < ($num-1));
-		}
-	&bn_str(&bn_ary($r,$i),$c0);
-	}
-
-sub combas_sqr
-	{
-	local($r,$a,$num,$c0,$c1,$c2)=@_;
-	local($i,$as,$ae,$bs,$be,$ai,$bi);
-	local($b,$tot,$end,$half);
-
-	$b=$a;
-	$as=0;
-	$ae=0;
-	$bs=0;
-	$be=0;
-	$tot=$num+$num-1;
-	&bn_clr($c0);
-	&bn_clr($c1);
-	for ($i=0; $i<$tot; $i++)
-		{
-		$ai=$as;
-		$bi=$bs;
-		$end=$be+1;
-		@numa=@numb=();
-
-#print "($as $ae) ($bs $be) $bs -> $end [$i $num]\n";
-		for ($j=$bs; $j<$end; $j++)
-			{
-			push(@numa,$ai);
-			push(@numb,$bi);
-			$ai--;
-			$bi++;
-			last if ($ai < $bi);
-			}
-		if (!($i & 1))
-			{
-			@numa=reverse(@numa);
-			@numb=reverse(@numb);
-			}
-
-		&bn_clr($c2);
-		for ($j=0; $j <= $#numa; $j++)
-			{
-			if ($numa[$j] == $numb[$j])
-				{&bn_sad($a,$numa[$j],$numb[$j],$c0,$c1,$c2,1);}
-			else
-				{&bn_sad($a,$numa[$j],$numb[$j],$c0,$c1,$c2,2);}
-			}
-		&bn_str(&bn_ary($r,$i),$c0);
-		($c0,$c1,$c2)=($c1,$c2,$c0);
-
-		$as++ if ($i < ($num-1));
-		$ae++ if ($i >= ($num-1));
-
-		$bs++ if ($i >= ($num-1));
-		$be++ if ($i < ($num-1));
-		}
-	&bn_str(&bn_ary($r,$i),$c0);
-	}
diff --git a/lib/libcrypto/bn/d.c b/lib/libcrypto/bn/d.c
index ced2291b255..e69de29bb2d 100644
--- a/lib/libcrypto/bn/d.c
+++ b/lib/libcrypto/bn/d.c
@@ -1,72 +0,0 @@
-#include <stdio.h>
-#include <openssl/bio.h>
-#include "bn_lcl.h"
-
-#define SIZE_A (100*4+4)
-#define SIZE_B (13*4)
-
-main(argc,argv)
-int argc;
-char *argv[];
-	{
-	BN_CTX ctx;
-	BN_RECP_CTX recp;
-	BIGNUM a,b,dd,d,r,rr,t,l;
-	int i;
-
-	MemCheck_start();
-	MemCheck_on();
-	BN_CTX_init(&ctx);
-	BN_RECP_CTX_init(&recp);
-
-	BN_init(&r);
-	BN_init(&rr);
-	BN_init(&d);
-	BN_init(&dd);
-	BN_init(&a);
-	BN_init(&b);
-
-	{
-	BN_rand(&a,SIZE_A,0,0);
-	BN_rand(&b,SIZE_B,0,0);
-
-	a.neg=1;
-	BN_RECP_CTX_set(&recp,&b,&ctx);
-
-	BN_print_fp(stdout,&a); printf(" a\n");
-	BN_print_fp(stdout,&b); printf(" b\n");
-
-	BN_print_fp(stdout,&recp.N); printf(" N\n");
-	BN_print_fp(stdout,&recp.Nr); printf(" Nr num_bits=%d\n",recp.num_bits);
-
-	BN_div_recp(&r,&d,&a,&recp,&ctx);
-
-for (i=0; i<300; i++)
-	BN_div(&rr,&dd,&a,&b,&ctx);
-
-	BN_print_fp(stdout,&r); printf(" div recp\n");
-	BN_print_fp(stdout,&rr); printf(" div\n");
-	BN_print_fp(stdout,&d); printf(" rem recp\n");
-	BN_print_fp(stdout,&dd); printf(" rem\n");
-	}
-	BN_CTX_free(&ctx);
-	BN_RECP_CTX_free(&recp);
-
-	BN_free(&r);
-	BN_free(&rr);
-	BN_free(&d);
-	BN_free(&dd);
-	BN_free(&a);
-	BN_free(&b);
-
-	{
-	BIO *out;
-
-	if ((out=BIO_new(BIO_s_file())) != NULL)
-		BIO_set_fp(out,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-
-        CRYPTO_mem_leaks(out);
-	BIO_free(out);
-	}
-
-	}
diff --git a/lib/libcrypto/bn/exp.c b/lib/libcrypto/bn/exp.c
index ec443459d81..4865b0ef742 100644
--- a/lib/libcrypto/bn/exp.c
+++ b/lib/libcrypto/bn/exp.c
@@ -1,3 +1,5 @@
+/* unused */
+
 #include <stdio.h>
 #include <openssl/tmdiff.h>
 #include "bn_lcl.h"
diff --git a/lib/libcrypto/bn/expspeed.c b/lib/libcrypto/bn/expspeed.c
index 3656d5bb4ce..2044ab9bfff 100644
--- a/lib/libcrypto/bn/expspeed.c
+++ b/lib/libcrypto/bn/expspeed.c
@@ -1,3 +1,5 @@
+/* unused */
+
 /* crypto/bn/expspeed.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
diff --git a/lib/libcrypto/bn/exptest.c b/lib/libcrypto/bn/exptest.c
index 9e4ae91d201..3e86f2ea0e0 100644
--- a/lib/libcrypto/bn/exptest.c
+++ b/lib/libcrypto/bn/exptest.c
@@ -69,6 +69,8 @@
 
 #define NUM_BITS	(BN_BITS*2)
 
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
 int main(int argc, char *argv[])
 	{
 	BN_CTX *ctx;
@@ -77,6 +79,10 @@ int main(int argc, char *argv[])
 	unsigned char c;
 	BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
 
+	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
+	                                       * even check its return value
+	                                       * (which we should) */
+
 	ERR_load_BN_strings();
 
 	ctx=BN_CTX_new();
@@ -160,7 +166,16 @@ int main(int argc, char *argv[])
 			exit(1);
 			}
 		}
+	BN_free(r_mont);
+	BN_free(r_recp);
+	BN_free(r_simple);
+	BN_free(a);
+	BN_free(b);
+	BN_free(m);
+	BN_CTX_free(ctx);
+	ERR_remove_state(0);
 	CRYPTO_mem_leaks(out);
+	BIO_free(out);
 	printf(" done\n");
 	exit(0);
 err:
diff --git a/lib/libcrypto/bn/new b/lib/libcrypto/bn/new
index 285d506f199..e69de29bb2d 100644
--- a/lib/libcrypto/bn/new
+++ b/lib/libcrypto/bn/new
@@ -1,23 +0,0 @@
-void BN_RECP_CTX_init(BN_RECP_CTX *recp);
-BN_RECP_CTX *BN_RECP_CTX_new();
-void BN_RECP_CTX_free(BN_RECP_CTX *recp);
-int BN_RECP_CTX_set(BN_RECP_CTX *recp,BIGNUM *div,BN_CTX *ctx);
-
-int BN_mod_exp_recp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
-	BN_RECP_CTX *recp,BN_CTX *ctx);
-
-int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d,
-	BN_RECP_CTX *recp, BN_CTX *ctx);
-int BN_mod_recp(BIGNUM *rem, BIGNUM *m, BIGNUM *d,
-	BN_RECP_CTX *recp, BN_CTX *ctx);
-int BN_mod_mul_recp(BIGNUM *ret,BIGNUM *a,BIGNUM *b,BIGNUM *m
-
-int BN_mod_exp_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *p,
-	BN_MONT_CTX *m_ctx,BN_CTX *ctx);
-int BN_mod_exp2_montgomery(BIGNUM *r, BIGNUM *a1, BIGNUM *p1,BIGNUM *a2,
-                BIGNUM *p2,BN_MONT_CTX *m_ctx,BN_CTX *ctx);
-
-
-bn_div64 -> bn_div_words
-
-
diff --git a/lib/libcrypto/bn/old/b_sqr.c b/lib/libcrypto/bn/old/b_sqr.c
index 715cb1c8abb..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/b_sqr.c
+++ b/lib/libcrypto/bn/old/b_sqr.c
@@ -1,199 +0,0 @@
-/* crypto/bn/bn_mul.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-static int bn_mm(BIGNUM *m,BIGNUM *A,BIGNUM *B, BIGNUM *sk,BN_CTX *ctx);
-
-/* r must be different to a and b */
-/* int BN_mmul(r, a, b) */
-int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b)
-	{
-	BN_ULONG *ap,*bp,*rp;
-	BIGNUM *sk;
-	int i,n,ret;
-	int max,al,bl;
-	BN_CTX ctx;
-
-	bn_check_top(a);
-	bn_check_top(b);
-
-	al=a->top;
-	bl=b->top;
-	if ((al == 0) || (bl == 0))
-		{
-		r->top=0;
-		return(1);
-		}
-#ifdef BN_MUL_DEBUG
-printf("BN_mul(%d,%d)\n",a->top,b->top);
-#endif
-
-	if (	(bn_limit_bits > 0) &&
-		(bl > bn_limit_num) && (al > bn_limit_num))
-		{
-		n=(BN_num_bits_word(al|bl)-bn_limit_bits);
-		n*=2;
-		sk=(BIGNUM *)Malloc(sizeof(BIGNUM)*n);
-		memset(sk,0,sizeof(BIGNUM)*n);
-		memset(&ctx,0,sizeof(ctx));
-
-		ret=bn_mm(r,a,b,&(sk[0]),&ctx);
-		for (i=0; i<n; i+=2)
-			{
-			BN_clear_free(&sk[i]);
-			BN_clear_free(&sk[i+1]);
-			}
-		Free(sk);
-		return(ret);
-		}
-
-	max=(al+bl);
-	if (bn_wexpand(r,max) == NULL) return(0);
-	r->top=max;
-	r->neg=a->neg^b->neg;
-	ap=a->d;
-	bp=b->d;
-	rp=r->d;
-
-	rp[al]=bn_mul_words(rp,ap,al,*(bp++));
-	rp++;
-	for (i=1; i<bl; i++)
-		{
-		rp[al]=bn_mul_add_words(rp,ap,al,*(bp++));
-		rp++;
-		}
-	if ((max > 0) && (r->d[max-1] == 0)) r->top--;
-	return(1);
-	}
-
-
-#define ahal	(sk[0])
-#define blbh	(sk[1])
-
-/* r must be different to a and b */
-int bn_mm(BIGNUM *m, BIGNUM *A, BIGNUM *B, BIGNUM *sk, BN_CTX *ctx)
-	{
-	int n,num,sqr=0;
-	int an,bn;
-	BIGNUM ah,al,bh,bl;
-
-	an=A->top;
-	bn=B->top;
-#ifdef BN_MUL_DEBUG
-printf("bn_mm(%d,%d)\n",A->top,B->top);
-#endif
-
-	if (A == B) sqr=1;
-	num=(an>bn)?an:bn;
-	n=(num+1)/2;
-	/* Are going to now chop things into 'num' word chunks. */
-
-	BN_init(&ah);
-	BN_init(&al);
-	BN_init(&bh);
-	BN_init(&bl);
-
-	bn_set_low (&al,A,n);
-	bn_set_high(&ah,A,n);
-	bn_set_low (&bl,B,n);
-	bn_set_high(&bh,B,n);
-
-	BN_sub(&ahal,&ah,&al);
-	BN_sub(&blbh,&bl,&bh);
-
-	if (num <= (bn_limit_num+bn_limit_num))
-		{
-		BN_mul(m,&ahal,&blbh);
-		if (sqr)
-			{
-			BN_sqr(&ahal,&al,ctx);
-			BN_sqr(&blbh,&ah,ctx);
-			}
-		else
-			{
-			BN_mul(&ahal,&al,&bl);
-			BN_mul(&blbh,&ah,&bh);
-			}
-		}
-	else
-		{
-		bn_mm(m,&ahal,&blbh,&(sk[2]),ctx);
-		bn_mm(&ahal,&al,&bl,&(sk[2]),ctx);
-		bn_mm(&blbh,&ah,&bh,&(sk[2]),ctx);
-		}
-
-	BN_add(m,m,&ahal);
-	BN_add(m,m,&blbh);
-
-	BN_lshift(m,m,n*BN_BITS2);
-	BN_lshift(&blbh,&blbh,n*BN_BITS2*2);
-
-	BN_add(m,m,&ahal);
-	BN_add(m,m,&blbh);
-
-	m->neg=A->neg^B->neg;
-	return(1);
-	}
-#undef ahal	(sk[0])
-#undef blbh	(sk[1])
-
-#include "bn_low.c"
-#include "bn_high.c"
diff --git a/lib/libcrypto/bn/old/bn_com.c b/lib/libcrypto/bn/old/bn_com.c
index 7666b2304c8..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_com.c
+++ b/lib/libcrypto/bn/old/bn_com.c
@@ -1,90 +0,0 @@
-/* crypto/bn/bn_mulw.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-#ifdef BN_LLONG 
-
-ab
-12
-   a2 b2
-a1 b1
-
-abc
-123
-      a3 b3 c3
-   a2 b2 c2
-a1 b1 c1
-
-abcd
-1234
-         a4 b4 c4 d4
-      a3 b3 c3 d3
-   a2 b2 c2 d2
-a1 b1 c1 d1
-
-abcde
-01234
-               a5 b5 c5 d5 e5
-            a4 b4 c4 d4 e4
-         a3 b3 c3 d3 e3
-      a2 b2 c2 d2 e2
-   a1 b1 c1 d1 e1
-a0 b0 c0 d0 e0
diff --git a/lib/libcrypto/bn/old/bn_high.c b/lib/libcrypto/bn/old/bn_high.c
index 763bcb605b3..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_high.c
+++ b/lib/libcrypto/bn/old/bn_high.c
@@ -1,135 +0,0 @@
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-#undef BN_MUL_HIGH_DEBUG
-
-#ifdef BN_MUL_HIGH_DEBUG
-#define debug_BN_print(a,b,c) BN_print_fp(a,b); printf(c);
-#else
-#define debug_BN_print(a,b,c)
-#endif
-
-int BN_mul_high(BIGNUM *r,BIGNUM *a,BIGNUM *b,BIGNUM *low, int words);
-
-#undef t1
-#undef t2
-
-int BN_mul_high(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *low, int words)
-	{
-	int w2,borrow=0,full=0;
-	BIGNUM t1,t2,t3,h,ah,al,bh,bl,m,s0,s1;
-	BN_ULONG ul1,ul2;
-	
-	BN_mul(r,a,b);
-	BN_rshift(r,r,words*BN_BITS2);
-	return(1);
-
-	w2=(words+1)/2;
-
-#ifdef BN_MUL_HIGH_DEBUG
-fprintf(stdout,"words=%d w2=%d\n",words,w2);
-#endif
-debug_BN_print(stdout,a," a\n");
-debug_BN_print(stdout,b," b\n");
-debug_BN_print(stdout,low," low\n");
-	BN_init(&al); BN_init(&ah);
-	BN_init(&bl); BN_init(&bh);
-	BN_init(&t1); BN_init(&t2); BN_init(&t3);
-	BN_init(&s0); BN_init(&s1);
-	BN_init(&h); BN_init(&m);
-
-	bn_set_low (&al,a,w2);
-	bn_set_high(&ah,a,w2);
-	bn_set_low (&bl,b,w2);
-	bn_set_high(&bh,b,w2);
-
-	bn_set_low(&s0,low,w2);
-	bn_set_high(&s1,low,w2);
-
-debug_BN_print(stdout,&al," al\n");
-debug_BN_print(stdout,&ah," ah\n");
-debug_BN_print(stdout,&bl," bl\n");
-debug_BN_print(stdout,&bh," bh\n");
-debug_BN_print(stdout,&s0," s0\n");
-debug_BN_print(stdout,&s1," s1\n");
-
-	/* Calculate (al-ah)*(bh-bl) */
-	BN_sub(&t1,&al,&ah);
-	BN_sub(&t2,&bh,&bl);
-	BN_mul(&m,&t1,&t2);
-
-	/* Calculate ah*bh */
-	BN_mul(&h,&ah,&bh);
-
-	/* s0 == low(al*bl)
-	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
-	 * We know s0 and s1 so the only unknown is high(al*bl)
-	 * high(al*bl) == s1 - low(ah*bh+(al-ah)*(bh-bl)+s0)
-	 */
-	BN_add(&m,&m,&h);
-	BN_add(&t2,&m,&s0);
-
-debug_BN_print(stdout,&t2," middle value\n");
-
-	/* Quick and dirty mask off of high words */
-	if (w2 < t2.top) t2.top=w2;
-#if 0
-	bn_set_low(&t3,&t2,w2);
-#endif
-
-debug_BN_print(stdout,&t2," low middle value\n");
-	BN_sub(&t1,&s1,&t2);
-
-	if (t1.neg)
-		{
-debug_BN_print(stdout,&t1," before\n");
-		BN_zero(&t2);
-		BN_set_bit(&t2,w2*BN_BITS2);
-		BN_add(&t1,&t2,&t1);
-		/* BN_mask_bits(&t1,w2*BN_BITS2); */
-		/* if (words < t1.top) t1.top=words; */
-debug_BN_print(stdout,&t1," after\n");
-		borrow=1;
-		}
-
-/* XXXXX SPEED THIS UP */
-	/* al*bl == high(al*bl)<<words+s0 */
-	BN_lshift(&t1,&t1,w2*BN_BITS2);
-	BN_add(&t1,&t1,&s0);
-	if (w2*2 < t1.top) t1.top=w2*2; /* This should not happen? */
-	
-	/* We now have
-	 * al*bl			- t1
-	 * (al-ah)*(bh-bl)+ah*bh	- m
-	 * ah*bh			- h
-	 */
-#if 0
-	BN_add(&m,&m,&t1);
-debug_BN_print(stdout,&t1," s10\n");
-debug_BN_print(stdout,&m," s21\n");
-debug_BN_print(stdout,&h," s32\n");
-	BN_lshift(&m,&m,w2*BN_BITS2);
-	BN_lshift(&h,&h,w2*2*BN_BITS2);
-	BN_add(r,&m,&t1);
-	BN_add(r,r,&h);
-	BN_rshift(r,r,w2*2*BN_BITS2);
-#else
-	BN_add(&m,&m,&t1); 		/* Do a cmp then +1 if needed? */
-	bn_set_high(&t3,&t1,w2);
-	BN_add(&m,&m,&t3);
-	bn_set_high(&t3,&m,w2);
-	BN_add(r,&h,&t3);
-#endif
-
-#ifdef BN_MUL_HIGH_DEBUG
-printf("carry=%d\n",borrow);
-#endif
-debug_BN_print(stdout,r," ret\n");
-	BN_free(&t1); BN_free(&t2);
-	BN_free(&m); BN_free(&h);
-	return(1);
-	}
-
-
-
diff --git a/lib/libcrypto/bn/old/bn_ka.c b/lib/libcrypto/bn/old/bn_ka.c
index 378c94dc5a7..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_ka.c
+++ b/lib/libcrypto/bn/old/bn_ka.c
@@ -1,567 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <strings.h>
-#include "bn_lcl.h"
-
-/* r is 2*n2 words in size,
- * a and b are both n2 words in size.
- * n2 must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n2 words in size
- * We calulate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-	     BN_ULONG *t)
-	{
-	int n=n2/2;
-	int neg,zero,c1,c2;
-	BN_ULONG ln,lo,*p;
-
-#ifdef BN_COUNT
-printf(" bn_mul_recursive %d * %d\n",n2,n2);
-#endif
-	if (n2 <= 8)
-		{
-		if (n2 == 8)
-			bn_mul_comba8(r,a,b);
-		else
-			bn_mul_normal(r,a,n2,b,n2);
-		return;
-		}
-
-	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
-		{
-		/* This should not happen */
-		/*abort(); */
-		bn_mul_normal(r,a,n2,b,n2);
-		return;
-		}
-	/* r=(a[0]-a[1])*(b[1]-b[0]) */
-	c1=bn_cmp_words(a,&(a[n]),n);
-	c2=bn_cmp_words(&(b[n]),b,n);
-	zero=neg=0;
-	switch (c1*3+c2)
-		{
-	case -4:
-		bn_sub_words(t,      &(a[n]),a,      n); /* - */
-		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
-		break;
-	case -3:
-		zero=1;
-		break;
-	case -2:
-		bn_sub_words(t,      &(a[n]),a,      n); /* - */
-		bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
-		neg=1;
-		break;
-	case -1:
-	case 0:
-	case 1:
-		zero=1;
-		break;
-	case 2:
-		bn_sub_words(t,      a,      &(a[n]),n); /* + */
-		bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
-		neg=1;
-		break;
-	case 3:
-		zero=1;
-		break;
-	case 4:
-		bn_sub_words(t,      a,      &(a[n]),n);
-		bn_sub_words(&(t[n]),&(b[n]),b,      n);
-		break;
-		}
-
-	if (n == 8)
-		{
-		if (!zero)
-			bn_mul_comba8(&(t[n2]),t,&(t[n]));
-		else
-			memset(&(t[n2]),0,8*sizeof(BN_ULONG));
-		
-		bn_mul_comba8(r,a,b);
-		bn_mul_comba8(&(r[n2]),&(a[n]),&(b[n]));
-		}
-	else
-		{
-		p= &(t[n2*2]);
-		if (!zero)
-			bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
-		else
-			memset(&(t[n2]),0,n*sizeof(BN_ULONG));
-		bn_mul_recursive(r,a,b,n,p);
-		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
-		}
-
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-	 * r[10] holds (a[0]*b[0])
-	 * r[32] holds (b[1]*b[1])
-	 */
-
-	c1=bn_add_words(t,r,&(r[n2]),n2);
-
-	if (neg) /* if t[32] is negative */
-		{
-		c1-=bn_sub_words(&(t[n2]),t,&(t[n2]),n2);
-		}
-	else
-		{
-		/* Might have a carry */
-		c1+=bn_add_words(&(t[n2]),&(t[n2]),t,n2);
-		}
-
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-	 * r[10] holds (a[0]*b[0])
-	 * r[32] holds (b[1]*b[1])
-	 * c1 holds the carry bits
-	 */
-	c1+=bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2);
-	if (c1)
-		{
-		p= &(r[n+n2]);
-		lo= *p;
-		ln=(lo+c1)&BN_MASK2;
-		*p=ln;
-
-		/* The overflow will stop before we over write
-		 * words we should not overwrite */
-		if (ln < c1)
-			{
-			do	{
-				p++;
-				lo= *p;
-				ln=(lo+1)&BN_MASK2;
-				*p=ln;
-				} while (ln == 0);
-			}
-		}
-	}
-
-/* n+tn is the word length
- * t needs to be n*4 is size, as does r */
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
-	     int n, BN_ULONG *t)
-	{
-	int n2=n*2,i,j;
-	int c1;
-	BN_ULONG ln,lo,*p;
-
-#ifdef BN_COUNT
-printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
-#endif
-	if (n < 8)
-		{
-		i=tn+n;
-		bn_mul_normal(r,a,i,b,i);
-		return;
-		}
-
-	/* r=(a[0]-a[1])*(b[1]-b[0]) */
-	bn_sub_words(t,      a,      &(a[n]),n); /* + */
-	bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
-
-	if (n == 8)
-		{
-		bn_mul_comba8(&(t[n2]),t,&(t[n]));
-		bn_mul_comba8(r,a,b);
-		bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
-		memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
-		}
-	else
-		{
-		p= &(t[n2*2]);
-		bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
-		bn_mul_recursive(r,a,b,n,p);
-		i=n/2;
-		/* If there is only a bottom half to the number,
-		 * just do it */
-		j=tn-i;
-		if (j == 0)
-			{
-			bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
-			memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
-			}
-		else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
-				{
-				bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
-					j,i,p);
-				memset(&(r[n2+tn*2]),0,
-					sizeof(BN_ULONG)*(n2-tn*2));
-				}
-		else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
-			{
-			memset(&(r[n2]),0,sizeof(BN_ULONG)*(tn*2));
-			for (;;)
-				{
-				i/=2;
-				if (i < tn)
-					{
-					bn_mul_part_recursive(&(r[n2]),
-						&(a[n]),&(b[n]),
-						tn-i,i,p);
-					break;
-					}
-				else if (i == tn)
-					{
-					bn_mul_recursive(&(r[n2]),
-						&(a[n]),&(b[n]),
-						i,p);
-					break;
-					}
-				}
-			}
-		}
-
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-	 * r[10] holds (a[0]*b[0])
-	 * r[32] holds (b[1]*b[1])
-	 */
-
-	c1=bn_add_words(t,r,&(r[n2]),n2);
-	c1-=bn_sub_words(&(t[n2]),t,&(t[n2]),n2);
-
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-	 * r[10] holds (a[0]*b[0])
-	 * r[32] holds (b[1]*b[1])
-	 * c1 holds the carry bits
-	 */
-	c1+=bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2);
-	if (c1)
-		{
-		p= &(r[n+n2]);
-		lo= *p;
-		ln=(lo+c1)&BN_MASK2;
-		*p=ln;
-
-		/* The overflow will stop before we over write
-		 * words we should not overwrite */
-		if (ln < c1)
-			{
-			do	{
-				p++;
-				lo= *p;
-				ln=(lo+1)&BN_MASK2;
-				*p=ln;
-				} while (ln == 0);
-			}
-		}
-	}
-
-/* r is 2*n words in size,
- * a and b are both n words in size.
- * n must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n words in size
- * We calulate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *t)
-	{
-	int n=n2/2;
-	int zero,c1;
-	BN_ULONG ln,lo,*p;
-
-#ifdef BN_COUNT
-printf(" bn_sqr_recursive %d * %d\n",n2,n2);
-#endif
-	if (n2 == 4)
-		{
-		bn_sqr_comba4(r,a);
-		return;
-		}
-	else if (n2 == 8)
-		{
-		bn_sqr_comba8(r,a);
-		return;
-		}
-	if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL)
-		{
-		bn_sqr_normal(r,a,n2,t);
-		return;
-		abort();
-		}
-	/* r=(a[0]-a[1])*(a[1]-a[0]) */
-	c1=bn_cmp_words(a,&(a[n]),n);
-	zero=0;
-	if (c1 > 0)
-		bn_sub_words(t,a,&(a[n]),n);
-	else if (c1 < 0)
-		bn_sub_words(t,&(a[n]),a,n);
-	else
-		zero=1;
-
-	/* The result will always be negative unless it is zero */
-
-	if (n == 8)
-		{
-		if (!zero)
-			bn_sqr_comba8(&(t[n2]),t);
-		else
-			memset(&(t[n2]),0,8*sizeof(BN_ULONG));
-		
-		bn_sqr_comba8(r,a);
-		bn_sqr_comba8(&(r[n2]),&(a[n]));
-		}
-	else
-		{
-		p= &(t[n2*2]);
-		if (!zero)
-			bn_sqr_recursive(&(t[n2]),t,n,p);
-		else
-			memset(&(t[n2]),0,n*sizeof(BN_ULONG));
-		bn_sqr_recursive(r,a,n,p);
-		bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
-		}
-
-	/* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
-	 * r[10] holds (a[0]*b[0])
-	 * r[32] holds (b[1]*b[1])
-	 */
-
-	c1=bn_add_words(t,r,&(r[n2]),n2);
-
-	/* t[32] is negative */
-	c1-=bn_sub_words(&(t[n2]),t,&(t[n2]),n2);
-
-	/* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
-	 * r[10] holds (a[0]*a[0])
-	 * r[32] holds (a[1]*a[1])
-	 * c1 holds the carry bits
-	 */
-	c1+=bn_add_words(&(r[n]),&(r[n]),&(t[n2]),n2);
-	if (c1)
-		{
-		p= &(r[n+n2]);
-		lo= *p;
-		ln=(lo+c1)&BN_MASK2;
-		*p=ln;
-
-		/* The overflow will stop before we over write
-		 * words we should not overwrite */
-		if (ln < c1)
-			{
-			do	{
-				p++;
-				lo= *p;
-				ln=(lo+1)&BN_MASK2;
-				*p=ln;
-				} while (ln == 0);
-			}
-		}
-	}
-
-#if 1
-/* a and b must be the same size, which is n2.
- * r needs to be n2 words and t needs to be n2*2
- */
-void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-	     BN_ULONG *t)
-	{
-	int n=n2/2;
-
-#ifdef BN_COUNT
-printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
-#endif
-
-	bn_mul_recursive(r,a,b,n,&(t[0]));
-	if (n > BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
-		{
-		bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
-		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
-		bn_mul_low_recursive(&(t[0]),&(a[n]),&(b[0]),n,&(t[n2]));
-		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
-		}
-	else
-		{
-		bn_mul_low_normal(&(t[0]),&(a[0]),&(b[n]),n);
-		bn_mul_low_normal(&(t[n]),&(a[n]),&(b[0]),n);
-		bn_add_words(&(r[n]),&(r[n]),&(t[0]),n);
-		bn_add_words(&(r[n]),&(r[n]),&(t[n]),n);
-		}
-	}
-
-/* a and b must be the same size, which is n2.
- * r needs to be n2 words and t needs to be n2*2
- * l is the low words of the output.
- * t needs to be n2*3
- */
-void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
-	     BN_ULONG *t)
-	{
-	int j,i,n,c1,c2;
-	int neg,oneg,zero;
-	BN_ULONG ll,lc,*lp,*mp;
-
-#ifdef BN_COUNT
-printf(" bn_mul_high %d * %d\n",n2,n2);
-#endif
-	n=(n2+1)/2;
-
-	/* Calculate (al-ah)*(bh-bl) */
-	neg=zero=0;
-	c1=bn_cmp_words(&(a[0]),&(a[n]),n);
-	c2=bn_cmp_words(&(b[n]),&(b[0]),n);
-	switch (c1*3+c2)
-		{
-	case -4:
-		bn_sub_words(&(r[0]),&(a[n]),&(a[0]),n);
-		bn_sub_words(&(r[n]),&(b[0]),&(b[n]),n);
-		break;
-	case -3:
-		zero=1;
-		break;
-	case -2:
-		bn_sub_words(&(r[0]),&(a[n]),&(a[0]),n);
-		bn_sub_words(&(r[n]),&(b[n]),&(b[0]),n);
-		neg=1;
-		break;
-	case -1:
-	case 0:
-	case 1:
-		zero=1;
-		break;
-	case 2:
-		bn_sub_words(&(r[0]),&(a[0]),&(a[n]),n);
-		bn_sub_words(&(r[n]),&(b[0]),&(b[n]),n);
-		neg=1;
-		break;
-	case 3:
-		zero=1;
-		break;
-	case 4:
-		bn_sub_words(&(r[0]),&(a[0]),&(a[n]),n);
-		bn_sub_words(&(r[n]),&(b[n]),&(b[0]),n);
-		break;
-		}
-		
-	oneg=neg;
-	/* t[10] = (a[0]-a[1])*(b[1]-b[0]) */
-	bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
-	/* r[10] = (a[1]*b[1]) */
-	bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
-
-	/* s0 == low(al*bl)
-	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
-	 * We know s0 and s1 so the only unknown is high(al*bl)
-	 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
-	 * high(al*bl) == s1 - (r[0]+l[0]+t[0])
-	 */
-	if (l != NULL)
-		{
-		lp= &(t[n2+n]);
-		c1=bn_add_words(lp,&(r[0]),&(l[0]),n);
-		}
-	else
-		{
-		c1=0;
-		lp= &(r[0]);
-		}
-
-	if (neg)
-		neg=bn_sub_words(&(t[n2]),lp,&(t[0]),n);
-	else
-		{
-		bn_add_words(&(t[n2]),lp,&(t[0]),n);
-		neg=0;
-		}
-
-	if (l != NULL)
-		{
-		bn_sub_words(&(t[n2+n]),&(l[n]),&(t[n2]),n);
-		}
-	else
-		{
-		lp= &(t[n2+n]);
-		mp= &(t[n2]);
-		for (i=0; i<n; i++)
-			lp[i]=((~mp[i])+1)&BN_MASK2;
-		}
-
-	/* s[0] = low(al*bl)
-	 * t[3] = high(al*bl)
-	 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
-	 * r[10] = (a[1]*b[1])
-	 */
-	/* R[10] = al*bl
-	 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
-	 * R[32] = ah*bh
-	 */
-	/* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
-	 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
-	 * R[3]=r[1]+(carry/borrow)
-	 */
-	if (l != NULL)
-		{
-		lp= &(t[n2]);
-		c1= bn_add_words(lp,&(t[n2+n]),&(l[0]),n);
-		}
-	else
-		{
-		lp= &(t[n2+n]);
-		c1=0;
-		}
-	c1+=bn_add_words(&(t[n2]),lp,  &(r[0]),n);
-	if (oneg)
-		c1-=bn_sub_words(&(t[n2]),&(t[n2]),&(t[0]),n);
-	else
-		c1+=bn_add_words(&(t[n2]),&(t[n2]),&(t[0]),n);
-
-	c2 =bn_add_words(&(r[0]),&(r[0]),&(t[n2+n]),n);
-	c2+=bn_add_words(&(r[0]),&(r[0]),&(r[n]),n);
-	if (oneg)
-		c2-=bn_sub_words(&(r[0]),&(r[0]),&(t[n]),n);
-	else
-		c2+=bn_add_words(&(r[0]),&(r[0]),&(t[n]),n);
-	
-	if (c1 != 0) /* Add starting at r[0], could be +ve or -ve */
-		{
-		i=0;
-		if (c1 > 0)
-			{
-			lc=c1;
-			do	{
-				ll=(r[i]+lc)&BN_MASK2;
-				r[i++]=ll;
-				lc=(lc > ll);
-				} while (lc);
-			}
-		else
-			{
-			lc= -c1;
-			do	{
-				ll=r[i];
-				r[i++]=(ll-lc)&BN_MASK2;
-				lc=(lc > ll);
-				} while (lc);
-			}
-		}
-	if (c2 != 0) /* Add starting at r[1] */
-		{
-		i=n;
-		if (c2 > 0)
-			{
-			lc=c2;
-			do	{
-				ll=(r[i]+lc)&BN_MASK2;
-				r[i++]=ll;
-				lc=(lc > ll);
-				} while (lc);
-			}
-		else
-			{
-			lc= -c2;
-			do	{
-				ll=r[i];
-				r[i++]=(ll-lc)&BN_MASK2;
-				lc=(lc > ll);
-				} while (lc);
-			}
-		}
-	}
-#endif
diff --git a/lib/libcrypto/bn/old/bn_low.c b/lib/libcrypto/bn/old/bn_low.c
index cbc406751c0..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_low.c
+++ b/lib/libcrypto/bn/old/bn_low.c
@@ -1,194 +0,0 @@
-/* crypto/bn/bn_mul.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-static int bn_mm_low(BIGNUM *m,BIGNUM *A,BIGNUM *B, int num,
-		BIGNUM *sk,BN_CTX *ctx);
-int BN_mul_low(BIGNUM *r, BIGNUM *a, BIGNUM *b,int words);
-
-/* r must be different to a and b */
-int BN_mul_low(BIGNUM *r, BIGNUM *a, BIGNUM *b, int num)
-	{
-	BN_ULONG *ap,*bp,*rp;
-	BIGNUM *sk;
-	int j,i,n,ret;
-	int max,al,bl;
-	BN_CTX ctx;
-
-	bn_check_top(a);
-	bn_check_top(b);
-
-#ifdef BN_MUL_DEBUG
-printf("BN_mul_low(%d,%d,%d)\n",a->top,b->top,num);
-#endif
-
-	al=a->top;
-	bl=b->top;
-	if ((al == 0) || (bl == 0))
-		{
-		r->top=0;
-		return(1);
-		}
-
-	if ((bn_limit_bits_low > 0) && (num > bn_limit_num_low))
-		{
-		n=BN_num_bits_word(num*2)-bn_limit_bits_low;
-		n*=2;
-		sk=(BIGNUM *)Malloc(sizeof(BIGNUM)*n);
-		memset(sk,0,sizeof(BIGNUM)*n);
-		memset(&ctx,0,sizeof(ctx));
-
-		ret=bn_mm_low(r,a,b,num,&(sk[0]),&ctx);
-		for (i=0; i<n; i+=2)
-			{
-			BN_clear_free(&sk[i]);
-			BN_clear_free(&sk[i+1]);
-			}
-		Free(sk);
-		return(ret);
-		}
-
-	max=(al+bl);
-	if (bn_wexpand(r,max) == NULL) return(0);
-	r->neg=a->neg^b->neg;
-	ap=a->d;
-	bp=b->d;
-	rp=r->d;
-	r->top=(max > num)?num:max;
-
-	rp[al]=bn_mul_words(rp,ap,al,*(bp++));
-	rp++;
-	j=bl;
-	for (i=1; i<j; i++)
-		{
-		if (al >= num--)
-			{
-			al--;
-			if (al <= 0) break;
-			}
-		rp[al]=bn_mul_add_words(rp,ap,al,*(bp++));
-		rp++;
-		}
-	
-	while ((r->top > 0) && (r->d[r->top-1] == 0))
-		r->top--;
-	return(1);
-	}
-
-
-#define t1	(sk[0])
-#define t2	(sk[1])
-
-/* r must be different to a and b */
-int bn_mm_low(BIGNUM *m, BIGNUM *A, BIGNUM *B, int num, BIGNUM *sk,
-	     BN_CTX *ctx)
-	{
-	int n; /* ,sqr=0; */
-	int an,bn;
-	BIGNUM ah,al,bh,bl;
-
-	bn_wexpand(m,num+3);
-	an=A->top;
-	bn=B->top;
-
-#ifdef BN_MUL_DEBUG
-printf("bn_mm_low(%d,%d,%d)\n",A->top,B->top,num);
-#endif
-
-	n=(num+1)/2;
-
-	BN_init(&ah); BN_init(&al); BN_init(&bh); BN_init(&bl);
-
-	bn_set_low( &al,A,n);
-	bn_set_high(&ah,A,n);
-	bn_set_low( &bl,B,n);
-	bn_set_high(&bh,B,n);
-
-	if (num <= (bn_limit_num_low+bn_limit_num_low))
-		{
-		BN_mul(m,&al,&bl);
-		BN_mul_low(&t1,&al,&bh,n);
-		BN_mul_low(&t2,&ah,&bl,n);
-		}
-	else
-		{
-		bn_mm(m  ,&al,&bl,&(sk[2]),ctx);
-		bn_mm_low(&t1,&al,&bh,n,&(sk[2]),ctx);
-		bn_mm_low(&t2,&ah,&bl,n,&(sk[2]),ctx);
-		}
-
-	BN_add(&t1,&t1,&t2);
-
-	/* We will now do an evil hack instead of
-	 * BN_lshift(&t1,&t1,n*BN_BITS2);
-	 * BN_add(m,m,&t1);
-	 * BN_mask_bits(m,num*BN_BITS2);
-	 */
-	bn_set_high(&ah,m,n); ah.max=num+2;
-	BN_add(&ah,&ah,&t1);
-	m->top=num;
-
-	m->neg=A->neg^B->neg;
-	return(1);
-	}
-
-#undef t1	(sk[0])
-#undef t2	(sk[1])
diff --git a/lib/libcrypto/bn/old/bn_m.c b/lib/libcrypto/bn/old/bn_m.c
index 522beb02bca..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_m.c
+++ b/lib/libcrypto/bn/old/bn_m.c
@@ -1,139 +0,0 @@
-/* crypto/bn/bn_m.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-/*#include "cryptlib.h"*/
-#include "bn_lcl.h"
-
-#define limit_bits 5			/* 2^5, or 32 words */
-#define limit_num (1<<limit_bits)
-
-int BN_m(BIGNUM *r, BIGNUM *a, BIGNUM *b)
-	{
-	BIGNUM *sk;
-	int i,n;
-
-	n=(BN_num_bits_word(a->top|b->top)-limit_bits);
-	n*=2;
-	sk=(BIGNUM *)malloc(sizeof(BIGNUM)*n);
-	for (i=0; i<n; i++)
-		BN_init(&(sk[i]));
-
-	return(BN_mm(r,a,b,&(sk[0])));
-	}
-
-#define ahal	(sk[0])
-#define blbh	(sk[1])
-
-/* r must be different to a and b */
-int BN_mm(BIGNUM *m, BIGNUM *A, BIGNUM *B, BIGNUM *sk)
-	{
-	int i,num,anum,bnum;
-	int an,bn;
-	BIGNUM ah,al,bh,bl;
-
-	an=A->top;
-	bn=B->top;
-	if ((an <= limit_num) || (bn <= limit_num))
-		{
-		return(BN_mul(m,A,B));
-		}
-
-	anum=(an>bn)?an:bn;
-	num=(anum)/2;
-
-	/* Are going to now chop things into 'num' word chunks. */
-	bnum=num*BN_BITS2;
-
-	BN_init(&ahal);
-	BN_init(&blbh);
-	BN_init(&ah);
-	BN_init(&al);
-	BN_init(&bh);
-	BN_init(&bl);
-
-	al.top=num;
-	al.d=A->d;
-	ah.top=A->top-num;
-	ah.d= &(A->d[num]);
-
-	bl.top=num;
-	bl.d=B->d;
-	bh.top=B->top-num;
-	bh.d= &(B->d[num]);
-
-	BN_sub(&ahal,&ah,&al);
-	BN_sub(&blbh,&bl,&bh);
-
-	BN_mm(m,&ahal,&blbh,&(sk[2]));
-	BN_mm(&ahal,&al,&bl,&(sk[2]));
-	BN_mm(&blbh,&ah,&bh,&(sk[2]));
-
-	BN_add(m,m,&ahal);
-	BN_add(m,m,&blbh);
-
-	BN_lshift(m,m,bnum);
-	BN_add(m,m,&ahal);
-
-	BN_lshift(&blbh,&blbh,bnum*2);
-	BN_add(m,m,&blbh);
-
-	m->neg=A->neg^B->neg;
-	return(1);
-	}
-
diff --git a/lib/libcrypto/bn/old/bn_mul.c.works b/lib/libcrypto/bn/old/bn_mul.c.works
index 6d565d44a27..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_mul.c.works
+++ b/lib/libcrypto/bn/old/bn_mul.c.works
@@ -1,219 +0,0 @@
-/* crypto/bn/bn_mul.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-int bn_mm(BIGNUM *m,BIGNUM *A,BIGNUM *B, BIGNUM *sk,BN_CTX *ctx);
-
-/* r must be different to a and b */
-int BN_mul(r, a, b)
-BIGNUM *r;
-BIGNUM *a;
-BIGNUM *b;
-	{
-	BN_ULONG *ap,*bp,*rp;
-	BIGNUM *sk;
-	int i,n,ret;
-	int max,al,bl;
-	BN_CTX ctx;
-
-	bn_check_top(a);
-	bn_check_top(b);
-
-	al=a->top;
-	bl=b->top;
-	if ((al == 0) || (bl == 0))
-		{
-		r->top=0;
-		return(1);
-		}
-#ifdef BN_MUL_DEBUG
-printf("BN_mul(%d,%d)\n",a->top,b->top);
-#endif
-
-#ifdef BN_RECURSION
-	if (	(bn_limit_bits > 0) &&
-		(bl > bn_limit_num) && (al > bn_limit_num))
-		{
-		n=(BN_num_bits_word(al|bl)-bn_limit_bits);
-		n*=2;
-		sk=(BIGNUM *)Malloc(sizeof(BIGNUM)*n);
-		memset(sk,0,sizeof(BIGNUM)*n);
-		memset(&ctx,0,sizeof(ctx));
-
-		ret=bn_mm(r,a,b,&(sk[0]),&ctx);
-		for (i=0; i<n; i+=2)
-			{
-			BN_clear_free(&sk[i]);
-			BN_clear_free(&sk[i+1]);
-			}
-		Free(sk);
-		return(ret);
-		}
-#endif
-
-	max=(al+bl);
-	if (bn_wexpand(r,max) == NULL) return(0);
-	r->top=max;
-	r->neg=a->neg^b->neg;
-	ap=a->d;
-	bp=b->d;
-	rp=r->d;
-
-#ifdef BN_RECURSION
-	if ((al == bl) && (al == 8))
-		{
-		bn_mul_comba8(rp,ap,bp);
-		}
-	else
-#endif
-		{
-		rp[al]=bn_mul_words(rp,ap,al,*(bp++));
-		rp++;
-		for (i=1; i<bl; i++)
-			{
-			rp[al]=bn_mul_add_words(rp,ap,al,*(bp++));
-			rp++;
-			}
-		}
-	if ((max > 0) && (r->d[max-1] == 0)) r->top--;
-	return(1);
-	}
-
-#ifdef BN_RECURSION
-
-#define ahal	(sk[0])
-#define blbh	(sk[1])
-
-/* r must be different to a and b */
-int bn_mm(m, A, B, sk,ctx)
-BIGNUM *m,*A,*B;
-BIGNUM *sk;
-BN_CTX *ctx;
-	{
-	int n,num,sqr=0;
-	int an,bn;
-	BIGNUM ah,al,bh,bl;
-
-	an=A->top;
-	bn=B->top;
-#ifdef BN_MUL_DEBUG
-printf("bn_mm(%d,%d)\n",A->top,B->top);
-#endif
-
-	if (A == B) sqr=1;
-	num=(an>bn)?an:bn;
-	n=(num+1)/2;
-	/* Are going to now chop things into 'num' word chunks. */
-
-	BN_init(&ah);
-	BN_init(&al);
-	BN_init(&bh);
-	BN_init(&bl);
-
-	bn_set_low (&al,A,n);
-	bn_set_high(&ah,A,n);
-	bn_set_low (&bl,B,n);
-	bn_set_high(&bh,B,n);
-
-	BN_sub(&ahal,&ah,&al);
-	BN_sub(&blbh,&bl,&bh);
-
-	if (num <= (bn_limit_num+bn_limit_num))
-		{
-		BN_mul(m,&ahal,&blbh);
-		if (sqr)
-			{
-			BN_sqr(&ahal,&al,ctx);
-			BN_sqr(&blbh,&ah,ctx);
-			}
-		else
-			{
-			BN_mul(&ahal,&al,&bl);
-			BN_mul(&blbh,&ah,&bh);
-			}
-		}
-	else
-		{
-		bn_mm(m,&ahal,&blbh,&(sk[2]),ctx);
-		bn_mm(&ahal,&al,&bl,&(sk[2]),ctx);
-		bn_mm(&blbh,&ah,&bh,&(sk[2]),ctx);
-		}
-
-	BN_add(m,m,&ahal);
-	BN_add(m,m,&blbh);
-
-	BN_lshift(m,m,n*BN_BITS2);
-	BN_lshift(&blbh,&blbh,n*BN_BITS2*2);
-
-	BN_add(m,m,&ahal);
-	BN_add(m,m,&blbh);
-
-	m->neg=A->neg^B->neg;
-	return(1);
-	}
-#undef ahal	(sk[0])
-#undef blbh	(sk[1])
-
-#include "bn_low.c"
-#include "bn_high.c"
-#include "f.c"
-
-#endif
diff --git a/lib/libcrypto/bn/old/bn_wmul.c b/lib/libcrypto/bn/old/bn_wmul.c
index a467b2f17aa..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/bn_wmul.c
+++ b/lib/libcrypto/bn/old/bn_wmul.c
@@ -1,173 +0,0 @@
-#include <stdio.h>
-#include "bn_lcl.h"
-
-#if 1
-
-int bn_mull(BIGNUM *r,BIGNUM *a,BIGNUM *b, BN_CTX *ctx);
-
-int bn_mull(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
-	{
-	int top,i,j,k,al,bl;
-	BIGNUM *t;
-
-#ifdef BN_COUNT
-printf("bn_mull %d * %d\n",a->top,b->top);
-#endif
-
-	bn_check_top(a);
-	bn_check_top(b);
-	bn_check_top(r);
-
-	al=a->top;
-	bl=b->top;
-	r->neg=a->neg^b->neg;
-
-	top=al+bl;
-	if ((al < 4) || (bl < 4))
-		{
-		if (bn_wexpand(r,top) == NULL) return(0);
-		r->top=top;
-		bn_mul_normal(r->d,a->d,al,b->d,bl);
-		goto end;
-		}
-	else if (al == bl) /* A good start, they are the same size */
-		goto symetric;
-	else
-		{
-		i=(al-bl);
-		if ((i ==  1) && !BN_get_flags(b,BN_FLG_STATIC_DATA))
-			{
-			bn_wexpand(b,al);
-			b->d[bl]=0;
-			bl++;
-			goto symetric;
-			}
-		else if ((i ==  -1) && !BN_get_flags(a,BN_FLG_STATIC_DATA))
-			{
-			bn_wexpand(a,bl);
-			a->d[al]=0;
-			al++;
-			goto symetric;
-			}
-		}
-
-	/* asymetric and >= 4 */ 
-	if (bn_wexpand(r,top) == NULL) return(0);
-	r->top=top;
-	bn_mul_normal(r->d,a->d,al,b->d,bl);
-
-	if (0)
-		{
-		/* symetric and > 4 */
-symetric:
-		if (al == 4)
-			{
-			if (bn_wexpand(r,al*2) == NULL) return(0);
-			r->top=top;
-			bn_mul_comba4(r->d,a->d,b->d);
-			goto end;
-			}
-		if (al == 8)
-			{
-			if (bn_wexpand(r,al*2) == NULL) return(0);
-			r->top=top;
-			bn_mul_comba8(r->d,a->d,b->d);
-			goto end;
-			}
-		if (al <= BN_MULL_NORMAL_SIZE)
-			{
-			if (bn_wexpand(r,al*2) == NULL) return(0);
-			r->top=top;
-			bn_mul_normal(r->d,a->d,al,b->d,bl);
-			goto end;
-			}
-		/* 16 or larger */
-		j=BN_num_bits_word((BN_ULONG)al);
-		j=1<<(j-1);
-		k=j+j;
-		t= &(ctx->bn[ctx->tos]);
-		if (al == j) /* exact multiple */
-			{
-			bn_wexpand(t,k*2);
-			bn_wexpand(r,k*2);
-			bn_mul_recursive(r->d,a->d,b->d,al,t->d);
-			}
-		else
-			{
-			bn_wexpand(a,k);
-			bn_wexpand(b,k);
-			bn_wexpand(t,k*4);
-			bn_wexpand(r,k*4);
-			for (i=a->top; i<k; i++)
-				a->d[i]=0;
-			for (i=b->top; i<k; i++)
-				b->d[i]=0;
-			bn_mul_part_recursive(r->d,a->d,b->d,al-j,j,t->d);
-			}
-		r->top=top;
-		}
-end:
-	bn_fix_top(r);
-	return(1);
-	}
-#endif
-
-void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
-	{
-	BN_ULONG *rr;
-
-#ifdef BN_COUNT
-printf(" bn_mul_normal %d * %d\n",na,nb);
-#endif
-
-	if (na < nb)
-		{
-		int itmp;
-		BN_ULONG *ltmp;
-
-		itmp=na; na=nb; nb=itmp;
-		ltmp=a;   a=b;   b=ltmp;
-
-		}
-	rr= &(r[na]);
-	rr[0]=bn_mul_words(r,a,na,b[0]);
-
-	for (;;)
-		{
-		if (--nb <= 0) return;
-		rr[1]=bn_mul_add_words(&(r[1]),a,na,b[1]);
-		if (--nb <= 0) return;
-		rr[2]=bn_mul_add_words(&(r[2]),a,na,b[2]);
-		if (--nb <= 0) return;
-		rr[3]=bn_mul_add_words(&(r[3]),a,na,b[3]);
-		if (--nb <= 0) return;
-		rr[4]=bn_mul_add_words(&(r[4]),a,na,b[4]);
-		rr+=4;
-		r+=4;
-		b+=4;
-		}
-	}
-
-#if 1
-void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
-	{
-#ifdef BN_COUNT
-printf(" bn_mul_low_normal %d * %d\n",n,n);
-#endif
-	bn_mul_words(r,a,n,b[0]);
-
-	for (;;)
-		{
-		if (--n <= 0) return;
-		bn_mul_add_words(&(r[1]),a,n,b[1]);
-		if (--n <= 0) return;
-		bn_mul_add_words(&(r[2]),a,n,b[2]);
-		if (--n <= 0) return;
-		bn_mul_add_words(&(r[3]),a,n,b[3]);
-		if (--n <= 0) return;
-		bn_mul_add_words(&(r[4]),a,n,b[4]);
-		r+=4;
-		b+=4;
-		}
-	}
-#endif
diff --git a/lib/libcrypto/bn/old/build b/lib/libcrypto/bn/old/build
index 8cd99e5f179..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/build
+++ b/lib/libcrypto/bn/old/build
@@ -1,3 +0,0 @@
-#!/bin/sh -x
-
-gcc -g -I../../include test.c -L../.. -lcrypto
diff --git a/lib/libcrypto/bn/old/info b/lib/libcrypto/bn/old/info
index 5ac99c3b237..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/info
+++ b/lib/libcrypto/bn/old/info
@@ -1,22 +0,0 @@
-Given A1A0 * B1B0 == S3S2S1S0
-
-S0=     low(A0*B0)
-S1=     low( (A1-A0)*(B0-B1)) +low( A1*B1) +high(A0*B0)
-S2=     high((A1-A0)*(B0-B1)) +high(A1*B1) +low( A1*B1)
-S3=     high(A1*B1);
-
-Assume we know S1 and S0, and can calulate A1*B1 and high((A1-A0)*(B0-B1))
-
-k0=	S0 == low(A0*B0)
-k1=	S1
-k2=	low( A1*B1)
-k3=	high(A1*B1)
-k4=	high((A1-A0)*(B0-B1))
-
-k1=	low((A1-A0)*(B0-B1)) +k2 +high(A0*B0)
-S2=	k4 +k3 +k2
-S3=	k3
-
-S1-k2= low((A1-A0)*(B0-B1)) +high(A0*B0)
-
-We potentially have a carry or a borrow from S1
diff --git a/lib/libcrypto/bn/old/test.works b/lib/libcrypto/bn/old/test.works
index 127c7b415d8..e69de29bb2d 100644
--- a/lib/libcrypto/bn/old/test.works
+++ b/lib/libcrypto/bn/old/test.works
@@ -1,205 +0,0 @@
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-#define SIZE	128
-
-#define BN_MONT_CTX_set		bn_mcs
-#define BN_from_montgomery	bn_fm
-#define BN_mod_mul_montgomery	bn_mmm
-#undef BN_to_montgomery
-#define BN_to_montgomery(r,a,mont,ctx)	bn_mmm(\
-	r,a,(mont)->RR,(mont),ctx)
-
-main()
-	{
-	BIGNUM prime,a,b,r,A,B,R;
-	BN_MONT_CTX *mont;
-	BN_CTX *ctx;
-	int i;
-
-	ctx=BN_CTX_new();
-	BN_init(&prime);
-	BN_init(&a); BN_init(&b); BN_init(&r);
-	BN_init(&A); BN_init(&B); BN_init(&R);
-
-	BN_generate_prime(&prime,SIZE,0,NULL,NULL,NULL,NULL);
-	BN_rand(&A,SIZE,1,0);
-	BN_rand(&B,SIZE,1,0);
-	BN_mod(&A,&A,&prime,ctx);
-	BN_mod(&B,&B,&prime,ctx);
-
-	mont=BN_MONT_CTX_new();
-	BN_MONT_CTX_set(mont,&prime,ctx);
-
-	BN_to_montgomery(&a,&A,mont,ctx);
-	BN_to_montgomery(&b,&B,mont,ctx);
-
-	BN_mul(&r,&a,&b);
-	BN_print_fp(stdout,&r); printf("\n");
-	BN_from_montgomery(&r,&r,mont,ctx);
-	BN_print_fp(stdout,&r); printf("\n");
-	BN_from_montgomery(&r,&r,mont,ctx);
-	BN_print_fp(stdout,&r); printf("\n");
-
-	BN_mod_mul(&R,&A,&B,&prime,ctx);
-
-	BN_print_fp(stdout,&a); printf("\n");
-	BN_print_fp(stdout,&b); printf("\n");
-	BN_print_fp(stdout,&prime); printf("\n");
-	BN_print_fp(stdout,&r); printf("\n\n");
-
-	BN_print_fp(stdout,&A); printf("\n");
-	BN_print_fp(stdout,&B); printf("\n");
-	BN_print_fp(stdout,&prime); printf("\n");
-	BN_print_fp(stdout,&R); printf("\n\n");
-
-	BN_mul(&r,&a,&b);
-	BN_print_fp(stdout,&r); printf(" <- BA*DC\n");
-	BN_copy(&A,&r);
-	i=SIZE/2;
-	BN_mask_bits(&A,i*2);
-//	BN_print_fp(stdout,&A); printf(" <- low(BA*DC)\n");
-	bn_do_lower(&r,&a,&b,&A,i);
-//	BN_print_fp(stdout,&r); printf(" <- low(BA*DC)\n");
-	}
-
-int bn_mul_low(r,a,b,low,i)
-BIGNUM *r,*a,*b,*low;
-int i;
-	{
-	int w;
-	BIGNUM Kh,Km,t1,t2,h,ah,al,bh,bl,l,m,s0,s1;
-
-	BN_init(&Kh); BN_init(&Km); BN_init(&t1); BN_init(&t2); BN_init(&l);
-	BN_init(&ah); BN_init(&al); BN_init(&bh); BN_init(&bl); BN_init(&h);
-	BN_init(&m); BN_init(&s0); BN_init(&s1);
-
-	BN_copy(&al,a); BN_mask_bits(&al,i); BN_rshift(&ah,a,i);
-	BN_copy(&bl,b); BN_mask_bits(&bl,i); BN_rshift(&bh,b,i);
-
-
-	BN_sub(&t1,&al,&ah);
-	BN_sub(&t2,&bh,&bl);
-	BN_mul(&m,&t1,&t2);
-	BN_mul(&h,&ah,&bh);
-
-	BN_copy(&s0,low); BN_mask_bits(&s0,i);
-	BN_rshift(&s1,low,i);
-
-	BN_add(&t1,&h,&m);
-	BN_add(&t1,&t1,&s0);
-
-	BN_copy(&t2,&t1); BN_mask_bits(&t2,i);
-	BN_sub(&t1,&s1,&t2);
-	BN_lshift(&t1,&t1,i);
-	BN_add(&t1,&t1,&s0);
-	if (t1.neg)
-		{
-		BN_lshift(&t2,BN_value_one(),i*2);
-		BN_add(&t1,&t2,&t1);
-		BN_mask_bits(&t1,i*2);
-		}
-	
-	BN_free(&Kh); BN_free(&Km); BN_free(&t1); BN_free(&t2);
-	BN_free(&ah); BN_free(&al); BN_free(&bh); BN_free(&bl);
-	}
-
-int BN_mod_mul_montgomery(r,a,b,mont,ctx)
-BIGNUM *r,*a,*b;
-BN_MONT_CTX *mont;
-BN_CTX *ctx;
-	{
-	BIGNUM *tmp;
-
-        tmp= &(ctx->bn[ctx->tos++]);
-
-	if (a == b)
-		{
-		if (!BN_sqr(tmp,a,ctx)) goto err;
-		}
-	else
-		{
-		if (!BN_mul(tmp,a,b)) goto err;
-		}
-	/* reduce from aRR to aR */
-	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
-	ctx->tos--;
-	return(1);
-err:
-	return(0);
-	}
-
-int BN_from_montgomery(r,a,mont,ctx)
-BIGNUM *r;
-BIGNUM *a;
-BN_MONT_CTX *mont;
-BN_CTX *ctx;
-	{
-	BIGNUM z1;
-	BIGNUM *t1,*t2;
-	BN_ULONG *ap,*bp,*rp;
-	int j,i,bl,al;
-
-	BN_init(&z1);
-	t1= &(ctx->bn[ctx->tos]);
-	t2= &(ctx->bn[ctx->tos+1]);
-
-	if (!BN_copy(t1,a)) goto err;
-	/* can cheat */
-	BN_mask_bits(t1,mont->ri);
-	if (!BN_mul(t2,t1,mont->Ni)) goto err;
-	BN_mask_bits(t2,mont->ri);
-
-	if (!BN_mul(t1,t2,mont->N)) goto err;
-	if (!BN_add(t2,t1,a)) goto err;
-
-	/* At this point, t2 has the bottom ri bits set to zero.
-	 * This means that the bottom ri bits == the 1^ri minus the bottom
-	 * ri bits of a.
-	 * This means that only the bits above 'ri' in a need to be added,
-	 * and XXXXXXXXXXXXXXXXXXXXXXXX
-	 */
-BN_print_fp(stdout,t2); printf("\n");
-	BN_rshift(r,t2,mont->ri);
-
-	if (BN_ucmp(r,mont->N) >= 0)
-		bn_qsub(r,r,mont->N);
-
-	return(1);
-err:
-	return(0);
-	}
-
-int BN_MONT_CTX_set(mont,mod,ctx)
-BN_MONT_CTX *mont;
-BIGNUM *mod;
-BN_CTX *ctx;
-	{
-	BIGNUM *Ri=NULL,*R=NULL;
-
-	if (mont->RR == NULL) mont->RR=BN_new();
-	if (mont->N == NULL)  mont->N=BN_new();
-
-	R=mont->RR;					/* grab RR as a temp */
-	BN_copy(mont->N,mod);				/* Set N */
-
-	mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-	BN_lshift(R,BN_value_one(),mont->ri);			/* R */
-	if ((Ri=BN_mod_inverse(NULL,R,mod,ctx)) == NULL) goto err;/* Ri */
-	BN_lshift(Ri,Ri,mont->ri);				/* R*Ri */
-	bn_qsub(Ri,Ri,BN_value_one());				/* R*Ri - 1 */
-	BN_div(Ri,NULL,Ri,mod,ctx);
-	if (mont->Ni != NULL) BN_free(mont->Ni);
-	mont->Ni=Ri;					/* Ni=(R*Ri-1)/N */
-
-	/* setup RR for conversions */
-	BN_lshift(mont->RR,BN_value_one(),mont->ri*2);
-	BN_mod(mont->RR,mont->RR,mont->N,ctx);
-
-	return(1);
-err:
-	return(0);
-	}
-
-
diff --git a/lib/libcrypto/bn/test.c b/lib/libcrypto/bn/test.c
index a048b9f878d..e69de29bb2d 100644
--- a/lib/libcrypto/bn/test.c
+++ b/lib/libcrypto/bn/test.c
@@ -1,241 +0,0 @@
-#include <stdio.h>
-#include "cryptlib.h"
-#include "bn_lcl.h"
-
-#define SIZE	32
-
-#define BN_MONT_CTX_set		bn_mcs
-#define BN_from_montgomery	bn_fm
-#define BN_mod_mul_montgomery	bn_mmm
-#undef BN_to_montgomery
-#define BN_to_montgomery(r,a,mont,ctx)	bn_mmm(\
-	r,a,(mont)->RR,(mont),ctx)
-
-main()
-	{
-	BIGNUM prime,a,b,r,A,B,R;
-	BN_MONT_CTX *mont;
-	BN_CTX *ctx;
-	int i;
-
-	ctx=BN_CTX_new();
-	BN_init(&prime);
-	BN_init(&a); BN_init(&b); BN_init(&r);
-	BN_init(&A); BN_init(&B); BN_init(&R);
-
-	BN_generate_prime(&prime,SIZE,0,NULL,NULL,NULL,NULL);
-	BN_rand(&A,SIZE,1,0);
-	BN_rand(&B,SIZE,1,0);
-	BN_mod(&A,&A,&prime,ctx);
-	BN_mod(&B,&B,&prime,ctx);
-
-	i=A.top;
-	BN_mul(&R,&A,&B,ctx);
-	BN_mask_bits(&R,i*BN_BITS2);
-
-
-	BN_print_fp(stdout,&A); printf(" <- a\n");
-	BN_print_fp(stdout,&B); printf(" <- b\n");
-	BN_mul_high(&r,&A,&B,&R,i);
-	BN_print_fp(stdout,&r); printf(" <- high(BA*DC)\n");
-
-	BN_mask_bits(&A,i*32);
-	BN_mask_bits(&B,i*32);
-
-	BN_mul(&R,&A,&B);
-	BN_rshift(&R,&R,i*32);
-	BN_print_fp(stdout,&R); printf(" <- norm BA*DC\n");
-	BN_sub(&R,&R,&r);
-	BN_print_fp(stdout,&R); printf(" <- diff\n");
-	}
-
-#if 0
-int bn_mul_high(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *low, int words)
-	{
-	int i;
-	BIGNUM t1,t2,t3,h,ah,al,bh,bl,m,s0,s1;
-
-	BN_init(&al); BN_init(&ah);
-	BN_init(&bl); BN_init(&bh);
-	BN_init(&t1); BN_init(&t2); BN_init(&t3);
-	BN_init(&s0); BN_init(&s1);
-	BN_init(&h); BN_init(&m);
-
-	i=a->top;
-	if (i >= words)
-		{
-		al.top=words;
-		ah.top=a->top-words;
-		ah.d= &(a->d[ah.top]);
-		}
-	else
-		al.top=i;
-	al.d=a->d;
-
-	i=b->top;
-	if (i >= words)
-		{
-		bl.top=words;
-		bh.top=i-words;
-		bh.d= &(b->d[bh.top]);
-		}
-	else
-		bl.top=i;
-	bl.d=b->d;
-
-	i=low->top;
-	if (i >= words)
-		{
-		s0.top=words;
-		s1.top=i-words;
-		s1.d= &(low->d[s1.top]);
-		}
-	else
-		s0.top=i;
-	s0.d=low->d;
-
-al.max=al.top; ah.max=ah.top;
-bl.max=bl.top; bh.max=bh.top;
-s0.max=bl.top; s1.max=bh.top;
-
-	/* Calculate (al-ah)*(bh-bl) */
-	BN_sub(&t1,&al,&ah);
-	BN_sub(&t2,&bh,&bl);
-	BN_mul(&m,&t1,&t2);
-
-	/* Calculate ah*bh */
-	BN_mul(&h,&ah,&bh);
-
-	/* s0 == low(al*bl)
-	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
-	 * We know s0 and s1 so the only unknown is high(al*bl)
-	 * high(al*bl) == s1 - low(ah*bh+(al-ah)*(bh-bl)+s0)
-	 */
-	BN_add(&m,&m,&h);
-	BN_add(&t2,&m,&s0);
-	/* Quick and dirty mask off of high words */
-	t3.d=t2.d;
-	t3.top=(t2.top > words)?words:t2.top;
-	t3.neg=t2.neg;
-t3.max=t3.top;
-/* BN_print_fp(stdout,&s1); printf(" s1\n"); */
-/* BN_print_fp(stdout,&t2); printf(" middle value\n"); */
-/* BN_print_fp(stdout,&t3); printf(" low middle value\n"); */
-	BN_sub(&t1,&s1,&t3);
-
-	if (t1.neg)
-		{
-/*printf("neg fixup\n"); BN_print_fp(stdout,&t1); printf(" before\n"); */
-		BN_lshift(&t2,BN_value_one(),words*32);
-		BN_add(&t1,&t2,&t1);
-		BN_mask_bits(&t1,words*32);
-/* BN_print_fp(stdout,&t1); printf(" after\n"); */
-		}
-	/* al*bl == high(al*bl)<<words+s0 */
-	BN_lshift(&t1,&t1,words*32);
-	BN_add(&t1,&t1,&s0);
-	
-	/* We now have
-	 * al*bl			- t1
-	 * (al-ah)*(bh-bl)+ah*bh	- m
-	 * ah*bh			- h
-	 */
-	BN_copy(r,&t1);
-	BN_mask_bits(r,words*32*2);
-
-	/*BN_lshift(&m,&m,words*/
-
-	BN_free(&t1); BN_free(&t2);
-	BN_free(&m); BN_free(&h);
-	}
-
-int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_MONT_CTX *mont,
-	     BN_CTX *ctx)
-	{
-	BIGNUM *tmp;
-
-        tmp= &(ctx->bn[ctx->tos++]);
-
-	if (a == b)
-		{
-		if (!BN_sqr(tmp,a,ctx)) goto err;
-		}
-	else
-		{
-		if (!BN_mul(tmp,a,b)) goto err;
-		}
-	/* reduce from aRR to aR */
-	if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
-	ctx->tos--;
-	return(1);
-err:
-	return(0);
-	}
-
-int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx)
-	{
-	BIGNUM z1;
-	BIGNUM *t1,*t2;
-	BN_ULONG *ap,*bp,*rp;
-	int j,i,bl,al;
-
-	BN_init(&z1);
-	t1= &(ctx->bn[ctx->tos]);
-	t2= &(ctx->bn[ctx->tos+1]);
-
-	if (!BN_copy(t1,a)) goto err;
-	/* can cheat */
-	BN_mask_bits(t1,mont->ri);
-	if (!BN_mul(t2,t1,mont->Ni)) goto err;
-	BN_mask_bits(t2,mont->ri);
-
-	if (!BN_mul(t1,t2,mont->N)) goto err;
-	if (!BN_add(t2,t1,a)) goto err;
-
-	/* At this point, t2 has the bottom ri bits set to zero.
-	 * This means that the bottom ri bits == the 1^ri minus the bottom
-	 * ri bits of a.
-	 * This means that only the bits above 'ri' in a need to be added,
-	 * and XXXXXXXXXXXXXXXXXXXXXXXX
-	 */
-BN_print_fp(stdout,t2); printf("\n");
-	BN_rshift(r,t2,mont->ri);
-
-	if (BN_ucmp(r,mont->N) >= 0)
-		BN_usub(r,r,mont->N);
-
-	return(1);
-err:
-	return(0);
-	}
-
-int BN_MONT_CTX_set(BN_MONT_CTX *mont, BIGNUM *mod, BN_CTX *ctx)
-	{
-	BIGNUM *Ri=NULL,*R=NULL;
-
-	if (mont->RR == NULL) mont->RR=BN_new();
-	if (mont->N == NULL)  mont->N=BN_new();
-
-	R=mont->RR;					/* grab RR as a temp */
-	BN_copy(mont->N,mod);				/* Set N */
-
-	mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-	BN_lshift(R,BN_value_one(),mont->ri);			/* R */
-	if ((Ri=BN_mod_inverse(NULL,R,mod,ctx)) == NULL) goto err;/* Ri */
-	BN_lshift(Ri,Ri,mont->ri);				/* R*Ri */
-	BN_usub(Ri,Ri,BN_value_one());				/* R*Ri - 1 */
-	BN_div(Ri,NULL,Ri,mod,ctx);
-	if (mont->Ni != NULL) BN_free(mont->Ni);
-	mont->Ni=Ri;					/* Ni=(R*Ri-1)/N */
-
-	/* setup RR for conversions */
-	BN_lshift(mont->RR,BN_value_one(),mont->ri*2);
-	BN_mod(mont->RR,mont->RR,mont->N,ctx);
-
-	return(1);
-err:
-	return(0);
-	}
-
-
-#endif
diff --git a/lib/libcrypto/buffer/Makefile.ssl b/lib/libcrypto/buffer/Makefile.ssl
index f23de89e338..506708c37f7 100644
--- a/lib/libcrypto/buffer/Makefile.ssl
+++ b/lib/libcrypto/buffer/Makefile.ssl
@@ -83,4 +83,5 @@ buffer.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 buffer.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 buffer.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-buffer.o: ../../include/openssl/stack.h ../cryptlib.h
+buffer.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+buffer.o: ../cryptlib.h
diff --git a/lib/libcrypto/cast/c_ecb.c b/lib/libcrypto/cast/c_ecb.c
index 33182f2b712..0b3da9ad871 100644
--- a/lib/libcrypto/cast/c_ecb.c
+++ b/lib/libcrypto/cast/c_ecb.c
@@ -60,7 +60,7 @@
 #include "cast_lcl.h"
 #include <openssl/opensslv.h>
 
-char *CAST_version="CAST" OPENSSL_VERSION_PTEXT;
+const char *CAST_version="CAST" OPENSSL_VERSION_PTEXT;
 
 void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
 		      CAST_KEY *ks, int enc)
diff --git a/lib/libcrypto/cast/cast_lcl.h b/lib/libcrypto/cast/cast_lcl.h
index 83cf382a914..cfe3842e91f 100644
--- a/lib/libcrypto/cast/cast_lcl.h
+++ b/lib/libcrypto/cast/cast_lcl.h
@@ -216,11 +216,11 @@
 	}
 #endif
 
-OPENSSL_EXTERN CAST_LONG CAST_S_table0[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table1[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table2[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table3[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table4[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table5[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table6[256];
-OPENSSL_EXTERN CAST_LONG CAST_S_table7[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table0[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table1[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table2[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table3[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table4[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table5[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table6[256];
+OPENSSL_EXTERN const CAST_LONG CAST_S_table7[256];
diff --git a/lib/libcrypto/cast/cast_s.h b/lib/libcrypto/cast/cast_s.h
index 9af28972c51..c483fd5e43e 100644
--- a/lib/libcrypto/cast/cast_s.h
+++ b/lib/libcrypto/cast/cast_s.h
@@ -55,7 +55,7 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
-OPENSSL_GLOBAL CAST_LONG CAST_S_table0[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table0[256]={
 	0x30fb40d4,0x9fa0ff0b,0x6beccd2f,0x3f258c7a,
 	0x1e213f2f,0x9c004dd3,0x6003e540,0xcf9fc949,
 	0xbfd4af27,0x88bbbdb5,0xe2034090,0x98d09675,
@@ -121,7 +121,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table0[256]={
 	0x1a69e783,0x02cc4843,0xa2f7c579,0x429ef47d,
 	0x427b169c,0x5ac9f049,0xdd8f0f00,0x5c8165bf,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table1[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table1[256]={
 	0x1f201094,0xef0ba75b,0x69e3cf7e,0x393f4380,
 	0xfe61cf7a,0xeec5207a,0x55889c94,0x72fc0651,
 	0xada7ef79,0x4e1d7235,0xd55a63ce,0xde0436ba,
@@ -187,7 +187,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table1[256]={
 	0x43d79572,0x7e6dd07c,0x06dfdf1e,0x6c6cc4ef,
 	0x7160a539,0x73bfbe70,0x83877605,0x4523ecf1,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table2[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table2[256]={
 	0x8defc240,0x25fa5d9f,0xeb903dbf,0xe810c907,
 	0x47607fff,0x369fe44b,0x8c1fc644,0xaececa90,
 	0xbeb1f9bf,0xeefbcaea,0xe8cf1950,0x51df07ae,
@@ -253,7 +253,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table2[256]={
 	0xf7baefd5,0x4142ed9c,0xa4315c11,0x83323ec5,
 	0xdfef4636,0xa133c501,0xe9d3531c,0xee353783,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table3[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table3[256]={
 	0x9db30420,0x1fb6e9de,0xa7be7bef,0xd273a298,
 	0x4a4f7bdb,0x64ad8c57,0x85510443,0xfa020ed1,
 	0x7e287aff,0xe60fb663,0x095f35a1,0x79ebf120,
@@ -319,7 +319,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table3[256]={
 	0x7ae5290c,0x3cb9536b,0x851e20fe,0x9833557e,
 	0x13ecf0b0,0xd3ffb372,0x3f85c5c1,0x0aef7ed2,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table4[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table4[256]={
 	0x7ec90c04,0x2c6e74b9,0x9b0e66df,0xa6337911,
 	0xb86a7fff,0x1dd358f5,0x44dd9d44,0x1731167f,
 	0x08fbf1fa,0xe7f511cc,0xd2051b00,0x735aba00,
@@ -385,7 +385,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table4[256]={
 	0xe822fe15,0x88570983,0x750e6249,0xda627e55,
 	0x5e76ffa8,0xb1534546,0x6d47de08,0xefe9e7d4,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table5[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table5[256]={
 	0xf6fa8f9d,0x2cac6ce1,0x4ca34867,0xe2337f7c,
 	0x95db08e7,0x016843b4,0xeced5cbc,0x325553ac,
 	0xbf9f0960,0xdfa1e2ed,0x83f0579d,0x63ed86b9,
@@ -451,7 +451,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table5[256]={
 	0xa2d762cf,0x49c92f54,0x38b5f331,0x7128a454,
 	0x48392905,0xa65b1db8,0x851c97bd,0xd675cf2f,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table6[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table6[256]={
 	0x85e04019,0x332bf567,0x662dbfff,0xcfc65693,
 	0x2a8d7f6f,0xab9bc912,0xde6008a1,0x2028da1f,
 	0x0227bce7,0x4d642916,0x18fac300,0x50f18b82,
@@ -517,7 +517,7 @@ OPENSSL_GLOBAL CAST_LONG CAST_S_table6[256]={
 	0x518f36b2,0x84b1d370,0x0fedce83,0x878ddada,
 	0xf2a279c7,0x94e01be8,0x90716f4b,0x954b8aa3,
 	};
-OPENSSL_GLOBAL CAST_LONG CAST_S_table7[256]={
+OPENSSL_GLOBAL const CAST_LONG CAST_S_table7[256]={
 	0xe216300d,0xbbddfffc,0xa7ebdabd,0x35648095,
 	0x7789f8b7,0xe6c1121b,0x0e241600,0x052ce8b5,
 	0x11a9cfb0,0xe5952f11,0xece7990a,0x9386d174,
diff --git a/lib/libcrypto/cast/cast_spd.c b/lib/libcrypto/cast/cast_spd.c
index c0726906c20..0af915cf206 100644
--- a/lib/libcrypto/cast/cast_spd.c
+++ b/lib/libcrypto/cast/cast_spd.c
@@ -183,7 +183,7 @@ int main(int argc, char **argv)
 #endif
 
 #ifndef TIMES
-	printf("To get the most acurate results, try to run this\n");
+	printf("To get the most accurate results, try to run this\n");
 	printf("program when this computer is idle.\n");
 #endif
 
diff --git a/lib/libcrypto/cast/castopts.c b/lib/libcrypto/cast/castopts.c
index 642e9725af6..c7837966101 100644
--- a/lib/libcrypto/cast/castopts.c
+++ b/lib/libcrypto/cast/castopts.c
@@ -252,7 +252,7 @@ int main(int argc, char **argv)
 		}
 
 #ifndef TIMES
-	fprintf(stderr,"To get the most acurate results, try to run this\n");
+	fprintf(stderr,"To get the most accurate results, try to run this\n");
 	fprintf(stderr,"program when this computer is idle.\n");
 #endif
 
diff --git a/lib/libcrypto/cast/casttest.c b/lib/libcrypto/cast/casttest.c
index 3244b119e95..ab2aeac606e 100644
--- a/lib/libcrypto/cast/casttest.c
+++ b/lib/libcrypto/cast/casttest.c
@@ -71,32 +71,32 @@ int main(int argc, char *argv[])
 
 #define FULL_TEST
 
-unsigned char k[16]={
+static unsigned char k[16]={
 	0x01,0x23,0x45,0x67,0x12,0x34,0x56,0x78,
 	0x23,0x45,0x67,0x89,0x34,0x56,0x78,0x9A
 	};
 
-unsigned char in[8]={ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
+static unsigned char in[8]={ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
 
-int k_len[3]={16,10,5};
-unsigned char c[3][8]={
+static int k_len[3]={16,10,5};
+static unsigned char c[3][8]={
 	{0x23,0x8B,0x4F,0xE5,0x84,0x7E,0x44,0xB2},
 	{0xEB,0x6A,0x71,0x1A,0x2C,0x02,0x27,0x1B},
 	{0x7A,0xC8,0x16,0xD1,0x6E,0x9B,0x30,0x2E},
 	};
-unsigned char out[80];
+static unsigned char out[80];
 
-unsigned char in_a[16]={
+static unsigned char in_a[16]={
 	0x01,0x23,0x45,0x67,0x12,0x34,0x56,0x78,
 	0x23,0x45,0x67,0x89,0x34,0x56,0x78,0x9A};
-unsigned char in_b[16]={
+static unsigned char in_b[16]={
 	0x01,0x23,0x45,0x67,0x12,0x34,0x56,0x78,
 	0x23,0x45,0x67,0x89,0x34,0x56,0x78,0x9A};
 
-unsigned char c_a[16]={
+static unsigned char c_a[16]={
 	0xEE,0xA9,0xD0,0xA2,0x49,0xFD,0x3B,0xA6,
 	0xB3,0x43,0x6F,0xB8,0x9D,0x6D,0xCA,0x92};
-unsigned char c_b[16]={
+static unsigned char c_b[16]={
 	0xB2,0xC9,0x5E,0xB0,0x0C,0x31,0xAD,0x71,
 	0x80,0xAC,0x05,0xB8,0xE8,0x3D,0x69,0x6E};
 
diff --git a/lib/libcrypto/comp/comp.h b/lib/libcrypto/comp/comp.h
index 93bd9c34c80..811cb5833d3 100644
--- a/lib/libcrypto/comp/comp.h
+++ b/lib/libcrypto/comp/comp.h
@@ -17,6 +17,7 @@ typedef struct comp_method_st
 	int (*compress)();
 	int (*expand)();
 	long (*ctrl)();
+	long (*callback_ctrl)();
 	} COMP_METHOD;
 
 typedef struct comp_ctx_st
diff --git a/lib/libcrypto/conf/conf.c b/lib/libcrypto/conf/conf.c
index 7d8b89168a2..3031fa3b449 100644
--- a/lib/libcrypto/conf/conf.c
+++ b/lib/libcrypto/conf/conf.c
@@ -86,28 +86,25 @@ const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT;
 LHASH *CONF_load(LHASH *h, const char *file, long *line)
 	{
 	LHASH *ltmp;
-	FILE *in=NULL;
+	BIO *in=NULL;
 
 #ifdef VMS
-	in=fopen(file,"r");
+	in=BIO_new_file(file, "r");
 #else
-	in=fopen(file,"rb");
+	in=BIO_new_file(file, "rb");
 #endif
 	if (in == NULL)
 		{
-		SYSerr(SYS_F_FOPEN,get_last_sys_error());
-		ERR_set_error_data(BUF_strdup(file),
-			ERR_TXT_MALLOCED|ERR_TXT_STRING);
 		CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
 		return NULL;
 		}
 
-	ltmp = CONF_load_fp(h, in, line);
-	fclose(in);
+	ltmp = CONF_load_bio(h, in, line);
+	BIO_free(in);
 
 	return ltmp;
 }
-
+#ifndef NO_FP_API
 LHASH *CONF_load_fp(LHASH *h, FILE *in, long *line)
 {
 	BIO *btmp;
@@ -120,6 +117,7 @@ LHASH *CONF_load_fp(LHASH *h, FILE *in, long *line)
 	BIO_free(btmp);
 	return ltmp;
 }
+#endif
 
 LHASH *CONF_load_bio(LHASH *h, BIO *in, long *line)
 	{
@@ -338,7 +336,7 @@ again:
 							ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
-			vv=(CONF_VALUE *)lh_insert(ret,(char *)v);
+			vv=(CONF_VALUE *)lh_insert(ret,v);
 			if (vv != NULL)
 				{
 				sk_CONF_VALUE_delete_ptr(ts,vv);
@@ -380,7 +378,7 @@ char *CONF_get_string(LHASH *conf, char *section, char *name)
 			{
 			vv.name=name;
 			vv.section=section;
-			v=(CONF_VALUE *)lh_retrieve(conf,(char *)&vv);
+			v=(CONF_VALUE *)lh_retrieve(conf,&vv);
 			if (v != NULL) return(v->value);
 			if (strcmp(section,"ENV") == 0)
 				{
@@ -390,7 +388,7 @@ char *CONF_get_string(LHASH *conf, char *section, char *name)
 			}
 		vv.section="default";
 		vv.name=name;
-		v=(CONF_VALUE *)lh_retrieve(conf,(char *)&vv);
+		v=(CONF_VALUE *)lh_retrieve(conf,&vv);
 		if (v != NULL)
 			return(v->value);
 		else
@@ -407,7 +405,7 @@ static CONF_VALUE *get_section(LHASH *conf, char *section)
 	if ((conf == NULL) || (section == NULL)) return(NULL);
 	vv.name=NULL;
 	vv.section=section;
-	v=(CONF_VALUE *)lh_retrieve(conf,(char *)&vv);
+	v=(CONF_VALUE *)lh_retrieve(conf,&vv);
 	return(v);
 	}
 
@@ -445,12 +443,12 @@ void CONF_free(LHASH *conf)
 
 	conf->down_load=0; 	/* evil thing to make sure the 'Free()'
 				 * works as expected */
-	lh_doall_arg(conf,(void (*)())value_free_hash,(char *)conf);
+	lh_doall_arg(conf,(void (*)())value_free_hash,conf);
 
 	/* We now have only 'section' entries in the hash table.
 	 * Due to problems with */
 
-	lh_doall_arg(conf,(void (*)())value_free_stack,(char *)conf);
+	lh_doall_arg(conf,(void (*)())value_free_stack,conf);
 	lh_free(conf);
 	}
 
@@ -458,7 +456,7 @@ static void value_free_hash(CONF_VALUE *a, LHASH *conf)
 	{
 	if (a->name != NULL)
 		{
-		a=(CONF_VALUE *)lh_delete(conf,(char *)a);
+		a=(CONF_VALUE *)lh_delete(conf,a);
 		}
 	}
 
@@ -710,7 +708,7 @@ static CONF_VALUE *new_section(LHASH *conf, char *section)
 	v->name=NULL;
 	v->value=(char *)sk;
 	
-	vv=(CONF_VALUE *)lh_insert(conf,(char *)v);
+	vv=(CONF_VALUE *)lh_insert(conf,v);
 	if (vv != NULL)
 		{
 #if !defined(NO_STDIO) && !defined(WIN16)
diff --git a/lib/libcrypto/conf/conf.h b/lib/libcrypto/conf/conf.h
index e7c51500970..21831a92a35 100644
--- a/lib/libcrypto/conf/conf.h
+++ b/lib/libcrypto/conf/conf.h
@@ -78,7 +78,9 @@ typedef struct
 DECLARE_STACK_OF(CONF_VALUE)
 
 LHASH *CONF_load(LHASH *conf,const char *file,long *eline);
+#ifndef NO_FP_API
 LHASH *CONF_load_fp(LHASH *conf, FILE *fp,long *eline);
+#endif
 LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline);
 STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section);
 char *CONF_get_string(LHASH *conf,char *group,char *name);
diff --git a/lib/libcrypto/cryptlib.c b/lib/libcrypto/cryptlib.c
index 356c476a993..a8f29f1e65c 100644
--- a/lib/libcrypto/cryptlib.c
+++ b/lib/libcrypto/cryptlib.c
@@ -92,7 +92,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"getservbyname",
 	"readdir",
 	"RSA_blinding",
-#if CRYPTO_NUM_LOCKS != 24
+	"dh",
+	"debug_malloc2",
+#if CRYPTO_NUM_LOCKS != 26
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -181,7 +183,7 @@ unsigned long CRYPTO_thread_id(void)
 		ret=(unsigned long)GetCurrentTask();
 #elif defined(WIN32)
 		ret=(unsigned long)GetCurrentThreadId();
-#elif defined(MSDOS)
+#elif defined(GETPID_IS_MEANINGLESS)
 		ret=1L;
 #else
 		ret=(unsigned long)getpid();
diff --git a/lib/libcrypto/crypto-lib.com b/lib/libcrypto/crypto-lib.com
index bf916528ebd..79d86771e83 100644
--- a/lib/libcrypto/crypto-lib.com
+++ b/lib/libcrypto/crypto-lib.com
@@ -14,7 +14,14 @@ $!
 $!  It was re-written so it would try to determine what "C" compiler to use 
 $!  or you can specify which "C" compiler to use.
 $!
-$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
+$!  Specify the following as P1 to build just that part or ALL to just
+$!  build everything.
+$!
+$!    		LIBRARY    To just compile the [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
+$!    		APPS       To just compile the [.xxx.EXE.CRYPTO]*.EXE
+$!		ALL	   To do both LIBRARY and APPS
+$!
+$!  Specify RSAREF as P2 to compile with the RSAREF library instead of
 $!  the regular one.  If you specify NORSAREF it will compile with the
 $!  regular RSAREF routines.  (Note: If you are in the United States
 $!  you MUST compile with RSAREF unless you have a license from RSA).
@@ -26,10 +33,10 @@ $!        directory structure stored.  You have to extract the file
 $!        into the [.RSAREF] directory under the root directory as that
 $!        is where the scripts will look for the files.
 $!
-$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG as P3 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P3 to try to compile under.
+$!  Specify which compiler at P4 to try to compile under.
 $!
 $!	   VAXC	 For VAX C.
 $!	   DECC	 For DEC C.
@@ -38,15 +45,15 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  P5, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!	UCX		for UCX
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!
-$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P6, if defined, sets a choice of crypto methods to compile.
+$!  P7, if defined, sets a choice of crypto methods to compile.
 $!  WARNING: this should only be done to recompile some part of an already
 $!  fully compiled library.
 $!
@@ -79,12 +86,13 @@ $ ENDIF
 $!
 $! Define The Different Encryption Types.
 $!
-$ ENCRYPT_TYPES = ",MD2,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
+$ ENCRYPT_TYPES = "Basic,MD2,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
 		  "DES,RC2,RC4,RC5,IDEA,BF,CAST,"+ -
 		  "BN,RSA,DSA,DH,"+ -
 		  "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
 		  "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
 		  "CONF,TXT_DB,PKCS7,PKCS12,COMP"
+$ ENCRYPT_PROGRAMS = "DES,PKCS7"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
@@ -136,6 +144,14 @@ $! Define The Library Name.
 $!
 $ LIB_NAME := 'EXE_DIR'LIBCRYPTO.OLB
 $!
+$! Define The CRYPTO-LIB We Are To Use.
+$!
+$ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB
+$!
+$! Define The RSAREF-LIB We Are To Use.
+$!
+$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
+$!
 $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
 $!
 $ IF (F$SEARCH(LIB_NAME).EQS."")
@@ -149,9 +165,16 @@ $! End The Library Check.
 $!
 $ ENDIF
 $!
+$! Build our options file for the application
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
 $! Define The Different Encryption "library" Strings.
 $!
-$ LIB_ = "cryptlib,mem,cversion,ex_data,tmdiff,cpt_err"
+$ APPS_DES = "DES/DES,CBC3_ENC"
+$ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
+$
+$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
 $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one"
@@ -171,14 +194,14 @@ $ LIB_IDEA = "i_cbc,i_cfb64,i_ofb64,i_ecb,i_skey"
 $ LIB_BF = "bf_skey,bf_ecb,bf_enc,bf_cfb64,bf_ofb64"
 $ LIB_CAST = "c_skey,c_ecb,c_enc,c_cfb64,c_ofb64"
 $ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
-$ IF F$TRNLNM("OPENSSL_NO_ASM") .NES. "" THEN LIB_BN_ASM = "bn_asm"
-$ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_mul,"+ -
+$ IF F$TRNLNM("OPENSSL_NO_ASM").OR.ARCH.EQS."AXP" THEN LIB_BN_ASM = "bn_asm"
+$ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,"+ -
 	"bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
 	"bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+",bn_recp,bn_mont,"+ -
 	"bn_mpi,bn_exp2"
 $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
-	"rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk"
-$ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err"
+	"rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null"
+$ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl"
 $ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
@@ -188,7 +211,7 @@ $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
 	"b_sock,bss_acpt,bf_nbio,bss_rtcp,bss_bio" ! + ",bss_log" for syslog
 $ LIB_STACK = "stack"
 $ LIB_LHASH = "lhash,lh_stats"
-$ LIB_RAND = "md_rand,randfile,rand_lib"
+$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd"
 $ LIB_ERR = "err,err_all,err_prn"
 $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err"
 $ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ -
@@ -204,38 +227,39 @@ $ LIB_EVP_2 = "e_ecb_c,e_cbc_c,e_cfb_c,e_ofb_c,"+ -
 	"m_ripemd,"+ -
 	"p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ -
 	"bio_md,bio_b64,bio_enc,evp_err,e_null,"+ -
-	"c_all,evp_lib,bio_ok,evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
+	"c_all,c_allc,c_alld,evp_lib,bio_ok,"+-
+	"evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
 $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
-	"a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,a_bmp,"+ -
-	"a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,"+ -
+	"a_null,a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,a_bmp,"+ -
+	"a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,a_mbstr,"+ -
 	"x_algor,x_val,x_pubkey,x_sig,x_req,x_attrib,"+ -
-	"x_name,x_cinf,x_x509,x_crl,x_info,x_spki,nsseq,"+ -
+	"x_name,x_cinf,x_x509,x_x509a,x_crl,x_info,x_spki,nsseq,"+ -
 	"d2i_r_pr,i2d_r_pr,d2i_r_pu,i2d_r_pu,"+ -
 	"d2i_s_pr,i2d_s_pr,d2i_s_pu,i2d_s_pu,"+ -
 	"d2i_pu,d2i_pr,i2d_pu,i2d_pr"
-$ LIB_ASN1_2 = "t_req,t_x509,t_crl,t_pkey,"+ -
+$ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ -
 	"p7_i_s,p7_signi,p7_signd,p7_recip,p7_enc_c,p7_evp,"+ -
 	"p7_dgst,p7_s_e,p7_enc,p7_lib,"+ -
 	"f_int,f_string,i2d_dhp,i2d_dsap,d2i_dhp,d2i_dsap,n_pkey,"+ -
 	"f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ -
-	"asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,"+ -
+	"asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ -
 	"evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey"
 $ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err"
 $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ -
-	"x509_obj,x509_req,x509_vfy,"+ -
+	"x509_obj,x509_req,x509spki,x509_vfy,"+ -
 	"x509_set,x509rset,x509_err,"+ -
-	"x509name,x509_v3,x509_ext,"+ -
+	"x509name,x509_v3,x509_ext,x509_att,"+ -
 	"x509type,x509_lu,x_all,x509_txt,"+ -
-	"by_file,by_dir"
+	"x509_trs,by_file,by_dir"
 $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
 	"v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
-	"v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld"
+	"v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info"
 $ LIB_CONF = "conf,conf_err"
 $ LIB_TXT_DB = "txt_db"
-$ LIB_PKCS7 = "pk7_lib,pkcs7err,pk7_doit"
+$ LIB_PKCS7 = "pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,pk7_mime"
 $ LIB_PKCS12 = "p12_add,p12_attr,p12_bags,p12_crpt,p12_crt,p12_decr,"+ -
 	"p12_init,p12_key,p12_kiss,p12_lib,p12_mac,p12_mutl,"+ -
-	"p12_sbag,p12_utl,pk12err"
+	"p12_sbag,p12_utl,p12_npas,pk12err"
 $ LIB_COMP = "comp_lib,"+ -
 	"c_rle,c_zlib"
 $!
@@ -248,7 +272,8 @@ $ COMPILEWITH_CC5 = ",md2_dgst,md5_dgst,mdc2dgst,sha_dgst,sha1dgst," + -
 $!
 $! Check To See If We Are Going To Use RSAREF.
 $!
-$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES)
+$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES -
+      .AND. (BUILDALL .EQS. "TRUE" .OR. BUILDALL .EQS. "LIBRARY"))
 $ THEN
 $!
 $!  Check To See If The File [-.RSAREF]RSAREF.C Is Actually There.
@@ -340,6 +365,8 @@ $!
 $! Extract The Module Name From The Encryption List.
 $!
 $ MODULE_NAME = F$ELEMENT(MODULE_COUNTER,",",ENCRYPT_TYPES)
+$ IF MODULE_NAME.EQS."Basic" THEN MODULE_NAME = ""
+$ MODULE_NAME1 = MODULE_NAME
 $!
 $! Check To See If We Are At The End Of The Module List.
 $!
@@ -358,20 +385,10 @@ $! Increment The Moudle Counter.
 $!
 $ MODULE_COUNTER = MODULE_COUNTER + 1
 $!
-$! Tell The User What Module We Are Building.
-$!
-$ IF (MODULE_NAME.NES."") 
-$ THEN
-$   WRITE SYS$OUTPUT "Compiling The ",MODULE_NAME," Files."
-$ ENDIF
-$!
-$!  Define A File Counter And Set It To "0".
-$!
-$ FILE_COUNTER = 0
-$!
-$! Create The Library Module Name.
+$! Create The Library and Apps Module Names.
 $!
 $ LIB_MODULE = "LIB_" + MODULE_NAME
+$ APPS_MODULE = "APPS_" + MODULE_NAME
 $ IF (MODULE_NAME.EQS."ASN1_2")
 $ THEN
 $   MODULE_NAME = "ASN1"
@@ -381,6 +398,11 @@ $ THEN
 $   MODULE_NAME = "EVP"
 $ ENDIF
 $!
+$! Set state (can be LIB and APPS)
+$!
+$ STATE = "LIB"
+$ IF BUILDALL .EQS. "APPS" THEN STATE = "APPS"
+$!
 $! Check if the library module name actually is defined
 $!
 $ IF F$TYPE('LIB_MODULE') .EQS. ""
@@ -391,22 +413,92 @@ $   WRITE SYS$ERROR ""
 $   GOTO MODULE_NEXT
 $ ENDIF
 $!
+$! Top Of The Module Loop.
+$!
+$ MODULE_AGAIN:
+$!
+$! Tell The User What Module We Are Building.
+$!
+$ IF (MODULE_NAME1.NES."") 
+$ THEN
+$   IF STATE .EQS. "LIB"
+$   THEN
+$     WRITE SYS$OUTPUT "Compiling The ",MODULE_NAME1," Library Files. (",BUILDALL,",",STATE,")"
+$   ELSE IF F$TYPE('APPS_MODULE') .NES. ""
+$     THEN
+$       WRITE SYS$OUTPUT "Compiling The ",MODULE_NAME1," Applications. (",BUILDALL,",",STATE,")"
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$!  Define A File Counter And Set It To "0".
+$!
+$ FILE_COUNTER = 0
+$ APPLICATION = ""
+$ APPLICATION_COUNTER = 0
+$!
 $! Top Of The File Loop.
 $!
 $ NEXT_FILE:
 $!
-$! O.K, Extract The File Name From The File List.
+$! Look in the LIB_MODULE is we're in state LIB
+$!
+$ IF STATE .EQS. "LIB"
+$ THEN
+$!
+$!   O.K, Extract The File Name From The File List.
+$!
+$   FILE_NAME = F$ELEMENT(FILE_COUNTER,",",'LIB_MODULE')
+$!
+$!   else
+$!
+$ ELSE
+$   FILE_NAME = ","
+$!
+$   IF F$TYPE('APPS_MODULE') .NES. ""
+$   THEN
+$!
+$!     Extract The File Name From The File List.
+$!     This part is a bit more complicated.
 $!
-$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",'LIB_MODULE')
+$     IF APPLICATION .EQS. ""
+$     THEN
+$       APPLICATION = F$ELEMENT(APPLICATION_COUNTER,";",'APPS_MODULE')
+$       APPLICATION_COUNTER = APPLICATION_COUNTER + 1
+$       APPLICATION_OBJECTS = F$ELEMENT(1,"/",APPLICATION)
+$       APPLICATION = F$ELEMENT(0,"/",APPLICATION)
+$       FILE_COUNTER = 0
+$     ENDIF
+$
+$!     WRITE SYS$OUTPUT "DEBUG: SHOW SYMBOL APPLICATION*"
+$!     SHOW SYMBOL APPLICATION*
+$!
+$     IF APPLICATION .NES. ";"
+$     THEN
+$       FILE_NAME = F$ELEMENT(FILE_COUNTER,",",APPLICATION_OBJECTS)
+$       IF FILE_NAME .EQS. ","
+$       THEN
+$         APPLICATION = ""
+$         GOTO NEXT_FILE
+$       ENDIF
+$     ENDIF
+$   ENDIF
+$ ENDIF
 $!
 $! Check To See If We Are At The End Of The File List.
 $!
 $ IF (FILE_NAME.EQS.",") 
 $ THEN 
 $!
-$!  We Are At The End Of The File List, Goto FILE_DONE.
+$!  We Are At The End Of The File List, Change State Or Goto FILE_DONE.
 $!
-$   GOTO FILE_DONE
+$   IF STATE .EQS. "LIB" .AND. BUILDALL .NES. "LIBRARY"
+$   THEN
+$     STATE = "APPS"
+$     GOTO MODULE_AGAIN
+$   ELSE
+$     GOTO FILE_DONE
+$   ENDIF
 $!
 $! End The File List Check.
 $!
@@ -458,7 +550,7 @@ $! Tell The User We Are Compiling The File.
 $!
 $ IF (MODULE_NAME.EQS."")
 $ THEN
-     WRITE SYS$OUTPUT "Compiling The ",FILE_NAME," File."
+$   WRITE SYS$OUTPUT "Compiling The ",FILE_NAME," File.  (",BUILDALL,",",STATE,")"
 $ ENDIF
 $ IF (MODULE_NAME.NES."")
 $ THEN 
@@ -490,14 +582,17 @@ $       ENDIF
 $     ENDIF
 $   ENDIF
 $ ENDIF
+$ IF STATE .EQS. "LIB"
+$ THEN 
 $!
-$! Add It To The Library.
+$!   Add It To The Library.
 $!
-$ LIBRARY/REPLACE 'LIB_NAME' 'OBJECT_FILE'
+$   LIBRARY/REPLACE 'LIB_NAME' 'OBJECT_FILE'
 $!
-$! Time To Clean Up The Object File.
+$!   Time To Clean Up The Object File.
 $!
-$ DELETE 'OBJECT_FILE';*
+$   DELETE 'OBJECT_FILE';*
+$ ENDIF
 $!
 $! Go Back And Do It Again.
 $!
@@ -507,6 +602,99 @@ $! All Done With This Library Part.
 $!
 $ FILE_DONE:
 $!
+$! Time To Build Some Applications
+$!
+$ IF F$TYPE('APPS_MODULE') .NES. "" .AND. BUILDALL .NES. "LIBRARY"
+$ THEN
+$   APPLICATION_COUNTER = 0
+$ NEXT_APPLICATION:
+$   APPLICATION = F$ELEMENT(APPLICATION_COUNTER,";",'APPS_MODULE')
+$   IF APPLICATION .EQS. ";" THEN GOTO APPLICATION_DONE
+$
+$   APPLICATION_COUNTER = APPLICATION_COUNTER + 1
+$   APPLICATION_OBJECTS = F$ELEMENT(1,"/",APPLICATION)
+$   APPLICATION = F$ELEMENT(0,"/",APPLICATION)
+$
+$!   WRITE SYS$OUTPUT "DEBUG: SHOW SYMBOL APPLICATION*"
+$!   SHOW SYMBOL APPLICATION*
+$!
+$! Tell the user what happens
+$!
+$   WRITE SYS$OUTPUT "	",APPLICATION,".exe"
+$!
+$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$!
+$   IF (RSAREF.EQS."TRUE")
+$   THEN
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$     IF (TCPIP_LIB.NES."")
+$     THEN
+$!
+$!    Link With The RSAREF Library And A Specific TCP/IP Library.
+$!
+$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+            'OBJ_DIR''APPLICATION_OBJECTS', -
+	    'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+	    'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Link With The RSAREF Library And NO TCP/IP Library.
+$!
+$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+            'OBJ_DIR''APPLICATION_OBJECTS', -
+	    'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+	    'OPT_FILE'/OPTION
+$!
+$!    End The TCP/IP Library Check.
+$!
+$     ENDIF
+$!
+$!   Else...
+$!
+$   ELSE
+$!
+$!    Don't Link With The RSAREF Routines.
+$!
+$!
+$!    Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$     IF (TCPIP_LIB.NES."")
+$     THEN
+$!
+$!      Don't Link With The RSAREF Routines And TCP/IP Library.
+$!
+$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+            'OBJ_DIR''APPLICATION_OBJECTS', -
+	    'CRYPTO_LIB'/LIBRARY, -
+            'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!
+$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+            'OBJ_DIR''APPLICATION_OBJECTS',-
+	    'CRYPTO_LIB'/LIBRARY, -
+            'OPT_FILE'/OPTION
+$!
+$!    End The TCP/IP Library Check.
+$!
+$     ENDIF
+$!
+$!   End The RSAREF Link Check.
+$!
+$   ENDIF
+$   GOTO NEXT_APPLICATION
+$  APPLICATION_DONE:
+$ ENDIF
+$!
 $! Go Back And Get The Next Module.
 $!
 $ GOTO MODULE_NEXT
@@ -653,17 +841,70 @@ $ CHECK_OPTIONS:
 $!
 $! Check To See If P1 Is Blank.
 $!
-$ IF (P1.EQS."NORSAREF")
+$ IF (P1.EQS."ALL")
 $ THEN
 $!
-$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!   P1 Is Blank, So Build Everything.
+$!
+$    BUILDALL = "TRUE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Else, Check To See If P1 Has A Valid Arguement.
+$!
+$   IF (P1.EQS."LIBRARY").OR.(P1.EQS."APPS")
+$   THEN
+$!
+$!    A Valid Arguement.
+$!
+$     BUILDALL = P1
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Tell The User We Don't Know What They Want.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library."
+$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.SSL]*.EXE Programs."
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "        AXP  :  Alpha Architecture."
+$     WRITE SYS$OUTPUT "        VAX  :  VAX Architecture."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."NORSAREF")
+$ THEN
+$!
+$!   P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
 $!
 $    RSAREF = "FALSE"
 $ ELSE
 $!
 $!  Check To See If We Are To Use The RSAREF Library.
 $!
-$   IF (P1.EQS."RSAREF")
+$   IF (P2.EQS."RSAREF")
 $   THEN
 $!
 $!    Check To Make Sure We Have The RSAREF Source Code Directory.
@@ -697,7 +938,7 @@ $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
 $     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
@@ -711,16 +952,16 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P1 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P2 Is Blank.
+$! Check To See If P3 Is Blank.
 $!
-$ IF (P2.EQS."NODEBUG")
+$ IF (P3.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
+$!   P3 Is NODEBUG, So Compile Without The Debugger Information.
 $!
 $    DEBUGGER = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -733,7 +974,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P2.EQS."DEBUG")
+$   IF (P3.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -750,7 +991,7 @@ $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     DEBUG   :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "     NODEBUG :  Compile Without The Debugger Information."
@@ -764,7 +1005,7 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P2 Check.
+$! End The P3 Check.
 $!
 $ ENDIF
 $!
@@ -774,9 +1015,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P6.
 $!
-$ IF (P5.EQS."")
+$ IF (P6.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -798,13 +1039,13 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P5 Check.
+$! End The P6 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P3 Is Blank.
+$! Check To See If P4 Is Blank.
 $!
-$ IF (P3.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -817,7 +1058,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P3 = "GNUC"
+$     P4 = "GNUC"
 $!
 $!  Else...
 $!
@@ -830,7 +1071,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P3 = "DECC"
+$       P4 = "DECC"
 $!
 $!    Else...
 $!
@@ -838,7 +1079,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P3 = "VAXC"
+$       P4 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -852,9 +1093,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P4.
+$! Check To See If We Have A Option For P5.
 $!
-$ IF (P4.EQS."")
+$ IF (P5.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -864,7 +1105,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P4 = "SOCKETSHR"
+$     P5 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -884,7 +1125,7 @@ $     THEN
 $!
 $!	Last resort: a UCX or UCX-compatible library
 $!
-$	P4 = "UCX"
+$	P5 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -898,22 +1139,46 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "VMS=1,TCPIP_TYPE_''P4'"
+$ CCDEFS = "VMS=1,TCPIP_TYPE_''P5'"
+$ IF F$TRNLNM("OPENSSL_NO_ASM") THEN CCDEFS = CCDEFS + ",NO_ASM"
+$ IF F$TRNLNM("OPENSSL_NO_RSA") THEN CCDEFS = CCDEFS + ",NO_RSA"
+$ IF F$TRNLNM("OPENSSL_NO_DSA") THEN CCDEFS = CCDEFS + ",NO_DSA"
+$ IF F$TRNLNM("OPENSSL_NO_DH") THEN CCDEFS = CCDEFS + ",NO_DH"
+$ IF F$TRNLNM("OPENSSL_NO_MD2") THEN CCDEFS = CCDEFS + ",NO_MD2"
+$ IF F$TRNLNM("OPENSSL_NO_MD5") THEN CCDEFS = CCDEFS + ",NO_MD5"
+$ IF F$TRNLNM("OPENSSL_NO_RIPEMD") THEN CCDEFS = CCDEFS + ",NO_RIPEMD"
+$ IF F$TRNLNM("OPENSSL_NO_SHA") THEN CCDEFS = CCDEFS + ",NO_SHA"
+$ IF F$TRNLNM("OPENSSL_NO_SHA0") THEN CCDEFS = CCDEFS + ",NO_SHA0"
+$ IF F$TRNLNM("OPENSSL_NO_SHA1") THEN CCDEFS = CCDEFS + ",NO_SHA1"
+$ IF F$TRNLNM("OPENSSL_NO_DES")
+$ THEN
+$   CCDEFS = CCDEFS + ",NO_DES,NO_MDC2"
+$ ELSE
+$   IF F$TRNLNM("OPENSSL_NO_MDC2") THEN CCDEFS = CCDEFS + ",NO_MDC2"
+$ ENDIF
+$ IF F$TRNLNM("OPENSSL_NO_RC2") THEN CCDEFS = CCDEFS + ",NO_RC2"
+$ IF F$TRNLNM("OPENSSL_NO_RC4") THEN CCDEFS = CCDEFS + ",NO_RC4"
+$ IF F$TRNLNM("OPENSSL_NO_RC5") THEN CCDEFS = CCDEFS + ",NO_RC5"
+$ IF F$TRNLNM("OPENSSL_NO_IDEA") THEN CCDEFS = CCDEFS + ",NO_IDEA"
+$ IF F$TRNLNM("OPENSSL_NO_BF") THEN CCDEFS = CCDEFS + ",NO_BF"
+$ IF F$TRNLNM("OPENSSL_NO_CAST") THEN CCDEFS = CCDEFS + ",NO_CAST"
+$ IF F$TRNLNM("OPENSSL_NO_HMAC") THEN CCDEFS = CCDEFS + ",NO_HMAC"
+$ IF F$TRNLNM("OPENSSL_NO_SSL2") THEN CCDEFS = CCDEFS + ",NO_SSL2"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = ""
+$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
-	CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
 $ THEN
 $!
 $!    Check To See If The User Wanted DECC.
 $!
-$   IF (P3.EQS."DECC")
+$   IF (P4.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -942,7 +1207,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P3.EQS."VAXC")
+$   IF (P4.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -980,7 +1245,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P3.EQS."GNUC")
+$   IF (P4.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -1051,7 +1316,7 @@ $     CC4DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
-$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
+$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P3 .NES. "DEBUG"
 $   THEN
 $     CC5 = CC + "/OPTIMIZE=NODISJOINT"
 $   ELSE
@@ -1070,7 +1335,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -1096,12 +1361,12 @@ $   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P4.EQS."SOCKETSHR"
+$   IF P5.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -1114,12 +1379,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P4.EQS."MULTINET"
+$   IF P5.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P4 = "UCX"
+$     P5 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -1127,7 +1392,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P4.EQS."UCX"
+$   IF P5.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1156,7 +1421,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1173,9 +1438,9 @@ $!
 $! Check if the user wanted to compile just a subset of all the encryption
 $! methods.
 $!
-$ IF P6 .NES. ""
+$ IF P7 .NES. ""
 $ THEN
-$   ENCRYPT_TYPES = P6
+$   ENCRYPT_TYPES = P7
 $ ENDIF
 $!
 $!  Time To RETURN...
diff --git a/lib/libcrypto/crypto.h b/lib/libcrypto/crypto.h
index 8ad8c25e5a4..41c937966ee 100644
--- a/lib/libcrypto/crypto.h
+++ b/lib/libcrypto/crypto.h
@@ -63,17 +63,25 @@
 extern "C" {
 #endif
 
+#include <stdlib.h>
+
 #ifndef NO_FP_API
 #include <stdio.h>
 #endif
 
 #include <openssl/stack.h>
+#include <openssl/safestack.h>
 #include <openssl/opensslv.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
 #endif
 
+#if defined(VMS) || defined(__VMS)
+#include "vms_idhacks.h"
+#endif
+
+
 /* Backward compatibility to SSLeay */
 /* This is more to be used to check the correct DLL is being used
  * in the MS world. */
@@ -111,7 +119,9 @@ extern "C" {
 #define	CRYPTO_LOCK_GETSERVBYNAME	21
 #define	CRYPTO_LOCK_READDIR		22
 #define	CRYPTO_LOCK_RSA_BLINDING	23
-#define	CRYPTO_NUM_LOCKS		24
+#define	CRYPTO_LOCK_DH			24
+#define	CRYPTO_LOCK_MALLOC2		25
+#define	CRYPTO_NUM_LOCKS		26
 
 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -147,14 +157,16 @@ extern "C" {
 #define CRYPTO_MEM_CHECK_ENABLE	0x2	/* a bit */
 #define CRYPTO_MEM_CHECK_DISABLE 0x3	/* an enume */
 
-/*
-typedef struct crypto_mem_st
-	{
-	char *(*malloc_func)();
-	char *(*realloc_func)();
-	void (*free_func)();
-	} CRYPTO_MEM_FUNC;
-*/
+/* The following are bit values to turn on or off options connected to the
+ * malloc checking functionality */
+
+/* Adds time to the memory checking information */
+#define V_CRYPTO_MDEBUG_TIME	0x1 /* a bit */
+/* Adds thread number to the memory checking information */
+#define V_CRYPTO_MDEBUG_THREAD	0x2 /* a bit */
+
+#define V_CRYPTO_MDEBUG_ALL (V_CRYPTO_MDEBUG_TIME | V_CRYPTO_MDEBUG_THREAD)
+
 
 /* predec of the BIO type */
 typedef struct bio_st BIO_dummy;
@@ -165,24 +177,30 @@ typedef struct crypto_ex_data_st
 	int dummy; /* gcc is screwing up this data structure :-( */
 	} CRYPTO_EX_DATA;
 
+/* Called when a new object is created */
+typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+/* Called when an object is free()ed */
+typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+					int idx, long argl, void *argp);
+/* Called when we need to dup an object */
+typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+					int idx, long argl, void *argp);
+
 /* This stuff is basically class callback functions
- * The current classes are SSL_CTX, SSL, SSL_SESION, and a few more */
+ * The current classes are SSL_CTX, SSL, SSL_SESSION, and a few more */
+
 typedef struct crypto_ex_data_func_st
 	{
 	long argl;	/* Arbitary long */
-	char *argp;	/* Arbitary char * */
-	/* Called when a new object is created */
-	int (*new_func)(/*char *obj,
-			char *item,int index,long argl,char *argp*/);
-	/* Called when this object is free()ed */
-	void (*free_func)(/*char *obj,
-			char *item,int index,long argl,char *argp*/);
-
-	/* Called when we need to dup this one */
-	int (*dup_func)(/*char *obj_to,char *obj_from,
-			char **new,int index,long argl,char *argp*/);
+	void *argp;	/* Arbitary void * */
+	CRYPTO_EX_new *new_func;
+	CRYPTO_EX_free *free_func;
+	CRYPTO_EX_dup *dup_func;
 	} CRYPTO_EX_DATA_FUNCS;
 
+DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
+
 /* Per class, we have a STACK of CRYPTO_EX_DATA_FUNCS for each CRYPTO_EX_DATA
  * entry.
  */
@@ -194,63 +212,54 @@ typedef struct crypto_ex_data_func_st
 #define CRYPTO_EX_INDEX_X509_STORE	4
 #define CRYPTO_EX_INDEX_X509_STORE_CTX	5
 
-/* Use this for win32 DLL's */
-#define CRYPTO_malloc_init()	CRYPTO_set_mem_functions(\
-	(char *(*)())malloc,\
-	(char *(*)())realloc,\
-	(void (*)())free)
 
-#ifdef CRYPTO_MDEBUG_ALL
-# ifndef CRYPTO_MDEBUG_TIME
-#  define CRYPTO_MDEBUG_TIME
-# endif
-# ifndef CRYPTO_MDEBUG_THREAD
-#  define CRYPTO_MDEBUG_THREAD
-# endif
-#endif
+/* This is the default callbacks, but we can have others as well:
+ * this is needed in Win32 where the application malloc and the
+ * library malloc may not be the same.
+ */
+#define CRYPTO_malloc_init()	CRYPTO_set_mem_functions(\
+	malloc, realloc, free)
 
-#if defined CRYPTO_MDEBUG_TIME || defined CRYPTO_MDEBUG_THREAD
+#if defined CRYPTO_MDEBUG_ALL || defined CRYPTO_MDEBUG_TIME || defined CRYPTO_MDEBUG_THREAD
 # ifndef CRYPTO_MDEBUG /* avoid duplicate #define */
 #  define CRYPTO_MDEBUG
 # endif
 #endif
 
-#ifdef CRYPTO_MDEBUG
+/* Set standard debugging functions (not done by default
+ * unless CRYPTO_MDEBUG is defined) */
+#define CRYPTO_malloc_debug_init()	do {\
+	CRYPTO_set_mem_debug_functions(\
+		(void (*)())CRYPTO_dbg_malloc,\
+		(void (*)())CRYPTO_dbg_realloc,\
+		(void (*)())CRYPTO_dbg_free,\
+		(void (*)())CRYPTO_dbg_set_options,\
+		(long (*)())CRYPTO_dbg_get_options);\
+	} while(0)
+
+int CRYPTO_mem_ctrl(int mode);
+int CRYPTO_is_mem_check_on(void);
+
+/* for applications */
 #define MemCheck_start() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON)
 #define MemCheck_stop()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF)
+
+/* for library-internal use */
 #define MemCheck_on()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE)
 #define MemCheck_off()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
-#define Malloc(num)	CRYPTO_dbg_malloc((int)num,__FILE__,__LINE__)
+#define is_MemCheck_on() CRYPTO_is_mem_check_on()
+
+#define Malloc(num)	CRYPTO_malloc((int)num,__FILE__,__LINE__)
 #define Realloc(addr,num) \
-	CRYPTO_dbg_realloc((char *)addr,(int)num,__FILE__,__LINE__)
+	CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
 #define Remalloc(addr,num) \
-	CRYPTO_dbg_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
-#define FreeFunc	CRYPTO_dbg_free
-#define Free(addr)	CRYPTO_dbg_free(addr)
-#define Malloc_locked(num) CRYPTO_malloc_locked((int)num)
-#define Free_locked(addr) CRYPTO_free_locked(addr)
-#else
-#define MemCheck_start()
-#define MemCheck_stop()
-#define MemCheck_on()
-#define MemCheck_off()
-#define Remalloc	CRYPTO_remalloc
-#if defined(WIN32) || defined(MFUNC)
-#define Malloc		CRYPTO_malloc
-#define Realloc(a,n)	CRYPTO_realloc(a,(n))
+	CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
 #define FreeFunc	CRYPTO_free
 #define Free(addr)	CRYPTO_free(addr)
-#define Malloc_locked	CRYPTO_malloc_locked
+
+#define Malloc_locked(num) CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
 #define Free_locked(addr) CRYPTO_free_locked(addr)
-#else
-#define Malloc		malloc
-#define Realloc		realloc
-#define FreeFunc	free
-#define Free(addr)	free(addr)
-#define Malloc_locked	malloc
-#define Free_locked(addr) free(addr)
-#endif /* WIN32 || MFUNC */
-#endif /* MDEBUG */
+
 
 /* Case insensiteve linking causes problems.... */
 #if defined(WIN16) || defined(VMS)
@@ -261,15 +270,15 @@ typedef struct crypto_ex_data_func_st
 const char *SSLeay_version(int type);
 unsigned long SSLeay(void);
 
-int CRYPTO_get_ex_new_index(int idx,STACK **sk,long argl,char *argp,
-	int (*new_func)(),int (*dup_func)(),void (*free_func)());
-int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad,int idx,char *val);
-char *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad,int idx);
-int CRYPTO_dup_ex_data(STACK *meth,CRYPTO_EX_DATA *from,CRYPTO_EX_DATA *to);
-void CRYPTO_free_ex_data(STACK *meth,char *obj,CRYPTO_EX_DATA *ad);
-void CRYPTO_new_ex_data(STACK *meth, char *obj, CRYPTO_EX_DATA *ad);
+int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
+	     CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val);
+void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad,int idx);
+int CRYPTO_dup_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, CRYPTO_EX_DATA *to,
+	     CRYPTO_EX_DATA *from);
+void CRYPTO_free_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad);
+void CRYPTO_new_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad);
 
-int CRYPTO_mem_ctrl(int mode);
 int CRYPTO_get_new_lockid(char *name);
 
 int CRYPTO_num_locks(void); /* return CRYPTO_NUM_LOCKS (shared libs!) */
@@ -289,22 +298,51 @@ const char *CRYPTO_get_lock_name(int type);
 int CRYPTO_add_lock(int *pointer,int amount,int type, const char *file,
 		    int line);
 
-void CRYPTO_set_mem_functions(char *(*m)(),char *(*r)(), void (*free_func)());
-void CRYPTO_get_mem_functions(char *(**m)(),char *(**r)(), void (**f)());
-void CRYPTO_set_locked_mem_functions(char *(*m)(), void (*free_func)());
-void CRYPTO_get_locked_mem_functions(char *(**m)(), void (**f)());
+/* CRYPTO_set_mem_functions includes CRYPTO_set_locked_mem_functions --
+ * call the latter last if you need different functions */
+int CRYPTO_set_mem_functions(void *(*m)(size_t),void *(*r)(void *,size_t), void (*f)(void *));
+int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*free_func)(void *));
+int CRYPTO_set_mem_debug_functions(void (*m)(),void (*r)(),void (*f)(),void (*so)(),long (*go)());
+void CRYPTO_get_mem_functions(void *(**m)(size_t),void *(**r)(void *, size_t), void (**f)(void *));
+void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *));
+void CRYPTO_get_mem_debug_functions(void (**m)(),void (**r)(),void (**f)(),void (**so)(),long (**go)());
 
-void *CRYPTO_malloc_locked(int num);
+void *CRYPTO_malloc_locked(int num, const char *file, int line);
 void CRYPTO_free_locked(void *);
-void *CRYPTO_malloc(int num);
+void *CRYPTO_malloc(int num, const char *file, int line);
 void CRYPTO_free(void *);
-void *CRYPTO_realloc(void *addr,int num);
-void *CRYPTO_remalloc(void *addr,int num);
+void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
+void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
+
+void CRYPTO_set_mem_debug_options(long bits);
+long CRYPTO_get_mem_debug_options(void);
+
+#define CRYPTO_push_info(info) \
+        CRYPTO_push_info_(info, __FILE__, __LINE__);
+int CRYPTO_push_info_(const char *info, const char *file, int line);
+int CRYPTO_pop_info(void);
+int CRYPTO_remove_all_info(void);
+
+/* The last argument has the following significance:
+ *
+ * 0:	called before the actual memory allocation has taken place
+ * 1:	called after the actual memory allocation has taken place
+ */
+void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
+void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
+void CRYPTO_dbg_free(void *addr,int before_p);
+
+/* Tell the debugging code about options.  By default, the following values
+ * apply:
+ *
+ * 0:	Clear all options.
+ * 1:	Set the "Show Time" option.
+ * 2:	Set the "Show Thread Number" option.
+ * 3:	1 + 2
+ */
+void CRYPTO_dbg_set_options(long bits);
+long CRYPTO_dbg_get_options(void);
 
-void *CRYPTO_dbg_malloc(int num,const char *file,int line);
-void *CRYPTO_dbg_realloc(void *addr,int num,const char *file,int line);
-void CRYPTO_dbg_free(void *);
-void *CRYPTO_dbg_remalloc(void *addr,int num,const char *file,int line);
 #ifndef NO_FP_API
 void CRYPTO_mem_leaks_fp(FILE *);
 #endif
@@ -312,7 +350,7 @@ void CRYPTO_mem_leaks(struct bio_st *bio);
 /* unsigned long order, char *file, int line, int num_bytes, char *addr */
 void CRYPTO_mem_leaks_cb(void (*cb)());
 
-void ERR_load_CRYPTO_strings(void );
+void ERR_load_CRYPTO_strings(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/lib/libcrypto/des/Makefile.ssl b/lib/libcrypto/des/Makefile.ssl
index 7f9600cf025..41976655e9e 100644
--- a/lib/libcrypto/des/Makefile.ssl
+++ b/lib/libcrypto/des/Makefile.ssl
@@ -15,6 +15,7 @@ MAKE=		make -f Makefile.ssl
 MAKEDEPEND=	$(TOP)/util/domd $(TOP)
 MAKEFILE=	Makefile.ssl
 AR=		ar r
+RANLIB=		ranlib
 DES_ENC=	des_enc.o fcrypt_b.o
 # or use
 #DES_ENC=	dx86-elf.o yx86-elf.o
@@ -162,14 +163,15 @@ enc_read.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 enc_read.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 enc_read.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 enc_read.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-enc_read.o: ../cryptlib.h des_locl.h
+enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+enc_read.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
 enc_writ.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 enc_writ.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 enc_writ.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 enc_writ.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-enc_writ.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
+enc_writ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+enc_writ.o: ../cryptlib.h des_locl.h
 fcrypt.o: ../../include/openssl/des.h ../../include/openssl/des.h
 fcrypt.o: ../../include/openssl/e_os2.h ../../include/openssl/e_os2.h
 fcrypt.o: ../../include/openssl/opensslconf.h
@@ -187,15 +189,15 @@ pcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
 qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
 rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-rand_key.o: ../../include/openssl/opensslconf.h des_locl.h
+rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
 read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h
 read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 read_pwd.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
-read_pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-read_pwd.o: ../cryptlib.h des_locl.h
+read_pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+read_pwd.o: ../../include/openssl/stack.h ../cryptlib.h des_locl.h
 rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h
 set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
diff --git a/lib/libcrypto/des/cbc3_enc.c b/lib/libcrypto/des/cbc3_enc.c
index 3863a676d41..527e74f3ded 100644
--- a/lib/libcrypto/des/cbc3_enc.c
+++ b/lib/libcrypto/des/cbc3_enc.c
@@ -58,7 +58,7 @@
 
 #include "des_locl.h"
 
-/* HAS BUGS? DON'T USE - this is only present for use in des.c */
+/* HAS BUGS! DON'T USE - this is only present for use in des.c */
 void des_3cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 	     des_key_schedule ks1, des_key_schedule ks2, des_cblock *iv1,
 	     des_cblock *iv2, int enc)
@@ -69,11 +69,14 @@ void des_3cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 
 	if (enc == DES_ENCRYPT)
 		{
-		des_cbc_encrypt(input,output,length,ks1,iv1,enc);
+		des_cbc_encrypt((unsigned char*)input,
+				(unsigned char*)output,length,ks1,iv1,enc);
 		if (length >= sizeof(des_cblock))
 			memcpy(niv1,output[off],sizeof(des_cblock));
-		des_cbc_encrypt(output,output,l8,ks2,iv1,!enc);
-		des_cbc_encrypt(output,output,l8,ks1,iv2, enc);
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,l8,ks2,iv1,!enc);
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,l8,ks1,iv2,enc);
 		if (length >= sizeof(des_cblock))
 			memcpy(niv2,output[off],sizeof(des_cblock));
 		}
@@ -81,11 +84,14 @@ void des_3cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 		{
 		if (length >= sizeof(des_cblock))
 			memcpy(niv2,input[off],sizeof(des_cblock));
-		des_cbc_encrypt(input,output,l8,ks1,iv2,enc);
-		des_cbc_encrypt(output,output,l8,ks2,iv1,!enc);
+		des_cbc_encrypt((unsigned char*)input,
+				(unsigned char*)output,l8,ks1,iv2,enc);
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,l8,ks2,iv1,!enc);
 		if (length >= sizeof(des_cblock))
 			memcpy(niv1,output[off],sizeof(des_cblock));
-		des_cbc_encrypt(output,output,length,ks1,iv1, enc);
+		des_cbc_encrypt((unsigned char*)output,
+				(unsigned char*)output,length,ks1,iv1,enc);
 		}
 	memcpy(*iv1,niv1,sizeof(des_cblock));
 	memcpy(*iv2,niv2,sizeof(des_cblock));
diff --git a/lib/libcrypto/des/des.c b/lib/libcrypto/des/des.c
index b2d7f0da783..91d7153b346 100644
--- a/lib/libcrypto/des/des.c
+++ b/lib/libcrypto/des/des.c
@@ -325,25 +325,25 @@ void usage(void)
 "des <options> [input-file [output-file]]",
 "options:",
 "-v         : des(1) version number",
-"-e         : encrypt using sunOS compatible user key to DES key conversion.",
+"-e         : encrypt using SunOS compatible user key to DES key conversion.",
 "-E         : encrypt ",
-"-d         : decrypt using sunOS compatible user key to DES key conversion.",
+"-d         : decrypt using SunOS compatible user key to DES key conversion.",
 "-D         : decrypt ",
-"-c[ckname] : generate a cbc_cksum using sunOS compatible user key to",
+"-c[ckname] : generate a cbc_cksum using SunOS compatible user key to",
 "             DES key conversion and output to ckname (stdout default,",
 "             stderr if data being output on stdout).  The checksum is",
 "             generated before encryption and after decryption if used",
 "             in conjunction with -[eEdD].",
 "-C[ckname] : generate a cbc_cksum as for -c but compatible with -[ED].",
 "-k key     : use key 'key'",
-"-h         : the key that is entered will be a hexidecimal number",
+"-h         : the key that is entered will be a hexadecimal number",
 "             that is used directly as the des key",
 "-u[uuname] : input file is uudecoded if -[dD] or output uuencoded data if -[eE]",
 "             (uuname is the filename to put in the uuencode header).",
-"-b         : encrypt using DES in ecb encryption mode, the defaut is cbc mode.",
-"-3         : encrypt using tripple DES encryption.  This uses 2 keys",
+"-b         : encrypt using DES in ecb encryption mode, the default is cbc mode.",
+"-3         : encrypt using triple DES encryption.  This uses 2 keys",
 "             generated from the input key.  If the input key is less",
-"             than 8 characters long, this is equivelent to normal",
+"             than 8 characters long, this is equivalent to normal",
 "             encryption.  Default is triple cbc, -b makes it triple ecb.",
 NULL
 };
@@ -425,7 +425,7 @@ void doencryption(void)
 			else
 				k2[i-8]=k;
 			}
-		des_set_key(&k2,ks2);
+		des_set_key_unchecked(&k2,ks2);
 		memset(k2,0,sizeof(k2));
 		}
 	else if (longk || flag3)
@@ -433,7 +433,7 @@ void doencryption(void)
 		if (flag3)
 			{
 			des_string_to_2keys(key,&kk,&k2);
-			des_set_key(&k2,ks2);
+			des_set_key_unchecked(&k2,ks2);
 			memset(k2,0,sizeof(k2));
 			}
 		else
@@ -455,7 +455,7 @@ void doencryption(void)
 				kk[i]=key[i]|0x80;
 			}
 
-	des_set_key(&kk,ks);
+	des_set_key_unchecked(&kk,ks);
 	memset(key,0,sizeof(key));
 	memset(kk,0,sizeof(kk));
 	/* woops - A bug that does not showup under unix :-( */
@@ -484,7 +484,7 @@ void doencryption(void)
 			if (feof(DES_IN))
 				{
 				for (i=7-rem; i>0; i--)
-					RAND_bytes(buf + l++, 1);
+					RAND_pseudo_bytes(buf + l++, 1);
 				buf[l++]=rem;
 				ex=1;
 				len+=rem;
diff --git a/lib/libcrypto/des/des.h b/lib/libcrypto/des/des.h
index 67f90aaf172..98a9c4127c8 100644
--- a/lib/libcrypto/des/des.h
+++ b/lib/libcrypto/des/des.h
@@ -186,15 +186,20 @@ void des_pcbc_encrypt(const unsigned char *input,unsigned char *output,
 DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[],
 			long length,int out_count,des_cblock *seed);
 void des_random_seed(des_cblock *key);
-void des_random_key(des_cblock *ret);
+int des_random_key(des_cblock *ret);
 int des_read_password(des_cblock *key,const char *prompt,int verify);
 int des_read_2passwords(des_cblock *key1,des_cblock *key2,
 			const char *prompt,int verify);
 int des_read_pw_string(char *buf,int length,const char *prompt,int verify);
 void des_set_odd_parity(des_cblock *key);
 int des_is_weak_key(const_des_cblock *key);
+/* des_set_key (= set_key = des_key_sched = key_sched) calls
+ * des_set_key_checked if global variable des_check_key is set,
+ * des_set_key_unchecked otherwise. */
 int des_set_key(const_des_cblock *key,des_key_schedule schedule);
 int des_key_sched(const_des_cblock *key,des_key_schedule schedule);
+int des_set_key_checked(const_des_cblock *key,des_key_schedule schedule);
+void des_set_key_unchecked(const_des_cblock *key,des_key_schedule schedule);
 void des_string_to_key(const char *str,des_cblock *key);
 void des_string_to_2keys(const char *str,des_cblock *key1,des_cblock *key2);
 void des_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
diff --git a/lib/libcrypto/des/des_locl.h b/lib/libcrypto/des/des_locl.h
index d6ea17cb681..4dfed199a71 100644
--- a/lib/libcrypto/des/des_locl.h
+++ b/lib/libcrypto/des/des_locl.h
@@ -72,7 +72,11 @@
 
 #ifndef MSDOS
 #if !defined(VMS) || defined(__DECC)
-#include OPENSSL_UNISTD
+#ifdef OPENSSL_UNISTD
+# include OPENSSL_UNISTD
+#else
+# include <unistd.h>
+#endif
 #include <math.h>
 #endif
 #endif
@@ -178,14 +182,14 @@
 #endif
 
 /* The changes to this macro may help or hinder, depending on the
- * compiler and the achitecture.  gcc2 always seems to do well :-).
+ * compiler and the architecture.  gcc2 always seems to do well :-).
  * Inspired by Dana How <how@isl.stanford.edu>
  * DO NOT use the alternative version on machines with 8 byte longs.
  * It does not seem to work on the Alpha, even when DES_LONG is 4
  * bytes, probably an issue of accessing non-word aligned objects :-( */
 #ifdef DES_PTR
 
-/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
+/* It recently occurred to me that 0^0^0^0^0^0^0 == 0, so there
  * is no reason to not xor all the sub items together.  This potentially
  * saves a register since things can be xored directly into L */
 
diff --git a/lib/libcrypto/des/des_opts.c b/lib/libcrypto/des/des_opts.c
index 746c456f8fa..b2ca7ac31d6 100644
--- a/lib/libcrypto/des/des_opts.c
+++ b/lib/libcrypto/des/des_opts.c
@@ -434,17 +434,17 @@ int main(int argc, char **argv)
 		}
 
 #ifndef TIMES
-	fprintf(stderr,"To get the most acurate results, try to run this\n");
+	fprintf(stderr,"To get the most accurate results, try to run this\n");
 	fprintf(stderr,"program when this computer is idle.\n");
 #endif
 
-	des_set_key(&key,sch);
-	des_set_key(&key2,sch2);
-	des_set_key(&key3,sch3);
+	des_set_key_unchecked(&key,sch);
+	des_set_key_unchecked(&key2,sch2);
+	des_set_key_unchecked(&key3,sch3);
 
 #ifndef SIGALRM
 	fprintf(stderr,"First we calculate the approximate speed ...\n");
-	des_set_key(&key,sch);
+	des_set_key_unchecked(&key,sch);
 	count=10;
 	do	{
 		long i;
diff --git a/lib/libcrypto/des/destest.c b/lib/libcrypto/des/destest.c
index 5a04fc92983..9ad4ecb0728 100644
--- a/lib/libcrypto/des/destest.c
+++ b/lib/libcrypto/des/destest.c
@@ -234,7 +234,7 @@ static unsigned char cipher_ecb2[NUM_TESTS-1][8]={
 	{0x08,0xD7,0xB4,0xFB,0x62,0x9D,0x08,0x85}};
 
 static unsigned char cbc_key [8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
-static unsigned char cbc2_key[8]={0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87};
+static unsigned char cbc2_key[8]={0xf1,0xe0,0xd3,0xc2,0xb5,0xa4,0x97,0x86};
 static unsigned char cbc3_key[8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
 static unsigned char cbc_iv  [8]={0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10};
 /* Changed the following text constant to binary so it will work on ebcdic
@@ -254,12 +254,24 @@ static unsigned char cbc_ok[32]={
 	0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68,
 	0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
 
+#ifdef SCREW_THE_PARITY
+#error "SCREW_THE_PARITY is not ment to be defined."
+#error "Original vectors are preserved for reference only."
+static unsigned char cbc2_key[8]={0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87};
 static unsigned char xcbc_ok[32]={
 	0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48,
 	0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD,
 	0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76,
 	0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2,
 	};
+#else
+static unsigned char xcbc_ok[32]={
+	0x84,0x6B,0x29,0x14,0x85,0x1E,0x9A,0x29,
+	0x54,0x73,0x2F,0x8A,0xA0,0xA6,0x11,0xC1,
+	0x15,0xCD,0xC2,0xD7,0x95,0x1B,0x10,0x53,
+	0xA6,0x3C,0x5E,0x03,0xB2,0x1A,0xA3,0xC4,
+	};
+#endif
 
 static unsigned char cbc3_ok[32]={
 	0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0,
@@ -309,8 +321,8 @@ static unsigned char ofb_cipher[24]=
 	0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3
 	};
 
-DES_LONG cbc_cksum_ret=0xB462FEF7L;
-unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
+static DES_LONG cbc_cksum_ret=0xB462FEF7L;
+static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
 
 static char *pt(unsigned char *p);
 static int cfb_test(int bits, unsigned char *cfb_cipher);
@@ -331,17 +343,17 @@ int main(int argc, char *argv[])
 
 #ifndef NO_DESCBCM
 	printf("Doing cbcm\n");
-	if ((j=des_key_sched(&cbc_key,ks)) != 0)
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
 		}
-	if ((j=des_key_sched(&cbc2_key,ks2)) != 0)
+	if ((j=des_set_key_checked(&cbc2_key,ks2)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
 		}
-	if ((j=des_key_sched(&cbc3_key,ks3)) != 0)
+	if ((j=des_set_key_checked(&cbc3_key,ks3)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
@@ -385,11 +397,7 @@ int main(int argc, char *argv[])
 	printf("Doing ecb\n");
 	for (i=0; i<NUM_TESTS; i++)
 		{
-		if ((j=des_key_sched(&key_data[i],ks)) != 0)
-			{
-			printf("Key error %2d:%d\n",i+1,j);
-			err=1;
-			}
+		des_set_key_unchecked(&key_data[i],ks);
 		memcpy(in,plain_data[i],8);
 		memset(out,0,8);
 		memset(outin,0,8);
@@ -415,21 +423,9 @@ int main(int argc, char *argv[])
 	printf("Doing ede ecb\n");
 	for (i=0; i<(NUM_TESTS-1); i++)
 		{
-		if ((j=des_key_sched(&key_data[i],ks)) != 0)
-			{
-			err=1;
-			printf("Key error %2d:%d\n",i+1,j);
-			}
-		if ((j=des_key_sched(&key_data[i+1],ks2)) != 0)
-			{
-			printf("Key error %2d:%d\n",i+2,j);
-			err=1;
-			}
-		if ((j=des_key_sched(&key_data[i+2],ks3)) != 0)
-			{
-			printf("Key error %2d:%d\n",i+3,j);
-			err=1;
-			}
+		des_set_key_unchecked(&key_data[i],ks);
+		des_set_key_unchecked(&key_data[i+1],ks2);
+		des_set_key_unchecked(&key_data[i+2],ks3);
 		memcpy(in,plain_data[i],8);
 		memset(out,0,8);
 		memset(outin,0,8);
@@ -453,7 +449,7 @@ int main(int argc, char *argv[])
 #endif
 
 	printf("Doing cbc\n");
-	if ((j=des_key_sched(&cbc_key,ks)) != 0)
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
@@ -464,7 +460,10 @@ int main(int argc, char *argv[])
 	des_ncbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
 			 &iv3,DES_ENCRYPT);
 	if (memcmp(cbc_out,cbc_ok,32) != 0)
+		{
 		printf("cbc_encrypt encrypt error\n");
+		err=1;
+		}
 
 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
 	des_ncbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,
@@ -477,7 +476,7 @@ int main(int argc, char *argv[])
 
 #ifndef LIBDES_LIT
 	printf("Doing desx cbc\n");
-	if ((j=des_key_sched(&cbc_key,ks)) != 0)
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
@@ -490,6 +489,7 @@ int main(int argc, char *argv[])
 	if (memcmp(cbc_out,xcbc_ok,32) != 0)
 		{
 		printf("des_xcbc_encrypt encrypt error\n");
+		err=1;
 		}
 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
 	des_xcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,
@@ -502,17 +502,17 @@ int main(int argc, char *argv[])
 #endif
 
 	printf("Doing ede cbc\n");
-	if ((j=des_key_sched(&cbc_key,ks)) != 0)
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
 		}
-	if ((j=des_key_sched(&cbc2_key,ks2)) != 0)
+	if ((j=des_set_key_checked(&cbc2_key,ks2)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
 		}
-	if ((j=des_key_sched(&cbc3_key,ks3)) != 0)
+	if ((j=des_set_key_checked(&cbc3_key,ks3)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
@@ -543,7 +543,7 @@ int main(int argc, char *argv[])
 
 #ifndef LIBDES_LIT
 	printf("Doing pcbc\n");
-	if ((j=des_key_sched(&cbc_key,ks)) != 0)
+	if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
 		{
 		printf("Key error %d\n",j);
 		err=1;
@@ -606,7 +606,7 @@ int main(int argc, char *argv[])
 	printf("done\n");
 
 	printf("Doing ofb\n");
-	des_key_sched(&ofb_key,ks);
+	des_set_key_checked(&ofb_key,ks);
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
 	des_ofb_encrypt(plain,ofb_buf1,64,sizeof(plain)/8,ks,&ofb_tmp);
 	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
@@ -635,7 +635,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		}
 
 	printf("Doing ofb64\n");
-	des_key_sched(&ofb_key,ks);
+	des_set_key_checked(&ofb_key,ks);
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
 	memset(ofb_buf1,0,sizeof(ofb_buf1));
 	memset(ofb_buf2,0,sizeof(ofb_buf1));
@@ -660,7 +660,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		}
 
 	printf("Doing ede_ofb64\n");
-	des_key_sched(&ofb_key,ks);
+	des_set_key_checked(&ofb_key,ks);
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
 	memset(ofb_buf1,0,sizeof(ofb_buf1));
 	memset(ofb_buf2,0,sizeof(ofb_buf1));
@@ -686,7 +686,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		}
 
 	printf("Doing cbc_cksum\n");
-	des_key_sched(&cbc_key,ks);
+	des_set_key_checked(&cbc_key,ks);
 	cs=des_cbc_cksum(cbc_data,&cret,strlen((char *)cbc_data),ks,&cbc_iv);
 	if (cs != cbc_cksum_ret)
 		{
@@ -795,8 +795,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		err=1;
 		}
 	printf("\n");
-	exit(err);
-	return(0);
+	return(err);
 	}
 
 static char *pt(unsigned char *p)
@@ -825,7 +824,7 @@ static int cfb_test(int bits, unsigned char *cfb_cipher)
 	des_key_schedule ks;
 	int i,err=0;
 
-	des_key_sched(&cfb_key,ks);
+	des_set_key_checked(&cfb_key,ks);
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	des_cfb_encrypt(plain,cfb_buf1,bits,sizeof(plain),ks,&cfb_tmp,
 			DES_ENCRYPT);
@@ -854,7 +853,7 @@ static int cfb64_test(unsigned char *cfb_cipher)
 	des_key_schedule ks;
 	int err=0,i,n;
 
-	des_key_sched(&cfb_key,ks);
+	des_set_key_checked(&cfb_key,ks);
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	n=0;
 	des_cfb64_encrypt(plain,cfb_buf1,12,ks,&cfb_tmp,&n,DES_ENCRYPT);
@@ -887,7 +886,7 @@ static int ede_cfb64_test(unsigned char *cfb_cipher)
 	des_key_schedule ks;
 	int err=0,i,n;
 
-	des_key_sched(&cfb_key,ks);
+	des_set_key_checked(&cfb_key,ks);
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	n=0;
 	des_ede3_cfb64_encrypt(plain,cfb_buf1,12,ks,ks,ks,&cfb_tmp,&n,
diff --git a/lib/libcrypto/des/enc_read.c b/lib/libcrypto/des/enc_read.c
index 694970ccd2a..7399ff72698 100644
--- a/lib/libcrypto/des/enc_read.c
+++ b/lib/libcrypto/des/enc_read.c
@@ -147,7 +147,7 @@ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
 	/* first - get the length */
 	while (net_num < HDRSIZE) 
 		{
-		i=read(fd,&(net[net_num]),HDRSIZE-net_num);
+		i=read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
 #ifdef EINTR
 		if ((i == -1) && (errno == EINTR)) continue;
 #endif
@@ -169,7 +169,7 @@ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
 	net_num=0;
 	while (net_num < rnum)
 		{
-		i=read(fd,&(net[net_num]),rnum-net_num);
+		i=read(fd,(void *)&(net[net_num]),rnum-net_num);
 #ifdef EINTR
 		if ((i == -1) && (errno == EINTR)) continue;
 #endif
diff --git a/lib/libcrypto/des/enc_writ.c b/lib/libcrypto/des/enc_writ.c
index ba3f0822ef0..4d3452724ec 100644
--- a/lib/libcrypto/des/enc_writ.c
+++ b/lib/libcrypto/des/enc_writ.c
@@ -130,12 +130,12 @@ int des_enc_write(int fd, const void *_buf, int len,
 		{
 		cp=shortbuf;
 		memcpy(shortbuf,buf,len);
-		RAND_bytes(shortbuf+len, 8-len);
+		RAND_pseudo_bytes(shortbuf+len, 8-len);
 		rnum=8;
 		}
 	else
 		{
-		cp=(unsigned char*)buf;
+		cp=buf;
 		rnum=((len+7)/8*8); /* round up to nearest eight */
 		}
 
@@ -152,13 +152,16 @@ int des_enc_write(int fd, const void *_buf, int len,
 	for (j=0; j<outnum; j+=i)
 		{
 		/* eay 26/08/92 I was not doing writing from where we
-		 * got upto. */
-		i=write(fd,&(outbuf[j]),outnum-j);
+		 * got up to. */
+		i=write(fd,(void *)&(outbuf[j]),outnum-j);
 		if (i == -1)
 			{
+#ifdef EINTR
 			if (errno == EINTR)
 				i=0;
-			else 	/* This is really a bad error - very bad
+			else
+#endif
+			        /* This is really a bad error - very bad
 				 * It will stuff-up both ends. */
 				return(-1);
 			}
diff --git a/lib/libcrypto/des/fcrypt.c b/lib/libcrypto/des/fcrypt.c
index f36746b3764..fa1b8aa34ad 100644
--- a/lib/libcrypto/des/fcrypt.c
+++ b/lib/libcrypto/des/fcrypt.c
@@ -1,7 +1,7 @@
 /* NOCW */
 #include <stdio.h>
 
-/* This version of crypt has been developed from my MIT compatable
+/* This version of crypt has been developed from my MIT compatible
  * DES library.
  * The library is available at pub/Crypto/DES at ftp.psy.uq.oz.au
  * Eric Young (eay@cryptsoft.com)
@@ -11,7 +11,7 @@
  * I have included directive PARA for shared memory computers.
  * I have included a directive LONGCRYPT to using this routine to cipher
  * passwords with more then 8 bytes like HP-UX 10.x it used. The MAXPLEN
- * definition is the maximum of lenght of password and can changed. I have
+ * definition is the maximum of length of password and can changed. I have
  * defined 24.
  */
 
@@ -103,8 +103,8 @@ char *ret;
 	 * returns *\0XXXXXXXXX
 	 * The \0 makes the string look like * so the pwd "*" would
 	 * crypt to "*".  This was found when replacing the crypt in
-	 * our shared libraries.  People found that the disbled
-	 * accounts effectivly had no passwd :-(. */
+	 * our shared libraries.  People found that the disabled
+	 * accounts effectively had no passwd :-(. */
 	x=ret[0]=((salt[0] == '\0')?'A':salt[0]);
 	Eswap0=con_salt[x]<<2;
 	x=ret[1]=((salt[1] == '\0')?'A':salt[1]);
@@ -123,7 +123,7 @@ r=(r+7)/8;
 	for (; i<8; i++)
 		key[i]=0;
 
-	des_set_key((des_cblock *)(key),ks);
+	des_set_key_unchecked(&key,ks);
 	fcrypt_body(&(out[0]),ks,Eswap0,Eswap1);
 
 	ll=out[0]; l2c(ll,b);
diff --git a/lib/libcrypto/des/fcrypt_b.c b/lib/libcrypto/des/fcrypt_b.c
index 9cbea97c1fc..83c94054e3c 100644
--- a/lib/libcrypto/des/fcrypt_b.c
+++ b/lib/libcrypto/des/fcrypt_b.c
@@ -58,7 +58,7 @@
 
 #include <stdio.h>
 
-/* This version of crypt has been developed from my MIT compatable
+/* This version of crypt has been developed from my MIT compatible
  * DES library.
  * The library is available at pub/Crypto/DES at ftp.psy.uq.oz.au
  * Eric Young (eay@cryptsoft.com)
diff --git a/lib/libcrypto/des/rand_key.c b/lib/libcrypto/des/rand_key.c
index fc11792cdaa..7816a8f25c1 100644
--- a/lib/libcrypto/des/rand_key.c
+++ b/lib/libcrypto/des/rand_key.c
@@ -1,114 +1,69 @@
 /* crypto/des/rand_key.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
  *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
  * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
  */
 
-#include "des_locl.h"
-#include <time.h>
-
-static int seed=0;
-static des_cblock init;
+#include <openssl/des.h>
+#include <openssl/rand.h>
 
 void des_random_seed(des_cblock *key)
 	{
-	memcpy(&init,key,sizeof(des_cblock));
-	seed=1;
+	RAND_seed(key, sizeof(des_cblock));
 	}
 
-void des_random_key(des_cblock *ret)
+int des_random_key(des_cblock *ret)
 	{
-	des_key_schedule ks;
-	static DES_LONG c=0;
-	static unsigned short pid=0;
-	static des_cblock data={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};
-	des_cblock key;
-	unsigned char *p;
-	DES_LONG t;
-	int i;
-
-#ifdef MSDOS
-	pid=1;
-#else
-	if (!pid) pid=getpid();
-#endif
-	p=key;
-	if (seed)
-		{
-		for (i=0; i<8; i++)
-			{
-			data[i] ^= init[i];
-			init[i]=0;
-			}
-		seed=0;
-		}
-	t=(DES_LONG)time(NULL);
-	l2c(t,p);
-	t=(DES_LONG)((pid)|((c++)<<16));
-	l2c(t,p);
-
-	des_set_odd_parity(&data);
-	des_set_key(&data,ks);
-	des_cbc_cksum(key,&key,sizeof(key),ks,&data);
-
-	des_set_odd_parity(&key);
-	des_set_key(&key,ks);
-	des_cbc_cksum(key,&data,sizeof(key),ks,&key);
-
-	memcpy(ret,data,sizeof(key));
-	memset(key,0,sizeof(key));
-	memset(ks,0,sizeof(ks));
-	t=0;
+	int r = RAND_bytes((unsigned char *)ret, sizeof(des_cblock));
+	des_set_odd_parity(ret);
+	return r;
 	}
diff --git a/lib/libcrypto/des/read_pwd.c b/lib/libcrypto/des/read_pwd.c
index fed49652c0d..fa2d67da643 100644
--- a/lib/libcrypto/des/read_pwd.c
+++ b/lib/libcrypto/des/read_pwd.c
@@ -58,7 +58,11 @@
 
 #if !defined(MSDOS) && !defined(VMS) && !defined(WIN32)
 #include <openssl/opensslconf.h>
-#include OPENSSL_UNISTD
+#ifdef OPENSSL_UNISTD
+# include OPENSSL_UNISTD
+#else
+# include <unistd.h>
+#endif
 /* If unistd.h defines _POSIX_VERSION, we conclude that we
  * are on a POSIX system and have sigaction and termios. */
 #if defined(_POSIX_VERSION)
@@ -123,7 +127,7 @@
 #undef  SGTTY
 #endif
 
-#if !defined(TERMIO) && !defined(TERMIOS) && !defined(VMS) && !defined(MSDOS)
+#if !defined(TERMIO) && !defined(TERMIOS) && !defined(VMS) && !defined(MSDOS) && !defined(MAC_OS_pre_X) && !defined(MAC_OS_GUSI_SOURCE)
 #undef  TERMIOS
 #undef  TERMIO
 #define SGTTY
@@ -153,7 +157,7 @@
 #define TTY_set(tty,data)	ioctl(tty,TIOCSETP,data)
 #endif
 
-#if !defined(_LIBC) && !defined(MSDOS) && !defined(VMS)
+#if !defined(_LIBC) && !defined(MSDOS) && !defined(VMS) && !defined(MAC_OS_pre_X)
 #include <sys/ioctl.h>
 #endif
 
@@ -174,6 +178,15 @@ struct IOSB {
 	};
 #endif
 
+#if defined(MAC_OS_pre_X) || defined(MAC_OS_GUSI_SOURCE)
+/*
+ * This one needs work. As a matter of fact the code is unoperational
+ * and this is only a trick to get it compiled.
+ *					<appro@fy.chalmers.se>
+ */
+#define TTY_STRUCT int
+#endif
+
 #ifndef NX509_SIG
 #define NX509_SIG 32
 #endif
diff --git a/lib/libcrypto/des/rpc_enc.c b/lib/libcrypto/des/rpc_enc.c
index c96c204147a..32d96d5cae6 100644
--- a/lib/libcrypto/des/rpc_enc.c
+++ b/lib/libcrypto/des/rpc_enc.c
@@ -66,7 +66,7 @@ int _des_crypt(char *buf, int len, struct desparams *desp)
 	des_key_schedule ks;
 	int enc;
 
-	des_set_key(&desp->des_key,ks);
+	des_set_key_unchecked(&desp->des_key,ks);
 	enc=(desp->des_dir == ENCRYPT)?DES_ENCRYPT:DES_DECRYPT;
 
 	if (desp->des_mode == CBC)
diff --git a/lib/libcrypto/des/set_key.c b/lib/libcrypto/des/set_key.c
index 52553a4c166..bbdc71ba6bd 100644
--- a/lib/libcrypto/des/set_key.c
+++ b/lib/libcrypto/des/set_key.c
@@ -125,7 +125,7 @@ int des_is_weak_key(const_des_cblock *key)
 	int i;
 
 	for (i=0; i<NUM_WEAK_KEY; i++)
-		/* Added == 0 to comparision, I obviously don't run
+		/* Added == 0 to comparison, I obviously don't run
 		 * this section very often :-(, thanks to
 		 * engineering@MorningStar.Com for the fix
 		 * eay 93/06/29
@@ -145,11 +145,34 @@ int des_is_weak_key(const_des_cblock *key)
 #define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
 	(a)=(a)^(t)^(t>>(16-(n))))
 
+int des_set_key(const_des_cblock *key, des_key_schedule schedule)
+	{
+	if (des_check_key)
+		{
+		return des_set_key_checked(key, schedule);
+		}
+	else
+		{
+		des_set_key_unchecked(key, schedule);
+		return 0;
+		}
+	}
+
 /* return 0 if key parity is odd (correct),
  * return -1 if key parity error,
  * return -2 if illegal weak key.
  */
-int des_set_key(const_des_cblock *key, des_key_schedule schedule)
+int des_set_key_checked(const_des_cblock *key, des_key_schedule schedule)
+	{
+	if (!check_parity(key))
+		return(-1);
+	if (des_is_weak_key(key))
+		return(-2);
+	des_set_key_unchecked(key, schedule);
+	return 0;
+	}
+
+void des_set_key_unchecked(const_des_cblock *key, des_key_schedule schedule)
 	{
 	static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
 	register DES_LONG c,d,t,s,t2;
@@ -157,15 +180,6 @@ int des_set_key(const_des_cblock *key, des_key_schedule schedule)
 	register DES_LONG *k;
 	register int i;
 
-	if (des_check_key)
-		{
-		if (!check_parity(key))
-			return(-1);
-
-		if (des_is_weak_key(key))
-			return(-2);
-		}
-
 	k = &schedule->ks.deslong[0];
 	in = &(*key)[0];
 
@@ -225,7 +239,6 @@ int des_set_key(const_des_cblock *key, des_key_schedule schedule)
 		t2=((s>>16L)|(t&0xffff0000L));
 		*(k++)=ROTATE(t2,26)&0xffffffffL;
 		}
-	return(0);
 	}
 
 int des_key_sched(const_des_cblock *key, des_key_schedule schedule)
diff --git a/lib/libcrypto/des/speed.c b/lib/libcrypto/des/speed.c
index da41abcb03d..814b86f4aee 100644
--- a/lib/libcrypto/des/speed.c
+++ b/lib/libcrypto/des/speed.c
@@ -186,16 +186,16 @@ int main(int argc, char **argv)
 #endif
 
 #ifndef TIMES
-	printf("To get the most acurate results, try to run this\n");
+	printf("To get the most accurate results, try to run this\n");
 	printf("program when this computer is idle.\n");
 #endif
 
-	des_set_key(&key2,sch2);
-	des_set_key(&key3,sch3);
+	des_set_key_unchecked(&key2,sch2);
+	des_set_key_unchecked(&key3,sch3);
 
 #ifndef SIGALRM
 	printf("First we calculate the approximate speed ...\n");
-	des_set_key(&key,sch);
+	des_set_key_unchecked(&key,sch);
 	count=10;
 	do	{
 		long i;
@@ -225,7 +225,7 @@ int main(int argc, char **argv)
 
 	Time_F(START);
 	for (count=0,run=1; COND(ca); count++)
-		des_set_key(&key,sch);
+		des_set_key_unchecked(&key,sch);
 	d=Time_F(STOP);
 	printf("%ld set_key's in %.2f seconds\n",count,d);
 	a=((double)COUNT(ca))/d;
diff --git a/lib/libcrypto/des/str2key.c b/lib/libcrypto/des/str2key.c
index 24841452f1f..c6abb872012 100644
--- a/lib/libcrypto/des/str2key.c
+++ b/lib/libcrypto/des/str2key.c
@@ -58,8 +58,6 @@
 
 #include "des_locl.h"
 
-OPENSSL_EXTERN int des_check_key;
-
 void des_string_to_key(const char *str, des_cblock *key)
 	{
 	des_key_schedule ks;
@@ -88,11 +86,8 @@ void des_string_to_key(const char *str, des_cblock *key)
 		}
 #endif
 	des_set_odd_parity(key);
-	i=des_check_key;
-	des_check_key=0;
-	des_set_key(key,ks);
-	des_check_key=i;
-	des_cbc_cksum((unsigned char*)str,key,length,ks,key);
+	des_set_key_unchecked(key,ks);
+	des_cbc_cksum((const unsigned char*)str,key,length,ks,key);
 	memset(ks,0,sizeof(ks));
 	des_set_odd_parity(key);
 	}
@@ -150,13 +145,10 @@ void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2)
 #endif
 	des_set_odd_parity(key1);
 	des_set_odd_parity(key2);
-	i=des_check_key;
-	des_check_key=0;
-	des_set_key(key1,ks);
-	des_cbc_cksum((unsigned char*)str,key1,length,ks,key1);
-	des_set_key(key2,ks);
-	des_cbc_cksum((unsigned char*)str,key2,length,ks,key2);
-	des_check_key=i;
+	des_set_key_unchecked(key1,ks);
+	des_cbc_cksum((const unsigned char*)str,key1,length,ks,key1);
+	des_set_key_unchecked(key2,ks);
+	des_cbc_cksum((const unsigned char*)str,key2,length,ks,key2);
 	memset(ks,0,sizeof(ks));
 	des_set_odd_parity(key1);
 	des_set_odd_parity(key2);
diff --git a/lib/libcrypto/dh/Makefile.ssl b/lib/libcrypto/dh/Makefile.ssl
index 3b5ec0e1152..8df60872ef3 100644
--- a/lib/libcrypto/dh/Makefile.ssl
+++ b/lib/libcrypto/dh/Makefile.ssl
@@ -83,26 +83,30 @@ dh_check.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dh_check.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
 dh_check.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 dh_check.o: ../../include/openssl/opensslconf.h
-dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-dh_check.o: ../cryptlib.h
-dh_err.o: ../../include/openssl/bn.h ../../include/openssl/dh.h
-dh_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dh_check.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+dh_err.o: ../../include/openssl/dh.h ../../include/openssl/err.h
+dh_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
 dh_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dh_gen.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_gen.o: ../cryptlib.h
 dh_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
 dh_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dh_key.o: ../../include/openssl/rand.h ../../include/openssl/stack.h
-dh_key.o: ../cryptlib.h
+dh_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dh_key.o: ../../include/openssl/stack.h ../cryptlib.h
 dh_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
 dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dh_lib.o: ../../include/openssl/stack.h ../cryptlib.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_lib.o: ../cryptlib.h
diff --git a/lib/libcrypto/dh/dh.h b/lib/libcrypto/dh/dh.h
index 2cc3797a94e..c15b2ad4836 100644
--- a/lib/libcrypto/dh/dh.h
+++ b/lib/libcrypto/dh/dh.h
@@ -68,10 +68,28 @@ extern "C" {
 #endif
 
 #include <openssl/bn.h>
+#include <openssl/crypto.h>
 	
 #define DH_FLAG_CACHE_MONT_P	0x01
 
-typedef struct dh_st
+typedef struct dh_st DH;
+
+typedef struct dh_method {
+	const char *name;
+	/* Methods here */
+	int (*generate_key)(DH *dh);
+	int (*compute_key)(unsigned char *key,BIGNUM *pub_key,DH *dh);
+	int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+				const BIGNUM *m, BN_CTX *ctx,
+				BN_MONT_CTX *m_ctx); /* Can be null */
+
+	int (*init)(DH *dh);
+	int (*finish)(DH *dh);
+	int flags;
+	char *app_data;
+} DH_METHOD;
+
+struct dh_st
 	{
 	/* This first argument is used to pick up errors when
 	 * a DH is passed instead of a EVP_PKEY */
@@ -80,12 +98,22 @@ typedef struct dh_st
 	BIGNUM *p;
 	BIGNUM *g;
 	int length; /* optional */
-	BIGNUM *pub_key;	/* y */
+	BIGNUM *pub_key;	/* g^x */
 	BIGNUM *priv_key;	/* x */
 
 	int flags;
 	char *method_mont_p;
-	} DH;
+	/* Place holders if we want to do X9.42 DH */
+	BIGNUM *q;
+	BIGNUM *j;
+	unsigned char *seed;
+	int seedlen;
+	BIGNUM *counter;
+
+	int references;
+	CRYPTO_EX_DATA ex_data;
+	DH_METHOD *meth;
+	};
 
 #define DH_GENERATOR_2		2
 /* #define DH_GENERATOR_3	3 */
@@ -93,10 +121,14 @@ typedef struct dh_st
 
 /* DH_check error codes */
 #define DH_CHECK_P_NOT_PRIME		0x01
-#define DH_CHECK_P_NOT_STRONG_PRIME	0x02
+#define DH_CHECK_P_NOT_SAFE_PRIME	0x02
 #define DH_UNABLE_TO_CHECK_GENERATOR	0x04
 #define DH_NOT_SUITABLE_GENERATOR	0x08
 
+/* primes p where (p-1)/2 is prime too are called "safe"; we define
+   this for backward compatibility: */
+#define DH_CHECK_P_NOT_STRONG_PRIME	DH_CHECK_P_NOT_SAFE_PRIME
+
 #define DHparams_dup(x) (DH *)ASN1_dup((int (*)())i2d_DHparams, \
 		(char *(*)())d2i_DHparams,(char *)(x))
 #define d2i_DHparams_fp(fp,x) (DH *)ASN1_d2i_fp((char *(*)())DH_new, \
@@ -113,9 +145,20 @@ typedef struct dh_st
 		(unsigned char *)(x))
 #endif
 
+DH_METHOD *DH_OpenSSL(void);
+
+void DH_set_default_method(DH_METHOD *meth);
+DH_METHOD *DH_get_default_method(void);
+DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+DH *DH_new_method(DH_METHOD *meth);
+
 DH *	DH_new(void);
 void	DH_free(DH *dh);
 int	DH_size(DH *dh);
+int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int DH_set_ex_data(DH *d, int idx, void *arg);
+void *DH_get_ex_data(DH *d, int idx);
 DH *	DH_generate_parameters(int prime_len,int generator,
 		void (*callback)(int,int,void *),void *cb_arg);
 int	DH_check(DH *dh,int *codes);
diff --git a/lib/libcrypto/dh/dh_check.c b/lib/libcrypto/dh/dh_check.c
index 95ce9cfad01..7e5cfd8bfcb 100644
--- a/lib/libcrypto/dh/dh_check.c
+++ b/lib/libcrypto/dh/dh_check.c
@@ -61,7 +61,7 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
-/* Check that p is a strong prime and
+/* Check that p is a safe prime and
  * if g is 2, 3 or 5, check that is is a suitable generator
  * where
  * for 2, p mod 24 == 11
@@ -88,11 +88,13 @@ int DH_check(DH *dh, int *ret)
 		l=BN_mod_word(dh->p,24);
 		if (l != 11) *ret|=DH_NOT_SUITABLE_GENERATOR;
 		}
-/*	else if (BN_is_word(dh->g,DH_GENERATOR_3))
+#if 0
+	else if (BN_is_word(dh->g,DH_GENERATOR_3))
 		{
 		l=BN_mod_word(dh->p,12);
 		if (l != 5) *ret|=DH_NOT_SUITABLE_GENERATOR;
-		}*/
+		}
+#endif
 	else if (BN_is_word(dh->g,DH_GENERATOR_5))
 		{
 		l=BN_mod_word(dh->p,10);
@@ -108,7 +110,7 @@ int DH_check(DH *dh, int *ret)
 		{
 		if (!BN_rshift1(q,dh->p)) goto err;
 		if (!BN_is_prime(q,BN_prime_checks,NULL,ctx,NULL))
-			*ret|=DH_CHECK_P_NOT_STRONG_PRIME;
+			*ret|=DH_CHECK_P_NOT_SAFE_PRIME;
 		}
 	ok=1;
 err:
diff --git a/lib/libcrypto/dh/dh_gen.c b/lib/libcrypto/dh/dh_gen.c
index b7bcd2c7a41..7a6a38fbb48 100644
--- a/lib/libcrypto/dh/dh_gen.c
+++ b/lib/libcrypto/dh/dh_gen.c
@@ -72,14 +72,14 @@
  * Having said all that,
  * there is another special case method for the generators 2, 3 and 5.
  * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5  <<<<< does not work for strong primes.
+ * for 3, p mod 12 == 5  <<<<< does not work for safe primes.
  * for 5, p mod 10 == 3 or 7
  *
  * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
  * special generators and for answering some of my questions.
  *
  * I've implemented the second simple method :-).
- * Since DH should be using a strong prime (both p and q are prime),
+ * Since DH should be using a safe prime (both p and q are prime),
  * this generator function can take a very very long time to run.
  */
 
@@ -95,9 +95,10 @@ DH *DH_generate_parameters(int prime_len, int generator,
 	if (ret == NULL) goto err;
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
-	t1= &(ctx->bn[0]);
-	t2= &(ctx->bn[1]);
-	ctx->tos=2;
+	BN_CTX_start(ctx);
+	t1 = BN_CTX_get(ctx);
+	t2 = BN_CTX_get(ctx);
+	if (t1 == NULL || t2 == NULL) goto err;
 	
 	if (generator == DH_GENERATOR_2)
 		{
@@ -105,7 +106,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
 		BN_set_word(t2,11);
 		g=2;
 		}
-#ifdef undef  /* does not work for strong primes */
+#ifdef undef  /* does not work for safe primes */
 	else if (generator == DH_GENERATOR_3)
 		{
 		BN_set_word(t1,12);
@@ -138,7 +139,11 @@ err:
 		ok=0;
 		}
 
-	if (ctx != NULL) BN_CTX_free(ctx);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	if (!ok && (ret != NULL))
 		{
 		DH_free(ret);
diff --git a/lib/libcrypto/dh/dh_key.c b/lib/libcrypto/dh/dh_key.c
index cede53bfc17..0c7eeaf260b 100644
--- a/lib/libcrypto/dh/dh_key.c
+++ b/lib/libcrypto/dh/dh_key.c
@@ -62,8 +62,42 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
 
+static int generate_key(DH *dh);
+static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+static int dh_bn_mod_exp(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx,
+			BN_MONT_CTX *m_ctx);
+static int dh_init(DH *dh);
+static int dh_finish(DH *dh);
+
 int DH_generate_key(DH *dh)
 	{
+	return dh->meth->generate_key(dh);
+	}
+
+int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
+	{
+	return dh->meth->compute_key(key, pub_key, dh);
+	}
+
+static DH_METHOD dh_ossl = {
+"OpenSSL DH Method",
+generate_key,
+compute_key,
+dh_bn_mod_exp,
+dh_init,
+dh_finish,
+0,
+NULL
+};
+
+DH_METHOD *DH_OpenSSL(void)
+{
+	return &dh_ossl;
+}
+
+static int generate_key(DH *dh)
+	{
 	int ok=0;
 	unsigned int i;
 	BN_CTX ctx;
@@ -103,7 +137,8 @@ int DH_generate_key(DH *dh)
 		}
 	mont=(BN_MONT_CTX *)dh->method_mont_p;
 
-	if (!BN_mod_exp_mont(pub_key,dh->g,priv_key,dh->p,&ctx,mont)) goto err;
+	if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont))
+								goto err;
 		
 	dh->pub_key=pub_key;
 	dh->priv_key=priv_key;
@@ -118,7 +153,7 @@ err:
 	return(ok);
 	}
 
-int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
+static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 	{
 	BN_CTX ctx;
 	BN_MONT_CTX *mont;
@@ -126,7 +161,8 @@ int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 	int ret= -1;
 
 	BN_CTX_init(&ctx);
-	tmp= &(ctx.bn[ctx.tos++]);
+	BN_CTX_start(&ctx);
+	tmp = BN_CTX_get(&ctx);
 	
 	if (dh->priv_key == NULL)
 		{
@@ -141,7 +177,7 @@ int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 		}
 
 	mont=(BN_MONT_CTX *)dh->method_mont_p;
-	if (!BN_mod_exp_mont(tmp,pub_key,dh->priv_key,dh->p,&ctx,mont))
+	if (!dh->meth->bn_mod_exp(dh, tmp,pub_key,dh->priv_key,dh->p,&ctx,mont))
 		{
 		DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
 		goto err;
@@ -149,6 +185,27 @@ int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 
 	ret=BN_bn2bin(tmp,key);
 err:
+	BN_CTX_end(&ctx);
 	BN_CTX_free(&ctx);
 	return(ret);
 	}
+
+static int dh_bn_mod_exp(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+			const BIGNUM *m, BN_CTX *ctx,
+			BN_MONT_CTX *m_ctx)
+{
+	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+}
+
+static int dh_init(DH *dh)
+{
+	dh->flags |= DH_FLAG_CACHE_MONT_P;
+	return(1);
+}
+
+static int dh_finish(DH *dh)
+{
+	if(dh->method_mont_p)
+		BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
+	return(1);
+}
diff --git a/lib/libcrypto/dh/dh_lib.c b/lib/libcrypto/dh/dh_lib.c
index 61e0720e8a7..6c21463028a 100644
--- a/lib/libcrypto/dh/dh_lib.c
+++ b/lib/libcrypto/dh/dh_lib.c
@@ -63,16 +63,49 @@
 
 const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
+static DH_METHOD *default_DH_method;
+static int dh_meth_num = 0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
+
+void DH_set_default_method(DH_METHOD *meth)
+{
+	default_DH_method = meth;
+}
+
+DH_METHOD *DH_get_default_method(void)
+{
+	if(!default_DH_method) default_DH_method = DH_OpenSSL();
+	return default_DH_method;
+}
+
+DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth)
+{
+        DH_METHOD *mtmp;
+        mtmp = dh->meth;
+        if (mtmp->finish) mtmp->finish(dh);
+        dh->meth = meth;
+        if (meth->init) meth->init(dh);
+        return mtmp;
+}
+
 DH *DH_new(void)
+{
+	return DH_new_method(NULL);
+}
+
+DH *DH_new_method(DH_METHOD *meth)
 	{
 	DH *ret;
-
 	ret=(DH *)Malloc(sizeof(DH));
+
 	if (ret == NULL)
 		{
 		DHerr(DH_F_DH_NEW,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
+	if(!default_DH_method) default_DH_method = DH_OpenSSL();
+	if(meth) ret->meth = meth;
+	else ret->meth = default_DH_method;
 	ret->pad=0;
 	ret->version=0;
 	ret->p=NULL;
@@ -80,23 +113,74 @@ DH *DH_new(void)
 	ret->length=0;
 	ret->pub_key=NULL;
 	ret->priv_key=NULL;
-	ret->flags=DH_FLAG_CACHE_MONT_P;
+	ret->q=NULL;
+	ret->j=NULL;
+	ret->seed = NULL;
+	ret->seedlen = 0;
+	ret->counter = NULL;
 	ret->method_mont_p=NULL;
+	ret->references = 1;
+	ret->flags=ret->meth->flags;
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+	else
+		CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
 	return(ret);
 	}
 
 void DH_free(DH *r)
 	{
+	int i;
 	if(r == NULL) return;
+	i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_DH);
+#ifdef REF_PRINT
+	REF_PRINT("DH",r);
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"DH_free, bad reference count\n");
+		abort();
+	}
+#endif
+
+	CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);
+
+	if(r->meth->finish) r->meth->finish(r);
+
 	if (r->p != NULL) BN_clear_free(r->p);
 	if (r->g != NULL) BN_clear_free(r->g);
+	if (r->q != NULL) BN_clear_free(r->q);
+	if (r->j != NULL) BN_clear_free(r->j);
+	if (r->seed) Free(r->seed);
+	if (r->counter != NULL) BN_clear_free(r->counter);
 	if (r->pub_key != NULL) BN_clear_free(r->pub_key);
 	if (r->priv_key != NULL) BN_clear_free(r->priv_key);
-	if (r->method_mont_p != NULL)
-		BN_MONT_CTX_free((BN_MONT_CTX *)r->method_mont_p);
 	Free(r);
 	}
 
+int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	dh_meth_num++;
+	return(CRYPTO_get_ex_new_index(dh_meth_num-1,
+		&dh_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int DH_set_ex_data(DH *d, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&d->ex_data,idx,arg));
+	}
+
+void *DH_get_ex_data(DH *d, int idx)
+	{
+	return(CRYPTO_get_ex_data(&d->ex_data,idx));
+	}
+
 int DH_size(DH *dh)
 	{
 	return(BN_num_bytes(dh->p));
diff --git a/lib/libcrypto/dh/dhtest.c b/lib/libcrypto/dh/dhtest.c
index 770331971f2..d66c28455ec 100644
--- a/lib/libcrypto/dh/dhtest.c
+++ b/lib/libcrypto/dh/dhtest.c
@@ -65,6 +65,7 @@
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
 #include <openssl/bn.h>
+#include <openssl/rand.h>
 
 #ifdef NO_DH
 int main(int argc, char *argv[])
@@ -87,19 +88,23 @@ static void MS_CALLBACK cb(int p, int n, void *arg);
 #include "bss_file.c"
 #endif
 
-BIO *out=NULL;
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
 int main(int argc, char *argv[])
 	{
-	DH *a,*b;
+	DH *a;
+	DH *b=NULL;
 	char buf[12];
 	unsigned char *abuf=NULL,*bbuf=NULL;
 	int i,alen,blen,aout,bout,ret=1;
+	BIO *out;
 
 #ifdef WIN32
 	CRYPTO_malloc_init();
 #endif
 
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
 	out=BIO_new(BIO_s_file());
 	if (out == NULL) exit(1);
 	BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -167,6 +172,9 @@ int main(int argc, char *argv[])
 err:
 	if (abuf != NULL) Free(abuf);
 	if (bbuf != NULL) Free(bbuf);
+	if(b != NULL) DH_free(b);
+	if(a != NULL) DH_free(a);
+	BIO_free(out);
 	exit(ret);
 	return(ret);
 	}
diff --git a/lib/libcrypto/dsa/Makefile.ssl b/lib/libcrypto/dsa/Makefile.ssl
index 4bc74a2f7c4..b0bcf974fbf 100644
--- a/lib/libcrypto/dsa/Makefile.ssl
+++ b/lib/libcrypto/dsa/Makefile.ssl
@@ -22,8 +22,10 @@ TEST=dsatest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c dsa_err.c
-LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o dsa_err.o
+LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \
+	dsa_err.c dsa_ossl.c
+LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \
+	dsa_err.o dsa_ossl.o
 
 SRC= $(LIBSRC)
 
@@ -86,25 +88,27 @@ dsa_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 dsa_asn1.o: ../../include/openssl/stack.h ../cryptlib.h
-dsa_err.o: ../../include/openssl/bn.h ../../include/openssl/dh.h
-dsa_err.o: ../../include/openssl/dsa.h ../../include/openssl/err.h
-dsa_err.o: ../../include/openssl/opensslconf.h
+dsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+dsa_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+dsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_err.o: ../../include/openssl/stack.h
 dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_gen.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 dsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 dsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_gen.o: ../cryptlib.h
+dsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_gen.o: ../../include/openssl/stack.h ../cryptlib.h
 dsa_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 dsa_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 dsa_key.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_key.o: ../cryptlib.h
+dsa_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_key.o: ../../include/openssl/stack.h ../cryptlib.h
 dsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dsa_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
@@ -113,6 +117,15 @@ dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dsa_lib.o: ../cryptlib.h
+dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dsa_ossl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_ossl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_ossl.o: ../cryptlib.h
 dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
diff --git a/lib/libcrypto/dsa/dsa.h b/lib/libcrypto/dsa/dsa.h
index 20b3f8d90a0..68d9912cbc5 100644
--- a/lib/libcrypto/dsa/dsa.h
+++ b/lib/libcrypto/dsa/dsa.h
@@ -74,13 +74,41 @@ extern "C" {
 #endif
 
 #include <openssl/bn.h>
+#include <openssl/crypto.h>
 #ifndef NO_DH
 # include <openssl/dh.h>
 #endif
 
 #define DSA_FLAG_CACHE_MONT_P	0x01
 
-typedef struct dsa_st
+typedef struct dsa_st DSA;
+
+typedef struct DSA_SIG_st
+	{
+	BIGNUM *r;
+	BIGNUM *s;
+	} DSA_SIG;
+
+typedef struct dsa_method {
+	const char *name;
+	DSA_SIG * (*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa);
+	int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+								BIGNUM **rp);
+	int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
+							DSA_SIG *sig, DSA *dsa);
+	int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+			BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+			BN_MONT_CTX *in_mont);
+	int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+				const BIGNUM *m, BN_CTX *ctx,
+				BN_MONT_CTX *m_ctx); /* Can be null */
+	int (*init)(DSA *dsa);
+	int (*finish)(DSA *dsa);
+	int flags;
+	char *app_data;
+} DSA_METHOD;
+
+struct dsa_st
 	{
 	/* This first variable is used to pick up errors where
 	 * a DSA is passed instead of of a EVP_PKEY */
@@ -100,15 +128,10 @@ typedef struct dsa_st
 	int flags;
 	/* Normally used to cache montgomery values */
 	char *method_mont_p;
-
 	int references;
-	} DSA;
-
-typedef struct DSA_SIG_st
-	{
-	BIGNUM *r;
-	BIGNUM *s;
-	} DSA_SIG;
+	CRYPTO_EX_DATA ex_data;
+	DSA_METHOD *meth;
+	};
 
 #define DSAparams_dup(x) (DSA *)ASN1_dup((int (*)())i2d_DSAparams, \
 		(char *(*)())d2i_DSAparams,(char *)(x))
@@ -131,7 +154,14 @@ DSA_SIG * DSA_do_sign(const unsigned char *dgst,int dlen,DSA *dsa);
 int	DSA_do_verify(const unsigned char *dgst,int dgst_len,
 		      DSA_SIG *sig,DSA *dsa);
 
+DSA_METHOD *DSA_OpenSSL(void);
+
+void        DSA_set_default_method(DSA_METHOD *);
+DSA_METHOD *DSA_get_default_method(void);
+DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *);
+
 DSA *	DSA_new(void);
+DSA *	DSA_new_method(DSA_METHOD *meth);
 int	DSA_size(DSA *);
 	/* next 4 return -1 on error */
 int	DSA_sign_setup( DSA *dsa,BN_CTX *ctx_in,BIGNUM **kinvp,BIGNUM **rp);
@@ -140,6 +170,10 @@ int	DSA_sign(int type,const unsigned char *dgst,int dlen,
 int	DSA_verify(int type,const unsigned char *dgst,int dgst_len,
 		unsigned char *sigbuf, int siglen, DSA *dsa);
 void	DSA_free (DSA *r);
+int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int DSA_set_ex_data(DSA *d, int idx, void *arg);
+void *DSA_get_ex_data(DSA *d, int idx);
 
 void	ERR_load_DSA_strings(void );
 
@@ -148,7 +182,7 @@ DSA *	d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
 DSA * 	d2i_DSAparams(DSA **a, unsigned char **pp, long length);
 DSA *	DSA_generate_parameters(int bits, unsigned char *seed,int seed_len,
 		int *counter_ret, unsigned long *h_ret,void
-		(*callback)(),char *cb_arg);
+		(*callback)(int, int, void *),void *cb_arg);
 int	DSA_generate_key(DSA *a);
 int	i2d_DSAPublicKey(DSA *a, unsigned char **pp);
 int 	i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
@@ -163,7 +197,11 @@ int	DSAparams_print_fp(FILE *fp, DSA *x);
 int	DSA_print_fp(FILE *bp, DSA *x, int off);
 #endif
 
-int DSA_is_prime(BIGNUM *q,void (*callback)(),char *cb_arg);
+#define DSS_prime_checks 50
+/* Primality test according to FIPS PUB 186[-1], Appendix 2.1:
+ * 50 rounds of Rabin-Miller */
+#define DSA_is_prime(n, callback, cb_arg) \
+	BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
 
 #ifndef NO_DH
 /* Convert DSA structure (key or just parameters) into DH structure
@@ -184,7 +222,6 @@ DH *DSA_dup_DH(DSA *r);
 #define DSA_F_DSAPARAMS_PRINT_FP			 101
 #define DSA_F_DSA_DO_SIGN				 112
 #define DSA_F_DSA_DO_VERIFY				 113
-#define DSA_F_DSA_IS_PRIME				 102
 #define DSA_F_DSA_NEW					 103
 #define DSA_F_DSA_PRINT					 104
 #define DSA_F_DSA_PRINT_FP				 105
diff --git a/lib/libcrypto/dsa/dsa_asn1.c b/lib/libcrypto/dsa/dsa_asn1.c
index 7523b21654d..c9b32b4db78 100644
--- a/lib/libcrypto/dsa/dsa_asn1.c
+++ b/lib/libcrypto/dsa/dsa_asn1.c
@@ -83,7 +83,7 @@ DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length)
 	M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
 	if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL)
 		goto err_bn;
-	ASN1_BIT_STRING_free(bs);
+	M_ASN1_BIT_STRING_free(bs);
 	M_ASN1_D2I_Finish_2(a);
 
 err_bn:
@@ -91,6 +91,6 @@ err_bn:
 err:
 	DSAerr(DSA_F_D2I_DSA_SIG,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_SIG_free(ret);
-	if (bs != NULL) ASN1_BIT_STRING_free(bs);
+	if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
 	return(NULL);
 }
diff --git a/lib/libcrypto/dsa/dsa_err.c b/lib/libcrypto/dsa/dsa_err.c
index 33a8270afde..38e4af968cb 100644
--- a/lib/libcrypto/dsa/dsa_err.c
+++ b/lib/libcrypto/dsa/dsa_err.c
@@ -70,7 +70,6 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),	"DSAparams_print_fp"},
 {ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),	"DSA_do_sign"},
 {ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),	"DSA_do_verify"},
-{ERR_PACK(0,DSA_F_DSA_IS_PRIME,0),	"DSA_is_prime"},
 {ERR_PACK(0,DSA_F_DSA_NEW,0),	"DSA_new"},
 {ERR_PACK(0,DSA_F_DSA_PRINT,0),	"DSA_print"},
 {ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),	"DSA_print_fp"},
diff --git a/lib/libcrypto/dsa/dsa_gen.c b/lib/libcrypto/dsa/dsa_gen.c
index b5e5ec06e5e..2294a362d99 100644
--- a/lib/libcrypto/dsa/dsa_gen.c
+++ b/lib/libcrypto/dsa/dsa_gen.c
@@ -59,12 +59,18 @@
 #undef GENUINE_DSA
 
 #ifdef GENUINE_DSA
+/* Parameter generation follows the original release of FIPS PUB 186,
+ * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
 #define HASH    SHA
 #else
+/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
+ * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
+ * FIPS PUB 180-1) */
 #define HASH    SHA1
 #endif 
 
 #ifndef NO_SHA
+
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
@@ -74,8 +80,9 @@
 #include <openssl/rand.h>
 
 DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
-	     int *counter_ret, unsigned long *h_ret, void (*callback)(),
-	     char *cb_arg)
+		int *counter_ret, unsigned long *h_ret,
+		void (*callback)(int, int, void *),
+		void *cb_arg)
 	{
 	int ok=0;
 	unsigned char seed[SHA_DIGEST_LENGTH];
@@ -86,47 +93,63 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 	BN_MONT_CTX *mont=NULL;
 	int k,n=0,i,b,m=0;
 	int counter=0;
-	BN_CTX *ctx=NULL,*ctx2=NULL;
+	int r=0;
+	BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL;
 	unsigned int h=2;
 	DSA *ret=NULL;
 
 	if (bits < 512) bits=512;
 	bits=(bits+63)/64*64;
 
+	if (seed_len < 20)
+		seed_in = NULL; /* seed buffer too small -- ignore */
+	if (seed_len > 20) 
+		seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
+		                * but our internal buffers are restricted to 160 bits*/
 	if ((seed_in != NULL) && (seed_len == 20))
 		memcpy(seed,seed_in,seed_len);
 
 	if ((ctx=BN_CTX_new()) == NULL) goto err;
 	if ((ctx2=BN_CTX_new()) == NULL) goto err;
+	if ((ctx3=BN_CTX_new()) == NULL) goto err;
 	if ((ret=DSA_new()) == NULL) goto err;
 
 	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
 
-	r0= &(ctx2->bn[0]);
-	g= &(ctx2->bn[1]);
-	W= &(ctx2->bn[2]);
-	q= &(ctx2->bn[3]);
-	X= &(ctx2->bn[4]);
-	c= &(ctx2->bn[5]);
-	p= &(ctx2->bn[6]);
-	test= &(ctx2->bn[7]);
+	BN_CTX_start(ctx2);
+	r0 = BN_CTX_get(ctx2);
+	g = BN_CTX_get(ctx2);
+	W = BN_CTX_get(ctx2);
+	q = BN_CTX_get(ctx2);
+	X = BN_CTX_get(ctx2);
+	c = BN_CTX_get(ctx2);
+	p = BN_CTX_get(ctx2);
+	test = BN_CTX_get(ctx2);
 
 	BN_lshift(test,BN_value_one(),bits-1);
 
 	for (;;)
 		{
-		for (;;)
+		for (;;) /* find q */
 			{
+			int seed_is_random;
+
 			/* step 1 */
 			if (callback != NULL) callback(0,m++,cb_arg);
 
 			if (!seed_len)
-				RAND_bytes(seed,SHA_DIGEST_LENGTH);
+				{
+				RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
+				seed_is_random = 1;
+				}
 			else
-				seed_len=0;
-
+				{
+				seed_is_random = 0;
+				seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
+				}
 			memcpy(buf,seed,SHA_DIGEST_LENGTH);
 			memcpy(buf2,seed,SHA_DIGEST_LENGTH);
+			/* precompute "SEED + 1" for step 7: */
 			for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
 				{
 				buf[i]++;
@@ -142,10 +165,15 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 			/* step 3 */
 			md[0]|=0x80;
 			md[SHA_DIGEST_LENGTH-1]|=0x01;
-			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) abort();
+			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
 
 			/* step 4 */
-			if (DSA_is_prime(q,callback,cb_arg) > 0) break;
+			r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
+			if (r > 0)
+				break;
+			if (r != 0)
+				goto err;
+
 			/* do a callback call */
 			/* step 5 */
 			}
@@ -155,16 +183,22 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 
 		/* step 6 */
 		counter=0;
+		/* "offset = 2" */
 
 		n=(bits-1)/160;
 		b=(bits-1)-n*160;
 
 		for (;;)
 			{
+			if (callback != NULL && counter != 0)
+				callback(0,counter,cb_arg);
+
 			/* step 7 */
 			BN_zero(W);
+			/* now 'buf' contains "SEED + offset - 1" */
 			for (k=0; k<=n; k++)
 				{
+				/* obtain "SEED + offset + k" by incrementing: */
 				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
 					{
 					buf[i]++;
@@ -174,7 +208,8 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 				HASH(buf,SHA_DIGEST_LENGTH,md);
 
 				/* step 8 */
-				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) abort();
+				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
+					goto err;
 				BN_lshift(r0,r0,160*k);
 				BN_add(W,W,r0);
 				}
@@ -194,23 +229,25 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 			if (BN_cmp(p,test) >= 0)
 				{
 				/* step 11 */
-				if (DSA_is_prime(p,callback,cb_arg) > 0)
-					goto end;
+				r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
+				if (r > 0)
+						goto end; /* found it */
+				if (r != 0)
+					goto err;
 				}
 
 			/* step 13 */
 			counter++;
+			/* "offset = offset + n + 1" */
 
 			/* step 14 */
 			if (counter >= 4096) break;
-
-			if (callback != NULL) callback(0,counter,cb_arg);
 			}
 		}
 end:
 	if (callback != NULL) callback(2,1,cb_arg);
 
-	/* We now need to gernerate g */
+	/* We now need to generate g */
 	/* Set r0=(p-1)/q */
 	BN_sub(test,p,BN_value_one());
 	BN_div(r0,NULL,test,q,ctx);
@@ -245,89 +282,13 @@ err:
 		if (h_ret != NULL) *h_ret=h;
 		}
 	if (ctx != NULL) BN_CTX_free(ctx);
-	if (ctx != NULL) BN_CTX_free(ctx2);
-	if (mont != NULL) BN_MONT_CTX_free(mont);
-	return(ok?ret:NULL);
-	}
-
-int DSA_is_prime(BIGNUM *w, void (*callback)(), char *cb_arg)
-	{
-	int ok= -1,j,i,n;
-	BN_CTX *ctx=NULL,*ctx2=NULL;
-	BIGNUM *w_1,*b,*m,*z,*tmp,*mont_1;
-	int a;
-	BN_MONT_CTX *mont=NULL;
-
-	if (!BN_is_bit_set(w,0)) return(0);
-
-	if ((ctx=BN_CTX_new()) == NULL) goto err;
-	if ((ctx2=BN_CTX_new()) == NULL) goto err;
-	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
-
-	m=   &(ctx2->bn[2]);
-	b=   &(ctx2->bn[3]);
-	z=   &(ctx2->bn[4]);
-	w_1= &(ctx2->bn[5]);
-	tmp= &(ctx2->bn[6]);
-	mont_1= &(ctx2->bn[7]);
-
-	/* step 1 */
-	n=50;
-
-	/* step 2 */
-	if (!BN_sub(w_1,w,BN_value_one())) goto err;
-	for (a=1; !BN_is_bit_set(w_1,a); a++)
-		;
-	if (!BN_rshift(m,w_1,a)) goto err;
-
-	BN_MONT_CTX_set(mont,w,ctx);
-	BN_to_montgomery(mont_1,BN_value_one(),mont,ctx);
-	BN_to_montgomery(w_1,w_1,mont,ctx);
-	for (i=1; i < n; i++)
+	if (ctx2 != NULL)
 		{
-		/* step 3 */
-		BN_rand(b,BN_num_bits(w)-2/*-1*/,0,0);
-		/* BN_set_word(b,0x10001L); */
-
-		/* step 4 */
-		j=0;
-		if (!BN_mod_exp_mont(z,b,m,w,ctx,mont)) goto err;
-
-		if (!BN_to_montgomery(z,z,mont,ctx)) goto err;
-
-		/* step 5 */
-		for (;;)
-			{
-			if (((j == 0) && (BN_cmp(z,mont_1) == 0)) ||
-				(BN_cmp(z,w_1) == 0))
-				break;
-
-			/* step 6 */
-			if ((j > 0) && (BN_cmp(z,mont_1) == 0))
-				{
-				ok=0;
-				goto err;
-				}
-
-			j++;
-			if (j >= a)
-				{
-				ok=0;
-				goto err;
-				}
-
-			if (!BN_mod_mul_montgomery(z,z,z,mont,ctx)) goto err;
-			if (callback != NULL) callback(1,j,cb_arg);
-			}
+		BN_CTX_end(ctx2);
+		BN_CTX_free(ctx2);
 		}
-
-	ok=1;
-err:
-	if (ok == -1) DSAerr(DSA_F_DSA_IS_PRIME,ERR_R_BN_LIB);
-	BN_CTX_free(ctx);
-	BN_CTX_free(ctx2);
-	BN_MONT_CTX_free(mont);
-	
-	return(ok);
+	if (ctx3 != NULL) BN_CTX_free(ctx3);
+	if (mont != NULL) BN_MONT_CTX_free(mont);
+	return(ok?ret:NULL);
 	}
 #endif
diff --git a/lib/libcrypto/dsa/dsa_lib.c b/lib/libcrypto/dsa/dsa_lib.c
index ce8e204f7e6..224e412afc4 100644
--- a/lib/libcrypto/dsa/dsa_lib.c
+++ b/lib/libcrypto/dsa/dsa_lib.c
@@ -66,7 +66,38 @@
 
 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
 
+static DSA_METHOD *default_DSA_method;
+static int dsa_meth_num = 0;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
+
+void DSA_set_default_method(DSA_METHOD *meth)
+{
+	default_DSA_method = meth;
+}
+
+DSA_METHOD *DSA_get_default_method(void)
+{
+	if(!default_DSA_method) default_DSA_method = DSA_OpenSSL();
+	return default_DSA_method;
+}
+
 DSA *DSA_new(void)
+{
+	return DSA_new_method(NULL);
+}
+
+DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth)
+{
+        DSA_METHOD *mtmp;
+        mtmp = dsa->meth;
+        if (mtmp->finish) mtmp->finish(dsa);
+        dsa->meth = meth;
+        if (meth->init) meth->init(dsa);
+        return mtmp;
+}
+
+
+DSA *DSA_new_method(DSA_METHOD *meth)
 	{
 	DSA *ret;
 
@@ -76,13 +107,15 @@ DSA *DSA_new(void)
 		DSAerr(DSA_F_DSA_NEW,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
+	if(!default_DSA_method) default_DSA_method = DSA_OpenSSL();
+	if(meth) ret->meth = meth;
+	else ret->meth = default_DSA_method;
 	ret->pad=0;
 	ret->version=0;
 	ret->write_params=1;
 	ret->p=NULL;
 	ret->q=NULL;
 	ret->g=NULL;
-	ret->flags=DSA_FLAG_CACHE_MONT_P;
 
 	ret->pub_key=NULL;
 	ret->priv_key=NULL;
@@ -92,6 +125,15 @@ DSA *DSA_new(void)
 	ret->method_mont_p=NULL;
 
 	ret->references=1;
+	ret->flags=ret->meth->flags;
+	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+		{
+		Free(ret);
+		ret=NULL;
+		}
+	else
+		CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
+	
 	return(ret);
 	}
 
@@ -114,6 +156,10 @@ void DSA_free(DSA *r)
 		}
 #endif
 
+	CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+
+	if(r->meth->finish) r->meth->finish(r);
+
 	if (r->p != NULL) BN_clear_free(r->p);
 	if (r->q != NULL) BN_clear_free(r->q);
 	if (r->g != NULL) BN_clear_free(r->g);
@@ -121,8 +167,6 @@ void DSA_free(DSA *r)
 	if (r->priv_key != NULL) BN_clear_free(r->priv_key);
 	if (r->kinv != NULL) BN_clear_free(r->kinv);
 	if (r->r != NULL) BN_clear_free(r->r);
-	if (r->method_mont_p != NULL)
-		BN_MONT_CTX_free((BN_MONT_CTX *)r->method_mont_p);
 	Free(r);
 	}
 
@@ -145,6 +189,24 @@ int DSA_size(DSA *r)
 	return(ret);
 	}
 
+int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+	dsa_meth_num++;
+	return(CRYPTO_get_ex_new_index(dsa_meth_num-1,
+		&dsa_meth,argl,argp,new_func,dup_func,free_func));
+        }
+
+int DSA_set_ex_data(DSA *d, int idx, void *arg)
+	{
+	return(CRYPTO_set_ex_data(&d->ex_data,idx,arg));
+	}
+
+void *DSA_get_ex_data(DSA *d, int idx)
+	{
+	return(CRYPTO_get_ex_data(&d->ex_data,idx));
+	}
+
 #ifndef NO_DH
 DH *DSA_dup_DH(DSA *r)
 	{
diff --git a/lib/libcrypto/dsa/dsa_sign.c b/lib/libcrypto/dsa/dsa_sign.c
index 774c1619643..89205026f01 100644
--- a/lib/libcrypto/dsa/dsa_sign.c
+++ b/lib/libcrypto/dsa/dsa_sign.c
@@ -67,73 +67,9 @@
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
-	BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
-	BIGNUM m;
-	BIGNUM xr;
-	BN_CTX *ctx=NULL;
-	int i,reason=ERR_R_BN_LIB;
-	DSA_SIG *ret=NULL;
-
-	BN_init(&m);
-	BN_init(&xr);
-	s=BN_new();
-	if (s == NULL) goto err;
-
-	i=BN_num_bytes(dsa->q); /* should be 20 */
-	if ((dlen > i) || (dlen > 50))
-		{
-		reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
-		goto err;
-		}
-
-	ctx=BN_CTX_new();
-	if (ctx == NULL) goto err;
-
-	if ((dsa->kinv == NULL) || (dsa->r == NULL))
-		{
-		if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
-		}
-	else
-		{
-		kinv=dsa->kinv;
-		dsa->kinv=NULL;
-		r=dsa->r;
-		dsa->r=NULL;
-		}
-
-	if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;
-
-	/* Compute  s = inv(k) (m + xr) mod q */
-	if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
-	if (!BN_add(s, &xr, &m)) goto err;		/* s = m + xr */
-	if (BN_cmp(s,dsa->q) > 0)
-		BN_sub(s,s,dsa->q);
-	if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
-
-	ret=DSA_SIG_new();
-	if (ret == NULL) goto err;
-	ret->r = r;
-	ret->s = s;
-	
-err:
-	if (!ret)
-		{
-		DSAerr(DSA_F_DSA_DO_SIGN,reason);
-		BN_free(r);
-		BN_free(s);
-		}
-	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_clear_free(&m);
-	BN_clear_free(&xr);
-	if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
-	    BN_clear_free(kinv);
-	return(ret);
+	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
 	}
 
-/* data has already been hashed (probably with SHA or SHA-1). */
-
-/* unsigned char *sig:  out    */
-/* unsigned int *siglen:  out    */
 int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 	     unsigned int *siglen, DSA *dsa)
 	{
@@ -151,61 +87,6 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
-	BN_CTX *ctx;
-	BIGNUM k,*kinv=NULL,*r=NULL;
-	int ret=0;
-
-	if (ctx_in == NULL)
-		{
-		if ((ctx=BN_CTX_new()) == NULL) goto err;
-		}
-	else
-		ctx=ctx_in;
-
-	BN_init(&k);
-	if ((r=BN_new()) == NULL) goto err;
-	kinv=NULL;
-
-	/* Get random k */
-	for (;;)
-		{
-		if (!BN_rand(&k, BN_num_bits(dsa->q), 1, 0)) goto err;
-		if (BN_cmp(&k,dsa->q) >= 0)
-			BN_sub(&k,&k,dsa->q);
-		if (!BN_is_zero(&k)) break;
-		}
-
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
-		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
-		}
-
-	/* Compute r = (g^k mod p) mod q */
-	if (!BN_mod_exp_mont(r,dsa->g,&k,dsa->p,ctx,
-		(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
-	if (!BN_mod(r,r,dsa->q,ctx)) goto err;
-
-	/* Compute  part of 's = inv(k) (m + xr) mod q' */
-	if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
-
-	if (*kinvp != NULL) BN_clear_free(*kinvp);
-	*kinvp=kinv;
-	kinv=NULL;
-	if (*rp != NULL) BN_clear_free(*rp);
-	*rp=r;
-	ret=1;
-err:
-	if (!ret)
-		{
-		DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
-		if (kinv != NULL) BN_clear_free(kinv);
-		if (r != NULL) BN_clear_free(r);
-		}
-	if (ctx_in == NULL) BN_CTX_free(ctx);
-	if (kinv != NULL) BN_clear_free(kinv);
-	BN_clear_free(&k);
-	return(ret);
+	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
 	}
 
diff --git a/lib/libcrypto/dsa/dsa_vrf.c b/lib/libcrypto/dsa/dsa_vrf.c
index ff552208aa2..03277f80fdc 100644
--- a/lib/libcrypto/dsa/dsa_vrf.c
+++ b/lib/libcrypto/dsa/dsa_vrf.c
@@ -69,73 +69,7 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
-	BN_CTX *ctx;
-	BIGNUM u1,u2,t1;
-	BN_MONT_CTX *mont=NULL;
-	int ret = -1;
-
-	if ((ctx=BN_CTX_new()) == NULL) goto err;
-	BN_init(&u1);
-	BN_init(&u2);
-	BN_init(&t1);
-
-	/* Calculate W = inv(S) mod Q
-	 * save W in u2 */
-	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
-
-	/* save M in u1 */
-	if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
-
-	/* u1 = M * w mod q */
-	if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
-
-	/* u2 = r * w mod q */
-	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
-
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
-		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
-		}
-	mont=(BN_MONT_CTX *)dsa->method_mont_p;
-
-#if 0
-	{
-	BIGNUM t2;
-
-	BN_init(&t2);
-	/* v = ( g^u1 * y^u2 mod p ) mod q */
-	/* let t1 = g ^ u1 mod p */
-	if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
-	/* let t2 = y ^ u2 mod p */
-	if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
-	/* let u1 = t1 * t2 mod p */
-	if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
-	BN_free(&t2);
-	}
-	/* let u1 = u1 mod q */
-	if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
-#else
-	{
-	if (!BN_mod_exp2_mont(&t1,dsa->g,&u1,dsa->pub_key,&u2,dsa->p,ctx,mont))
-		goto err;
-	/* BN_copy(&u1,&t1); */
-	/* let u1 = u1 mod q */
-	if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
-	}
-#endif
-	/* V is now in u1.  If the signature is correct, it will be
-	 * equal to R. */
-	ret=(BN_ucmp(&u1, sig->r) == 0);
-
-	err:
-	if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
-	if (ctx != NULL) BN_CTX_free(ctx);
-	BN_free(&u1);
-	BN_free(&u2);
-	BN_free(&t1);
-	return(ret);
+	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
 	}
 
 /* data has already been hashed (probably with SHA or SHA-1). */
diff --git a/lib/libcrypto/dsa/dsatest.c b/lib/libcrypto/dsa/dsatest.c
index fc25c9a1b79..309a7cda899 100644
--- a/lib/libcrypto/dsa/dsatest.c
+++ b/lib/libcrypto/dsa/dsatest.c
@@ -84,7 +84,10 @@ int main(int argc, char *argv[])
 #define MS_CALLBACK
 #endif
 
-static void MS_CALLBACK dsa_cb(int p, int n, char *arg);
+static void MS_CALLBACK dsa_cb(int p, int n, void *arg);
+
+/* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
+ * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
 static unsigned char seed[20]={
 	0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
 	0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
@@ -120,6 +123,8 @@ static unsigned char out_g[]={
 
 static const unsigned char str1[]="12345678901234567890";
 
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
 static BIO *bio_err=NULL;
 
 int main(int argc, char **argv)
@@ -131,15 +136,17 @@ int main(int argc, char **argv)
 	unsigned char sig[256];
 	unsigned int siglen;
 
+	ERR_load_crypto_strings();
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
 	BIO_printf(bio_err,"test generation of DSA parameters\n");
-	BIO_printf(bio_err,"expect '.*' followed by 5 lines of '.'s and '+'s\n");
-	dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,
-		(char *)bio_err);
+
+	dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,bio_err);
 
 	BIO_printf(bio_err,"seed\n");
 	for (i=0; i<20; i+=4)
@@ -193,13 +200,18 @@ end:
 	if (!ret)
 		ERR_print_errors(bio_err);
 	if (dsa != NULL) DSA_free(dsa);
+	ERR_remove_state(0);
 	CRYPTO_mem_leaks(bio_err);
-	if (bio_err != NULL) BIO_free(bio_err);
+	if (bio_err != NULL)
+		{
+		BIO_free(bio_err);
+		bio_err = NULL;
+		}
 	exit(!ret);
 	return(0);
 	}
 
-static void MS_CALLBACK dsa_cb(int p, int n, char *arg)
+static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
 	{
 	char c='*';
 	static int ok=0,num=0;
@@ -208,8 +220,8 @@ static void MS_CALLBACK dsa_cb(int p, int n, char *arg)
 	if (p == 1) c='+';
 	if (p == 2) { c='*'; ok++; }
 	if (p == 3) c='\n';
-	BIO_write((BIO *)arg,&c,1);
-	(void)BIO_flush((BIO *)arg);
+	BIO_write(arg,&c,1);
+	(void)BIO_flush(arg);
 
 	if (!ok && (p == 0) && (num > 1))
 		{
diff --git a/lib/libcrypto/ebcdic.h b/lib/libcrypto/ebcdic.h
index d3b4e98b120..6d65afcf9e7 100644
--- a/lib/libcrypto/ebcdic.h
+++ b/lib/libcrypto/ebcdic.h
@@ -1,17 +1,19 @@
+/* crypto/ebcdic.h */
+
 #ifndef HEADER_EBCDIC_H
 #define HEADER_EBCDIC_H
 
 #include <sys/types.h>
 
 /* Avoid name clashes with other applications */
-#define os_toascii   _eay2000_os_toascii
-#define os_toebcdic  _eay2000_os_toebcdic
-#define ebcdic2ascii _eay2000_ebcdic2ascii
-#define ascii2ebcdic _eay2000_ascii2ebcdic
+#define os_toascii   _openssl_os_toascii
+#define os_toebcdic  _openssl_os_toebcdic
+#define ebcdic2ascii _openssl_ebcdic2ascii
+#define ascii2ebcdic _openssl_ascii2ebcdic
 
 extern const unsigned char os_toascii[256];
 extern const unsigned char os_toebcdic[256];
-void ebcdic2ascii(unsigned char *dest, const unsigned char *srce, size_t count);
-void ascii2ebcdic(unsigned char *dest, const unsigned char *srce, size_t count);
+void *ebcdic2ascii(void *dest, const void *srce, size_t count);
+void *ascii2ebcdic(void *dest, const void *srce, size_t count);
 
 #endif
diff --git a/lib/libcrypto/err/Makefile.ssl b/lib/libcrypto/err/Makefile.ssl
index ae827edddba..fb74e4eb13f 100644
--- a/lib/libcrypto/err/Makefile.ssl
+++ b/lib/libcrypto/err/Makefile.ssl
@@ -82,8 +82,8 @@ err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-err.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-err.o: ../cryptlib.h
+err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err.o: ../../include/openssl/stack.h ../cryptlib.h
 err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 err_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 err_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -96,15 +96,16 @@ err_all.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
 err_all.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
 err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 err_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
-err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-err_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-err_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-err_all.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-err_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+err_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+err_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+err_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+err_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+err_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+err_all.o: ../../include/openssl/x509v3.h
 err_prn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 err_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-err_prn.o: ../cryptlib.h
+err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err_prn.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/lib/libcrypto/err/err.c b/lib/libcrypto/err/err.c
index 8810d838c64..93c64cbc4f2 100644
--- a/lib/libcrypto/err/err.c
+++ b/lib/libcrypto/err/err.c
@@ -91,7 +91,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_PEM,0,0)		,"PEM routines"},
 {ERR_PACK(ERR_LIB_ASN1,0,0)		,"asn1 encoding routines"},
 {ERR_PACK(ERR_LIB_X509,0,0)		,"x509 certificate routines"},
-{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuation file routines"},
+{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuration file routines"},
 {ERR_PACK(ERR_LIB_METH,0,0)		,"X509 lookup 'method' routines"},
 {ERR_PACK(ERR_LIB_SSL,0,0)		,"SSL routines"},
 {ERR_PACK(ERR_LIB_RSAREF,0,0)		,"RSAref routines"},
@@ -100,6 +100,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_PKCS7,0,0)		,"PKCS7 routines"},
 {ERR_PACK(ERR_LIB_X509V3,0,0)		,"X509 V3 routines"},
 {ERR_PACK(ERR_LIB_PKCS12,0,0)		,"PKCS12 routines"},
+{ERR_PACK(ERR_LIB_RAND,0,0)		,"random number generator"},
 {0,NULL},
 	};
 
@@ -221,7 +222,7 @@ void ERR_load_strings(int lib, ERR_STRING_DATA *str)
 	while (str->error)
 		{
 		str->error|=ERR_PACK(lib,0,0);
-		lh_insert(error_hash,(char *)str);
+		lh_insert(error_hash,str);
 		str++;
 		}
 	CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
@@ -427,7 +428,7 @@ const char *ERR_lib_error_string(unsigned long e)
 	if (error_hash != NULL)
 		{
 		d.error=ERR_PACK(l,0,0);
-		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,(char *)&d);
+		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
 		}
 
 	CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH);
@@ -448,7 +449,7 @@ const char *ERR_func_error_string(unsigned long e)
 	if (error_hash != NULL)
 		{
 		d.error=ERR_PACK(l,f,0);
-		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,(char *)&d);
+		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
 		}
 
 	CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH);
@@ -469,12 +470,11 @@ const char *ERR_reason_error_string(unsigned long e)
 	if (error_hash != NULL)
 		{
 		d.error=ERR_PACK(l,0,r);
-		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,(char *)&d);
+		p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
 		if (p == NULL)
 			{
 			d.error=ERR_PACK(0,0,r);
-			p=(ERR_STRING_DATA *)lh_retrieve(error_hash,
-				(char *)&d);
+			p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
 			}
 		}
 
@@ -517,7 +517,7 @@ void ERR_remove_state(unsigned long pid)
 		pid=(unsigned long)CRYPTO_thread_id();
 	tmp.pid=pid;
 	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-	p=(ERR_STATE *)lh_delete(thread_hash,(char *)&tmp);
+	p=(ERR_STATE *)lh_delete(thread_hash,&tmp);
 	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 
 	if (p != NULL) ERR_STATE_free(p);
@@ -551,7 +551,7 @@ ERR_STATE *ERR_get_state(void)
 	else
 		{
 		tmp.pid=pid;
-		ret=(ERR_STATE *)lh_retrieve(thread_hash,(char *)&tmp);
+		ret=(ERR_STATE *)lh_retrieve(thread_hash,&tmp);
 		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
 		}
 
@@ -569,7 +569,7 @@ ERR_STATE *ERR_get_state(void)
 			ret->err_data_flags[i]=0;
 			}
 		CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-		tmpp=(ERR_STATE *)lh_insert(thread_hash,(char *)ret);
+		tmpp=(ERR_STATE *)lh_insert(thread_hash,ret);
 		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 		if (tmpp != NULL) /* old entry - should not happen */
 			{
diff --git a/lib/libcrypto/err/err.h b/lib/libcrypto/err/err.h
index 9411fb3568e..15bafbff437 100644
--- a/lib/libcrypto/err/err.h
+++ b/lib/libcrypto/err/err.h
@@ -122,6 +122,7 @@ typedef struct err_state_st
 #define ERR_LIB_PKCS7		33
 #define ERR_LIB_X509V3		34
 #define ERR_LIB_PKCS12		35
+#define ERR_LIB_RAND		36
 
 #define ERR_LIB_USER		128
 
@@ -149,6 +150,7 @@ typedef struct err_state_st
 #define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),ERR_file_name,__LINE__)
 #define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),ERR_file_name,__LINE__)
 #define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),ERR_file_name,__LINE__)
+#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),ERR_file_name,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
  * the pre-processor :-( */
@@ -160,7 +162,7 @@ typedef struct err_state_st
 #define ERR_GET_REASON(l)	(int)((l)&0xfffL)
 #define ERR_FATAL_ERROR(l)	(int)((l)&ERR_R_FATAL)
 
-/* OS fuctions */
+/* OS functions */
 #define SYS_F_FOPEN		1
 #define SYS_F_CONNECT		2
 #define SYS_F_GETSERVBYNAME	3
@@ -239,9 +241,9 @@ void ERR_print_errors(BIO *bp);
 void ERR_add_error_data(int num, ...);
 #endif
 void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
-void ERR_load_ERR_strings(void );
-void ERR_load_crypto_strings(void );
-void ERR_free_strings(void );
+void ERR_load_ERR_strings(void);
+void ERR_load_crypto_strings(void);
+void ERR_free_strings(void);
 
 void ERR_remove_state(unsigned long pid); /* if zero we look it up */
 ERR_STATE *ERR_get_state(void);
diff --git a/lib/libcrypto/err/err_all.c b/lib/libcrypto/err/err_all.c
index ad820227d24..10c463b389b 100644
--- a/lib/libcrypto/err/err_all.c
+++ b/lib/libcrypto/err/err_all.c
@@ -80,6 +80,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/conf.h>
 #include <openssl/pkcs12.h>
+#include <openssl/rand.h>
 #include <openssl/err.h>
 
 void ERR_load_crypto_strings(void)
@@ -116,5 +117,6 @@ void ERR_load_crypto_strings(void)
 	ERR_load_CRYPTO_strings();
 	ERR_load_PKCS7_strings();
 	ERR_load_PKCS12_strings();
+	ERR_load_RAND_strings();
 #endif
 	}
diff --git a/lib/libcrypto/err/openssl.ec b/lib/libcrypto/err/openssl.ec
index c2a8acff0c1..e132ba31821 100644
--- a/lib/libcrypto/err/openssl.ec
+++ b/lib/libcrypto/err/openssl.ec
@@ -21,6 +21,7 @@ L PKCS12	crypto/pkcs12/pkcs12.h		crypto/pkcs12/pk12err.c
 L RSAREF	rsaref/rsaref.h			rsaref/rsar_err.c
 L SSL		ssl/ssl.h			ssl/ssl_err.c
 L COMP		crypto/comp/comp.h		crypto/comp/comp_err.c
+L RAND		crypto/rand/rand.h		crypto/rand/rand_err.c
 
 
 F RSAREF_F_RSA_BN2BIN
@@ -47,11 +48,11 @@ R SSL_R_TLSV1_ALERT_UNKNOWN_CA			1048
 R SSL_R_TLSV1_ALERT_ACCESS_DENIED		1049
 R SSL_R_TLSV1_ALERT_DECODE_ERROR		1050
 R SSL_R_TLSV1_ALERT_DECRYPT_ERROR		1051
-R SSL_R_TLSV1_ALERT_EXPORT_RESTRICION		1060
+R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		1060
 R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		1070
 R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY	1071
 R SSL_R_TLSV1_ALERT_INTERNAL_ERROR		1080
-R SSL_R_TLSV1_ALERT_USER_CANCLED		1090
+R SSL_R_TLSV1_ALERT_USER_CANCELLED		1090
 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		1100
 
 R RSAREF_R_CONTENT_ENCODING			0x0400
diff --git a/lib/libcrypto/evp/Makefile.ssl b/lib/libcrypto/evp/Makefile.ssl
index 753479a015d..c763b5ccd66 100644
--- a/lib/libcrypto/evp/Makefile.ssl
+++ b/lib/libcrypto/evp/Makefile.ssl
@@ -35,7 +35,8 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c \
 	m_ripemd.c \
 	p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
 	bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
-	c_all.c evp_lib.c bio_ok.c evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
+	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
+	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
 
 LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o \
 	e_ecb_d.o e_cbc_d.o e_cfb_d.o e_ofb_d.o \
@@ -50,7 +51,8 @@ LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o \
 	m_ripemd.o \
 	p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
 	bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
-	c_all.o evp_lib.o bio_ok.o evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
+	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
+	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
 
 SRC= $(LIBSRC)
 
@@ -176,13 +178,45 @@ c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 c_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
 c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-c_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
 c_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 c_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-c_all.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-c_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+c_all.o: ../../include/openssl/stack.h ../cryptlib.h
+c_allc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_allc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_allc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_allc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_allc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_allc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_allc.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_allc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+c_allc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_allc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_allc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_allc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_allc.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+c_alld.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_alld.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+c_alld.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+c_alld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+c_alld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+c_alld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_alld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_alld.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+c_alld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
+c_alld.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+c_alld.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+c_alld.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+c_alld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_alld.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
diff --git a/lib/libcrypto/evp/bio_b64.c b/lib/libcrypto/evp/bio_b64.c
index 84729119df2..bd5e24f9939 100644
--- a/lib/libcrypto/evp/bio_b64.c
+++ b/lib/libcrypto/evp/bio_b64.c
@@ -69,6 +69,7 @@ static int b64_read(BIO *h,char *buf,int size);
 static long b64_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int b64_new(BIO *h);
 static int b64_free(BIO *data);
+static long b64_callback_ctrl(BIO *h,int cmd,void (*fp)());
 #define B64_BLOCK_SIZE	1024
 #define B64_BLOCK_SIZE2	768
 #define B64_NONE	0
@@ -100,6 +101,7 @@ static BIO_METHOD methods_b64=
 	b64_ctrl,
 	b64_new,
 	b64_free,
+	b64_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_base64(void)
@@ -237,8 +239,8 @@ static int b64_read(BIO *b, char *out, int outl)
 							&(ctx->tmp[0]));
 						for (x=0; x < i; x++)
 							ctx->tmp[x]=p[x];
-						EVP_DecodeInit(&ctx->base64);
 						}
+					EVP_DecodeInit(&ctx->base64);
 					ctx->start=0;
 					break;
 					}
@@ -522,3 +524,17 @@ again:
 	return(ret);
 	}
 
+static long b64_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
diff --git a/lib/libcrypto/evp/bio_enc.c b/lib/libcrypto/evp/bio_enc.c
index 0a7b1ecf07c..629bf4b95d9 100644
--- a/lib/libcrypto/evp/bio_enc.c
+++ b/lib/libcrypto/evp/bio_enc.c
@@ -69,6 +69,7 @@ static int enc_read(BIO *h,char *buf,int size);
 static long enc_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int enc_new(BIO *h);
 static int enc_free(BIO *data);
+static long enc_callback_ctrl(BIO *h,int cmd,void (*fp)());
 #define ENC_BLOCK_SIZE	(1024*4)
 
 typedef struct enc_struct
@@ -92,6 +93,7 @@ static BIO_METHOD methods_enc=
 	enc_ctrl,
 	enc_new,
 	enc_free,
+	enc_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_cipher(void)
@@ -184,9 +186,11 @@ static int enc_read(BIO *b, char *out, int outl)
 				ctx->ok=i;
 				ctx->buf_off=0;
 				}
-			else
+			else 
+				{
 				ret=(ret == 0)?i:ret;
-			break;
+				break;
+				}
 			}
 		else
 			{
@@ -194,13 +198,19 @@ static int enc_read(BIO *b, char *out, int outl)
 				(unsigned char *)ctx->buf,&ctx->buf_len,
 				(unsigned char *)&(ctx->buf[8]),i);
 			ctx->cont=1;
+			/* Note: it is possible for EVP_CipherUpdate to
+			 * decrypt zero bytes because this is or looks like
+			 * the final block: if this happens we should retry
+			 * and either read more data or decrypt the final
+			 * block
+			 */
+			if(ctx->buf_len == 0) continue;
 			}
 
 		if (ctx->buf_len <= outl)
 			i=ctx->buf_len;
 		else
 			i=outl;
-
 		if (i <= 0) break;
 		memcpy(out,ctx->buf,i);
 		ret+=i;
@@ -360,6 +370,20 @@ again:
 	return(ret);
 	}
 
+static long enc_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 /*
 void BIO_set_cipher_ctx(b,c)
 BIO *b;
diff --git a/lib/libcrypto/evp/bio_md.c b/lib/libcrypto/evp/bio_md.c
index 317167f9c46..aef928dd8fb 100644
--- a/lib/libcrypto/evp/bio_md.c
+++ b/lib/libcrypto/evp/bio_md.c
@@ -72,6 +72,8 @@ static int md_gets(BIO *h,char *str,int size);
 static long md_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int md_new(BIO *h);
 static int md_free(BIO *data);
+static long md_callback_ctrl(BIO *h,int cmd,void (*fp)());
+
 static BIO_METHOD methods_md=
 	{
 	BIO_TYPE_MD,"message digest",
@@ -82,6 +84,7 @@ static BIO_METHOD methods_md=
 	md_ctrl,
 	md_new,
 	md_free,
+	md_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_md(void)
@@ -220,6 +223,20 @@ static long md_ctrl(BIO *b, int cmd, long num, char *ptr)
 	return(ret);
 	}
 
+static long md_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 static int md_gets(BIO *bp, char *buf, int size)
 	{
 	EVP_MD_CTX *ctx;
diff --git a/lib/libcrypto/evp/bio_ok.c b/lib/libcrypto/evp/bio_ok.c
index 101275d6487..e6ff5f2cdb6 100644
--- a/lib/libcrypto/evp/bio_ok.c
+++ b/lib/libcrypto/evp/bio_ok.c
@@ -67,7 +67,7 @@
 	and everything was OK. BUT if user types wrong password 
 	BIO_f_cipher outputs only garbage and my function crashes. Yes
 	I can and I should fix my function, but BIO_f_cipher is 
-	easy way to add encryption support to many exisiting applications
+	easy way to add encryption support to many existing applications
 	and it's hard to debug and fix them all. 
 
 	So I wanted another BIO which would catch the incorrect passwords and
@@ -80,10 +80,10 @@
 	1) you must somehow separate checksum from actual data. 
 	2) you need lot's of memory when reading the file, because you 
 	must read to the end of the file and verify the checksum before
-	leting the application to read the data. 
+	letting the application to read the data. 
 	
 	BIO_f_reliable tries to solve both problems, so that you can 
-	read and write arbitraly long streams using only fixed amount
+	read and write arbitrary long streams using only fixed amount
 	of memory.
 
 	BIO_f_reliable splits data stream into blocks. Each block is prefixed
@@ -91,7 +91,7 @@
 	several Kbytes of memory to buffer single block before verifying 
 	it's digest. 
 
-	BIO_f_reliable goes futher and adds several important capabilities:
+	BIO_f_reliable goes further and adds several important capabilities:
 
 	1) the digest of the block is computed over the whole stream 
 	-- so nobody can rearrange the blocks or remove or replace them.
@@ -110,7 +110,7 @@
 	and then compare the digest output.
 
 	Bad things: BIO_f_reliable knows what's going on in EVP_Digest. I 
-	initialy wrote and tested this code on x86 machine and wrote the
+	initially wrote and tested this code on x86 machine and wrote the
 	digests out in machine-dependent order :( There are people using
 	this code and I cannot change this easily without making existing
 	data files unreadable.
@@ -130,6 +130,8 @@ static int ok_read(BIO *h,char *buf,int size);
 static long ok_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int ok_new(BIO *h);
 static int ok_free(BIO *data);
+static long ok_callback_ctrl(BIO *h,int cmd,void (*fp)());
+
 static void sig_out(BIO* b);
 static void sig_in(BIO* b);
 static void block_out(BIO* b);
@@ -173,6 +175,7 @@ static BIO_METHOD methods_ok=
 	ok_ctrl,
 	ok_new,
 	ok_free,
+	ok_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_reliable(void)
@@ -428,6 +431,20 @@ static long ok_ctrl(BIO *b, int cmd, long num, char *ptr)
 	return(ret);
 	}
 
+static long ok_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 static void longswap(void *_ptr, int len)
 {
 #ifndef L_ENDIAN
@@ -451,12 +468,12 @@ static void sig_out(BIO* b)
 	if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
 
 	EVP_DigestInit(md, md->digest);
-	RAND_bytes(&(md->md.base[0]), md->digest->md_size);
+	RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size);
 	memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
 	longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
 	ctx->buf_len+= md->digest->md_size;
 
-	EVP_DigestUpdate(md, (unsigned char*)WELLKNOWN, strlen(WELLKNOWN));
+	EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
 	md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
 	ctx->buf_len+= md->digest->md_size;
 	ctx->blockout= 1;
@@ -480,7 +497,7 @@ static void sig_in(BIO* b)
 	longswap(&(md->md.base[0]), md->digest->md_size);
 	ctx->buf_off+= md->digest->md_size;
 
-	EVP_DigestUpdate(md, (unsigned char*)WELLKNOWN, strlen(WELLKNOWN));
+	EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
 	md->digest->final(tmp, &(md->md.base[0]));
 	ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
 	ctx->buf_off+= md->digest->md_size;
diff --git a/lib/libcrypto/evp/c_all.c b/lib/libcrypto/evp/c_all.c
index a4d3b43fb9d..1e185830a35 100644
--- a/lib/libcrypto/evp/c_all.c
+++ b/lib/libcrypto/evp/c_all.c
@@ -59,135 +59,9 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
-#include <openssl/pkcs12.h>
-#include <openssl/objects.h>
 
-void SSLeay_add_all_algorithms(void)
-	{
-	SSLeay_add_all_ciphers();
-	SSLeay_add_all_digests();
-	}
-
-void SSLeay_add_all_ciphers(void)
-	{
-#ifndef NO_DES
-	EVP_add_cipher(EVP_des_cfb());
-	EVP_add_cipher(EVP_des_ede_cfb());
-	EVP_add_cipher(EVP_des_ede3_cfb());
-
-	EVP_add_cipher(EVP_des_ofb());
-	EVP_add_cipher(EVP_des_ede_ofb());
-	EVP_add_cipher(EVP_des_ede3_ofb());
-
-	EVP_add_cipher(EVP_desx_cbc());
-	EVP_add_cipher_alias(SN_desx_cbc,"DESX");
-	EVP_add_cipher_alias(SN_desx_cbc,"desx");
-
-	EVP_add_cipher(EVP_des_cbc());
-	EVP_add_cipher_alias(SN_des_cbc,"DES");
-	EVP_add_cipher_alias(SN_des_cbc,"des");
-	EVP_add_cipher(EVP_des_ede_cbc());
-	EVP_add_cipher(EVP_des_ede3_cbc());
-	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
-	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
-
-	EVP_add_cipher(EVP_des_ecb());
-	EVP_add_cipher(EVP_des_ede());
-	EVP_add_cipher(EVP_des_ede3());
-#endif
-
-#ifndef NO_RC4
-	EVP_add_cipher(EVP_rc4());
-	EVP_add_cipher(EVP_rc4_40());
-#endif
-
-#ifndef NO_IDEA
-	EVP_add_cipher(EVP_idea_ecb());
-	EVP_add_cipher(EVP_idea_cfb());
-	EVP_add_cipher(EVP_idea_ofb());
-	EVP_add_cipher(EVP_idea_cbc());
-	EVP_add_cipher_alias(SN_idea_cbc,"IDEA");
-	EVP_add_cipher_alias(SN_idea_cbc,"idea");
-#endif
-
-#ifndef NO_RC2
-	EVP_add_cipher(EVP_rc2_ecb());
-	EVP_add_cipher(EVP_rc2_cfb());
-	EVP_add_cipher(EVP_rc2_ofb());
-	EVP_add_cipher(EVP_rc2_cbc());
-	EVP_add_cipher(EVP_rc2_40_cbc());
-	EVP_add_cipher(EVP_rc2_64_cbc());
-	EVP_add_cipher_alias(SN_rc2_cbc,"RC2");
-	EVP_add_cipher_alias(SN_rc2_cbc,"rc2");
-#endif
-
-#ifndef NO_BF
-	EVP_add_cipher(EVP_bf_ecb());
-	EVP_add_cipher(EVP_bf_cfb());
-	EVP_add_cipher(EVP_bf_ofb());
-	EVP_add_cipher(EVP_bf_cbc());
-	EVP_add_cipher_alias(SN_bf_cbc,"BF");
-	EVP_add_cipher_alias(SN_bf_cbc,"bf");
-	EVP_add_cipher_alias(SN_bf_cbc,"blowfish");
-#endif
-
-#ifndef NO_CAST
-	EVP_add_cipher(EVP_cast5_ecb());
-	EVP_add_cipher(EVP_cast5_cfb());
-	EVP_add_cipher(EVP_cast5_ofb());
-	EVP_add_cipher(EVP_cast5_cbc());
-	EVP_add_cipher_alias(SN_cast5_cbc,"CAST");
-	EVP_add_cipher_alias(SN_cast5_cbc,"cast");
-	EVP_add_cipher_alias(SN_cast5_cbc,"CAST-cbc");
-	EVP_add_cipher_alias(SN_cast5_cbc,"cast-cbc");
-#endif
-
-#ifndef NO_RC5
-	EVP_add_cipher(EVP_rc5_32_12_16_ecb());
-	EVP_add_cipher(EVP_rc5_32_12_16_cfb());
-	EVP_add_cipher(EVP_rc5_32_12_16_ofb());
-	EVP_add_cipher(EVP_rc5_32_12_16_cbc());
-	EVP_add_cipher_alias(SN_rc5_cbc,"rc5");
-	EVP_add_cipher_alias(SN_rc5_cbc,"RC5");
-#endif
-	}
-
-
-void SSLeay_add_all_digests(void)
-	{
-#ifndef NO_MD2
-	EVP_add_digest(EVP_md2());
-#endif
-#ifndef NO_MD5
-	EVP_add_digest(EVP_md5());
-	EVP_add_digest_alias(SN_md5,"ssl2-md5");
-	EVP_add_digest_alias(SN_md5,"ssl3-md5");
-#endif
-#ifndef NO_SHA
-	EVP_add_digest(EVP_sha());
-#ifndef NO_DSA
-	EVP_add_digest(EVP_dss());
-#endif
-#endif
-#ifndef NO_SHA
-	EVP_add_digest(EVP_sha1());
-	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-#ifndef NO_DSA
-	EVP_add_digest(EVP_dss1());
-	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-#endif
-#endif
-#if !defined(NO_MDC2) && !defined(NO_DES)
-	EVP_add_digest(EVP_mdc2());
-#endif
-#ifndef NO_RIPEMD
-	EVP_add_digest(EVP_ripemd160());
-	EVP_add_digest_alias(SN_ripemd160,"ripemd");
-	EVP_add_digest_alias(SN_ripemd160,"rmd160");
-#endif
-	PKCS12_PBE_add();
-	PKCS5_PBE_add();
-	}
+void OpenSSL_add_all_algorithms(void)
+{
+	OpenSSL_add_all_ciphers();
+	OpenSSL_add_all_digests();
+}
diff --git a/lib/libcrypto/evp/e_cbc_3d.c b/lib/libcrypto/evp/e_cbc_3d.c
index 02ccc6dc907..5d16b865c58 100644
--- a/lib/libcrypto/evp/e_cbc_3d.c
+++ b/lib/libcrypto/evp/e_cbc_3d.c
@@ -115,8 +115,8 @@ static void des_cbc_ede_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
 		memcpy( (char *)ctx->c.des_ede.ks3,
 			(char *)ctx->c.des_ede.ks1,
 			sizeof(ctx->c.des_ede.ks1));
@@ -134,9 +134,9 @@ static void des_cbc_ede3_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
-		des_set_key(&deskey[2],ctx->c.des_ede.ks3);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
 		}
 	}
 
diff --git a/lib/libcrypto/evp/e_cbc_d.c b/lib/libcrypto/evp/e_cbc_d.c
index 9203f3f52d9..5b4e5b8601e 100644
--- a/lib/libcrypto/evp/e_cbc_d.c
+++ b/lib/libcrypto/evp/e_cbc_d.c
@@ -93,7 +93,7 @@ static void des_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 		memcpy(&(ctx->oiv[0]),iv,8);
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
-		des_set_key(deskey,ctx->c.des_ks);
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
 	}
 
 static void des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/lib/libcrypto/evp/e_cfb_3d.c b/lib/libcrypto/evp/e_cfb_3d.c
index bd32b072e2b..b364bd4e318 100644
--- a/lib/libcrypto/evp/e_cfb_3d.c
+++ b/lib/libcrypto/evp/e_cfb_3d.c
@@ -116,8 +116,8 @@ static void des_ede_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
 		memcpy( (char *)ctx->c.des_ede.ks3,
 			(char *)ctx->c.des_ede.ks1,
 			sizeof(ctx->c.des_ede.ks1));
@@ -136,9 +136,9 @@ static void des_ede3_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
-		des_set_key(&deskey[2],ctx->c.des_ede.ks3);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
 		}
 	}
 
diff --git a/lib/libcrypto/evp/e_cfb_d.c b/lib/libcrypto/evp/e_cfb_d.c
index 6bdf20b6460..9e1714bd15d 100644
--- a/lib/libcrypto/evp/e_cfb_d.c
+++ b/lib/libcrypto/evp/e_cfb_d.c
@@ -95,7 +95,7 @@ static void des_cfb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 		memcpy(&(ctx->oiv[0]),iv,8);
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
-		des_set_key(deskey,ctx->c.des_ks);
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
 	}
 
 static void des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/lib/libcrypto/evp/e_ecb_3d.c b/lib/libcrypto/evp/e_ecb_3d.c
index 354a8b79a79..806e971d369 100644
--- a/lib/libcrypto/evp/e_ecb_3d.c
+++ b/lib/libcrypto/evp/e_ecb_3d.c
@@ -110,8 +110,8 @@ static void des_ede_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
 		memcpy( (char *)ctx->c.des_ede.ks3,
 			(char *)ctx->c.des_ede.ks1,
 			sizeof(ctx->c.des_ede.ks1));
@@ -125,9 +125,9 @@ static void des_ede3_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
-		des_set_key(&deskey[2],ctx->c.des_ede.ks3);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
 		}
 	}
 
diff --git a/lib/libcrypto/evp/e_ecb_d.c b/lib/libcrypto/evp/e_ecb_d.c
index 5fb4e64b1ca..c11bef55efc 100644
--- a/lib/libcrypto/evp/e_ecb_d.c
+++ b/lib/libcrypto/evp/e_ecb_d.c
@@ -90,7 +90,7 @@ static void des_ecb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 	des_cblock *deskey = (des_cblock *)key;
 
 	if (deskey != NULL)
-		des_set_key(deskey,ctx->c.des_ks);
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
 	}
 
 static void des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/lib/libcrypto/evp/e_ofb_3d.c b/lib/libcrypto/evp/e_ofb_3d.c
index 5233567c0cc..d1a33e2ecd5 100644
--- a/lib/libcrypto/evp/e_ofb_3d.c
+++ b/lib/libcrypto/evp/e_ofb_3d.c
@@ -116,8 +116,8 @@ static void des_ede_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
 		memcpy( (char *)ctx->c.des_ede.ks3,
 			(char *)ctx->c.des_ede.ks1,
 			sizeof(ctx->c.des_ede.ks1));
@@ -136,9 +136,9 @@ static void des_ede3_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
 		{
-		des_set_key(&deskey[0],ctx->c.des_ede.ks1);
-		des_set_key(&deskey[1],ctx->c.des_ede.ks2);
-		des_set_key(&deskey[2],ctx->c.des_ede.ks3);
+		des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+		des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+		des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
 		}
 	}
 
diff --git a/lib/libcrypto/evp/e_ofb_d.c b/lib/libcrypto/evp/e_ofb_d.c
index 398b3a002ea..d51ce230f4d 100644
--- a/lib/libcrypto/evp/e_ofb_d.c
+++ b/lib/libcrypto/evp/e_ofb_d.c
@@ -95,7 +95,7 @@ static void des_ofb_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 		memcpy(&(ctx->oiv[0]),iv,8);
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
-		des_set_key(deskey,ctx->c.des_ks);
+		des_set_key_unchecked(deskey,ctx->c.des_ks);
 	}
 
 static void des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/lib/libcrypto/evp/e_xcbc_d.c b/lib/libcrypto/evp/e_xcbc_d.c
index 3a6628a75c9..7568fad4ff7 100644
--- a/lib/libcrypto/evp/e_xcbc_d.c
+++ b/lib/libcrypto/evp/e_xcbc_d.c
@@ -94,7 +94,7 @@ static void desx_cbc_init_key(EVP_CIPHER_CTX *ctx, unsigned char *key,
 	memcpy(&(ctx->iv[0]),&(ctx->oiv[0]),8);
 	if (deskey != NULL)
 		{
-		des_set_key(deskey,ctx->c.desx_cbc.ks);
+		des_set_key_unchecked(deskey,ctx->c.desx_cbc.ks);
 		memcpy(&(ctx->c.desx_cbc.inw[0]),&(key[8]),8);
 		memcpy(&(ctx->c.desx_cbc.outw[0]),&(key[16]),8);
 		}
diff --git a/lib/libcrypto/evp/encode.c b/lib/libcrypto/evp/encode.c
index 0152624a769..14a4cb11f6c 100644
--- a/lib/libcrypto/evp/encode.c
+++ b/lib/libcrypto/evp/encode.c
@@ -185,7 +185,7 @@ void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl)
 	*outl=ret;
 	}
 
-int EVP_EncodeBlock(unsigned char *t, unsigned char *f, int dlen)
+int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen)
 	{
 	int i,ret=0;
 	unsigned long l;
@@ -337,7 +337,7 @@ end:
 	return(rv);
 	}
 
-int EVP_DecodeBlock(unsigned char *t, unsigned char *f, int n)
+int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n)
 	{
 	int i,ret=0,a,b,c,d;
 	unsigned long l;
diff --git a/lib/libcrypto/evp/evp.h b/lib/libcrypto/evp/evp.h
index 570fe27d39b..54215b09056 100644
--- a/lib/libcrypto/evp/evp.h
+++ b/lib/libcrypto/evp/evp.h
@@ -149,7 +149,7 @@ extern "C" {
 
 /* Type needs to be a bit field
  * Sub-type needs to be for variations on the method, as in, can it do
- * arbitary encryption.... */
+ * arbitrary encryption.... */
 typedef struct evp_pkey_st
 	{
 	int type;
@@ -343,7 +343,7 @@ typedef struct evp_cipher_ctx_st
 	unsigned char buf[EVP_MAX_IV_LENGTH];	/* saved partial block */
 	int num;				/* used by cfb/ofb mode */
 
-	char *app_data;		/* aplication stuff */
+	char *app_data;		/* application stuff */
 	union	{
 #ifndef NO_RC4
 		struct
@@ -421,9 +421,10 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_MD_size(e)			((e)->md_size)
 #define EVP_MD_block_size(e)		((e)->block_size)
 
+#define EVP_MD_CTX_md(e)		((e)->digest)
 #define EVP_MD_CTX_size(e)		EVP_MD_size((e)->digest)
 #define EVP_MD_CTX_block_size(e)	EVP_MD_block_size((e)->digest)
-#define EVP_MD_CTX_type(e)		((e)->digest)
+#define EVP_MD_CTX_type(e)		EVP_MD_type((e)->digest)
 
 #define EVP_CIPHER_nid(e)		((e)->nid)
 #define EVP_CIPHER_block_size(e)	((e)->block_size)
@@ -521,15 +522,14 @@ void	EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
 void	EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,
 		int *outl,unsigned char *in,int inl);
 void	EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl);
-int	EVP_EncodeBlock(unsigned char *t, unsigned char *f, int n);
+int	EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n);
 
 void	EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
 int	EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
 		unsigned char *in, int inl);
 int	EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
 		char *out, int *outl);
-int	EVP_DecodeBlock(unsigned char *t, unsigned
-		char *f, int n);
+int	EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
 
 void	ERR_load_EVP_strings(void );
 
@@ -594,9 +594,12 @@ EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
 EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
 EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
 
-void SSLeay_add_all_algorithms(void);
-void SSLeay_add_all_ciphers(void);
-void SSLeay_add_all_digests(void);
+void OpenSSL_add_all_algorithms(void);
+void OpenSSL_add_all_ciphers(void);
+void OpenSSL_add_all_digests(void);
+#define SSLeay_add_all_algorithms() OpenSSL_add_all_algorithms()
+#define SSLeay_add_all_ciphers() OpenSSL_add_all_ciphers()
+#define SSLeay_add_all_digests() OpenSSL_add_all_digests()
 
 int EVP_add_cipher(EVP_CIPHER *cipher);
 int EVP_add_digest(EVP_MD *digest);
@@ -613,6 +616,18 @@ int		EVP_PKEY_type(int type);
 int		EVP_PKEY_bits(EVP_PKEY *pkey);
 int		EVP_PKEY_size(EVP_PKEY *pkey);
 int 		EVP_PKEY_assign(EVP_PKEY *pkey,int type,char *key);
+#ifndef NO_RSA
+int 		EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key);
+RSA *		EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
+#endif
+#ifndef NO_DSA
+int 		EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key);
+DSA *		EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
+#endif
+#ifndef NO_DH
+int 		EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key);
+DH *		EVP_PKEY_get1_DH(EVP_PKEY *pkey);
+#endif
 EVP_PKEY *	EVP_PKEY_new(void);
 void		EVP_PKEY_free(EVP_PKEY *pkey);
 EVP_PKEY *	d2i_PublicKey(int type,EVP_PKEY **a, unsigned char **pp,
@@ -621,6 +636,8 @@ int		i2d_PublicKey(EVP_PKEY *a, unsigned char **pp);
 
 EVP_PKEY *	d2i_PrivateKey(int type,EVP_PKEY **a, unsigned char **pp,
 			long length);
+EVP_PKEY *	d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
+			long length);
 int		i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp);
 
 int EVP_PKEY_copy_parameters(EVP_PKEY *to,EVP_PKEY *from);
@@ -677,6 +694,9 @@ void EVP_PBE_cleanup(void);
 #define EVP_F_EVP_PKEY_COPY_PARAMETERS			 103
 #define EVP_F_EVP_PKEY_DECRYPT				 104
 #define EVP_F_EVP_PKEY_ENCRYPT				 105
+#define EVP_F_EVP_PKEY_GET1_DH				 119
+#define EVP_F_EVP_PKEY_GET1_DSA				 120
+#define EVP_F_EVP_PKEY_GET1_RSA				 121
 #define EVP_F_EVP_PKEY_NEW				 106
 #define EVP_F_EVP_SIGNFINAL				 107
 #define EVP_F_EVP_VERIFYFINAL				 108
@@ -693,10 +713,13 @@ void EVP_PBE_cleanup(void);
 #define EVP_R_DIFFERENT_KEY_TYPES			 101
 #define EVP_R_ENCODE_ERROR				 115
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
+#define EVP_R_EXPECTING_AN_RSA_KEY			 127
+#define EVP_R_EXPECTING_A_DH_KEY			 128
+#define EVP_R_EXPECTING_A_DSA_KEY			 129
 #define EVP_R_INPUT_NOT_INITIALIZED			 111
 #define EVP_R_IV_TOO_LARGE				 102
 #define EVP_R_KEYGEN_FAILURE				 120
-#define EVP_R_MISSING_PARMATERS				 103
+#define EVP_R_MISSING_PARAMETERS			 103
 #define EVP_R_NO_DSA_PARAMETERS				 116
 #define EVP_R_NO_SIGN_FUNCTION_CONFIGURED		 104
 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED		 105
diff --git a/lib/libcrypto/evp/evp_err.c b/lib/libcrypto/evp/evp_err.c
index c61cc922e83..97953a0fc18 100644
--- a/lib/libcrypto/evp/evp_err.c
+++ b/lib/libcrypto/evp/evp_err.c
@@ -77,6 +77,9 @@ static ERR_STRING_DATA EVP_str_functs[]=
 {ERR_PACK(0,EVP_F_EVP_PKEY_COPY_PARAMETERS,0),	"EVP_PKEY_copy_parameters"},
 {ERR_PACK(0,EVP_F_EVP_PKEY_DECRYPT,0),	"EVP_PKEY_decrypt"},
 {ERR_PACK(0,EVP_F_EVP_PKEY_ENCRYPT,0),	"EVP_PKEY_encrypt"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DH,0),	"EVP_PKEY_get1_DH"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0),	"EVP_PKEY_get1_DSA"},
+{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0),	"EVP_PKEY_get1_RSA"},
 {ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0),	"EVP_PKEY_new"},
 {ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0),	"EVP_SignFinal"},
 {ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0),	"EVP_VerifyFinal"},
@@ -96,10 +99,13 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
 {EVP_R_ENCODE_ERROR                      ,"encode error"},
 {EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
+{EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
+{EVP_R_EXPECTING_A_DH_KEY                ,"expecting a dh key"},
+{EVP_R_EXPECTING_A_DSA_KEY               ,"expecting a dsa key"},
 {EVP_R_INPUT_NOT_INITIALIZED             ,"input not initialized"},
 {EVP_R_IV_TOO_LARGE                      ,"iv too large"},
 {EVP_R_KEYGEN_FAILURE                    ,"keygen failure"},
-{EVP_R_MISSING_PARMATERS                 ,"missing parmaters"},
+{EVP_R_MISSING_PARAMETERS                ,"missing parameters"},
 {EVP_R_NO_DSA_PARAMETERS                 ,"no dsa parameters"},
 {EVP_R_NO_SIGN_FUNCTION_CONFIGURED       ,"no sign function configured"},
 {EVP_R_NO_VERIFY_FUNCTION_CONFIGURED     ,"no verify function configured"},
diff --git a/lib/libcrypto/evp/evp_key.c b/lib/libcrypto/evp/evp_key.c
index 21eda418bc9..667c21cca8d 100644
--- a/lib/libcrypto/evp/evp_key.c
+++ b/lib/libcrypto/evp/evp_key.c
@@ -81,15 +81,18 @@ char *EVP_get_pw_prompt(void)
 		return(prompt_string);
 	}
 
-#ifdef NO_DES
-int des_read_pw_string(char *buf,int len,const char *prompt,int verify);
-#endif
-
+/* For historical reasons, the standard function for reading passwords is
+ * in the DES library -- if someone ever wants to disable DES,
+ * this function will fail */
 int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
 	{
+#ifndef NO_DES
 	if ((prompt == NULL) && (prompt_string[0] != '\0'))
 		prompt=prompt_string;
 	return(des_read_pw_string(buf,len,prompt,verify));
+#else
+	return -1;
+#endif
 	}
 
 int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, unsigned char *salt,
diff --git a/lib/libcrypto/evp/evp_lib.c b/lib/libcrypto/evp/evp_lib.c
index 3f9bf55828a..a431945ef5c 100644
--- a/lib/libcrypto/evp/evp_lib.c
+++ b/lib/libcrypto/evp/evp_lib.c
@@ -115,6 +115,7 @@ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 int EVP_CIPHER_type(const EVP_CIPHER *ctx)
 {
 	int nid;
+	ASN1_OBJECT *otmp;
 	nid = EVP_CIPHER_nid(ctx);
 
 	switch(nid) {
@@ -131,7 +132,10 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
 		return NID_rc4;
 
 		default:
-
+		/* Check it has an OID and it is valid */
+		otmp = OBJ_nid2obj(nid);
+		if(!otmp || !otmp->data) nid = NID_undef;
+		ASN1_OBJECT_free(otmp);
 		return nid;
 	}
 }
diff --git a/lib/libcrypto/evp/evp_pkey.c b/lib/libcrypto/evp/evp_pkey.c
index 421e452db11..d5e6f5880ff 100644
--- a/lib/libcrypto/evp/evp_pkey.c
+++ b/lib/libcrypto/evp/evp_pkey.c
@@ -62,19 +62,22 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 
+static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8inf, EVP_PKEY *pkey);
+
 /* Extract a private key from a PKCS8 structure */
 
 EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 {
-	EVP_PKEY *pkey;
+	EVP_PKEY *pkey = NULL;
 #ifndef NO_RSA
-	RSA *rsa;
+	RSA *rsa = NULL;
 #endif
 #ifndef NO_DSA
-	DSA *dsa;
-	ASN1_INTEGER *dsapriv;
-	STACK *ndsa;
-	BN_CTX *ctx;
+	DSA *dsa = NULL;
+	ASN1_INTEGER *privkey;
+	ASN1_TYPE *t1, *t2, *param = NULL;
+	STACK *ndsa = NULL;
+	BN_CTX *ctx = NULL;
 	int plen;
 #endif
 	X509_ALGOR *a;
@@ -82,21 +85,14 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 	int pkeylen;
 	char obj_tmp[80];
 
-	switch (p8->broken) {
-		case PKCS8_OK:
+	if(p8->pkey->type == V_ASN1_OCTET_STRING) {
+		p8->broken = PKCS8_OK;
 		p = p8->pkey->value.octet_string->data;
 		pkeylen = p8->pkey->value.octet_string->length;
-		break;
-
-		case PKCS8_NO_OCTET:
+	} else {
+		p8->broken = PKCS8_NO_OCTET;
 		p = p8->pkey->value.sequence->data;
 		pkeylen = p8->pkey->value.sequence->length;
-		break;
-
-		default:
-		EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
-		return NULL;
-		break;
 	}
 	if (!(pkey = EVP_PKEY_new())) {
 		EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
@@ -121,65 +117,83 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 		 * be recalculated.
 		 */
 	
-		/* Check for broken Netscape Database DSA PKCS#8, UGH! */
+		/* Check for broken DSA PKCS#8, UGH! */
 		if(*p == (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
 		    if(!(ndsa = ASN1_seq_unpack(p, pkeylen, 
-					(char *(*)())d2i_ASN1_INTEGER,
-							 ASN1_STRING_free))) {
+					(char *(*)())d2i_ASN1_TYPE,
+							 ASN1_TYPE_free))) {
 			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
-			return NULL;
+			goto dsaerr;
 		    }
 		    if(sk_num(ndsa) != 2 ) {
 			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
-			sk_pop_free(ndsa, ASN1_STRING_free);
-			return NULL;
+			goto dsaerr;
 		    }
-		    dsapriv = (ASN1_INTEGER *) sk_pop(ndsa);
-		    sk_pop_free(ndsa, ASN1_STRING_free);
-		} else if (!(dsapriv=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
+		    /* Handle Two broken types:
+		     * SEQUENCE {parameters, priv_key}
+		     * SEQUENCE {pub_key, priv_key}
+		     */
+                     
+		    t1 = (ASN1_TYPE *)sk_value(ndsa, 0);
+		    t2 = (ASN1_TYPE *)sk_value(ndsa, 1);
+		    if(t1->type == V_ASN1_SEQUENCE) {
+			p8->broken = PKCS8_EMBEDDED_PARAM;
+			param = t1;
+		    } else if(a->parameter->type == V_ASN1_SEQUENCE) {
+			p8->broken = PKCS8_NS_DB;
+			param = a->parameter;
+		    } else {
 			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
-			return NULL;
-		}
-		/* Retrieve parameters */
-		if (a->parameter->type != V_ASN1_SEQUENCE) {
-			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_NO_DSA_PARAMETERS);
-			return NULL;
+			goto dsaerr;
+		    }
+
+		    if(t2->type != V_ASN1_INTEGER) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
+		    }
+		    privkey = t2->value.integer;
+		} else if (!(privkey=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
+			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+			goto dsaerr;
 		}
-		p = a->parameter->value.sequence->data;
-		plen = a->parameter->value.sequence->length;
+		p = param->value.sequence->data;
+		plen = param->value.sequence->length;
 		if (!(dsa = d2i_DSAparams (NULL, &p, plen))) {
 			EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
-			return NULL;
+			goto dsaerr;
 		}
 		/* We have parameters now set private key */
-		if (!(dsa->priv_key = ASN1_INTEGER_to_BN(dsapriv, NULL))) {
+		if (!(dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) {
 			EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_DECODE_ERROR);
-			DSA_free (dsa);
-			return NULL;
+			goto dsaerr;
 		}
 		/* Calculate public key (ouch!) */
 		if (!(dsa->pub_key = BN_new())) {
 			EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
-			DSA_free (dsa);
-			return NULL;
+			goto dsaerr;
 		}
 		if (!(ctx = BN_CTX_new())) {
 			EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
-			DSA_free (dsa);
-			return NULL;
+			goto dsaerr;
 		}
 			
 		if (!BN_mod_exp(dsa->pub_key, dsa->g,
 						 dsa->priv_key, dsa->p, ctx)) {
 			
 			EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_PUBKEY_ERROR);
-			BN_CTX_free (ctx);
-			DSA_free (dsa);
-			return NULL;
+			goto dsaerr;
 		}
 
-		EVP_PKEY_assign_DSA (pkey, dsa);
+		EVP_PKEY_assign_DSA(pkey, dsa);
 		BN_CTX_free (ctx);
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		break;
+		dsaerr:
+		BN_CTX_free (ctx);
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		DSA_free(dsa);
+		EVP_PKEY_free(pkey);
+		return NULL;
 		break;
 #endif
 		default:
@@ -193,30 +207,35 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 	return pkey;
 }
 
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+{
+	return EVP_PKEY2PKCS8_broken(pkey, PKCS8_OK);
+}
+
 /* Turn a private key into a PKCS8 structure */
 
-PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
 {
 	PKCS8_PRIV_KEY_INFO *p8;
-#ifndef NO_DSA
-	ASN1_INTEGER *dpkey;
-	unsigned char *p, *q;
-	int len;
-#endif
+
 	if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) {	
 		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
+	p8->broken = broken;
 	ASN1_INTEGER_set (p8->version, 0);
 	if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
 		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
 		PKCS8_PRIV_KEY_INFO_free (p8);
 		return NULL;
 	}
+	p8->pkey->type = V_ASN1_OCTET_STRING;
 	switch (EVP_PKEY_type(pkey->type)) {
 #ifndef NO_RSA
 		case EVP_PKEY_RSA:
 
+		if(p8->broken == PKCS8_NO_OCTET) p8->pkey->type = V_ASN1_SEQUENCE;
+
 		p8->pkeyalg->algorithm = OBJ_nid2obj(NID_rsaEncryption);
 		p8->pkeyalg->parameter->type = V_ASN1_NULL;
 		if (!ASN1_pack_string ((char *)pkey, i2d_PrivateKey,
@@ -229,36 +248,11 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
 #endif
 #ifndef NO_DSA
 		case EVP_PKEY_DSA:
-		p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
-
-		/* get paramaters and place in AlgorithmIdentifier */
-		len = i2d_DSAparams (pkey->pkey.dsa, NULL);
-		if (!(p = Malloc(len))) {
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		if(!dsa_pkey2pkcs8(p8, pkey)) {
 			PKCS8_PRIV_KEY_INFO_free (p8);
 			return NULL;
 		}
-		q = p;
-		i2d_DSAparams (pkey->pkey.dsa, &q);
-		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
-		p8->pkeyalg->parameter->value.sequence = ASN1_STRING_new();
-		ASN1_STRING_set(p8->pkeyalg->parameter->value.sequence, p, len);
-		Free(p);
-		/* Get private key into an integer and pack */
-		if (!(dpkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-			PKCS8_PRIV_KEY_INFO_free (p8);
-			return NULL;
-		}
-		
-		if (!ASN1_pack_string((char *)dpkey, i2d_ASN1_INTEGER,
-					 &p8->pkey->value.octet_string)) {
-			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-			ASN1_INTEGER_free (dpkey);
-			PKCS8_PRIV_KEY_INFO_free (p8);
-			return NULL;
-		}
-		ASN1_INTEGER_free (dpkey);
+
 		break;
 #endif
 		default:
@@ -266,9 +260,8 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
 		PKCS8_PRIV_KEY_INFO_free (p8);
 		return NULL;
 	}
-	p8->pkey->type = V_ASN1_OCTET_STRING;
-	RAND_seed (p8->pkey->value.octet_string->data,
-					 p8->pkey->value.octet_string->length);
+	RAND_add(p8->pkey->value.octet_string->data,
+		 p8->pkey->value.octet_string->length, 0);
 	return p8;
 }
 
@@ -295,4 +288,112 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
 	}
 }
 
+#ifndef NO_DSA
+static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
+{
+	ASN1_STRING *params;
+	ASN1_INTEGER *prkey;
+	ASN1_TYPE *ttmp;
+	STACK *ndsa;
+	unsigned char *p, *q;
+	int len;
+	p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
+	len = i2d_DSAparams (pkey->pkey.dsa, NULL);
+	if (!(p = Malloc(len))) {
+		EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+		PKCS8_PRIV_KEY_INFO_free (p8);
+		return 0;
+	}
+	q = p;
+	i2d_DSAparams (pkey->pkey.dsa, &q);
+	params = ASN1_STRING_new();
+	ASN1_STRING_set(params, p, len);
+	Free(p);
+	/* Get private key into integer */
+	if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
+		EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+		return 0;
+	}
+
+	switch(p8->broken) {
 
+		case PKCS8_OK:
+		case PKCS8_NO_OCTET:
+
+		if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
+					 &p8->pkey->value.octet_string)) {
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			M_ASN1_INTEGER_free (prkey);
+			return 0;
+		}
+
+		M_ASN1_INTEGER_free (prkey);
+		p8->pkeyalg->parameter->value.sequence = params;
+		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+
+		break;
+
+		case PKCS8_NS_DB:
+
+		p8->pkeyalg->parameter->value.sequence = params;
+		p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+		ndsa = sk_new_null();
+		ttmp = ASN1_TYPE_new();
+		if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) {
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+			PKCS8_PRIV_KEY_INFO_free(p8);
+			return 0;
+		}
+		ttmp->type = V_ASN1_INTEGER;
+		sk_push(ndsa, (char *)ttmp);
+
+		ttmp = ASN1_TYPE_new();
+		ttmp->value.integer = prkey;
+		ttmp->type = V_ASN1_INTEGER;
+		sk_push(ndsa, (char *)ttmp);
+
+		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+
+		if (!ASN1_seq_pack(ndsa, i2d_ASN1_TYPE,
+					 &p8->pkey->value.octet_string->data,
+					 &p8->pkey->value.octet_string->length)) {
+
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			sk_pop_free(ndsa, ASN1_TYPE_free);
+			M_ASN1_INTEGER_free(prkey);
+			return 0;
+		}
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		break;
+
+		case PKCS8_EMBEDDED_PARAM:
+
+		p8->pkeyalg->parameter->type = V_ASN1_NULL;
+		ndsa = sk_new_null();
+		ttmp = ASN1_TYPE_new();
+		ttmp->value.sequence = params;
+		ttmp->type = V_ASN1_SEQUENCE;
+		sk_push(ndsa, (char *)ttmp);
+
+		ttmp = ASN1_TYPE_new();
+		ttmp->value.integer = prkey;
+		ttmp->type = V_ASN1_INTEGER;
+		sk_push(ndsa, (char *)ttmp);
+
+		p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+
+		if (!ASN1_seq_pack(ndsa, i2d_ASN1_TYPE,
+					 &p8->pkey->value.octet_string->data,
+					 &p8->pkey->value.octet_string->length)) {
+
+			EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+			sk_pop_free(ndsa, ASN1_TYPE_free);
+			M_ASN1_INTEGER_free (prkey);
+			return 0;
+		}
+		sk_pop_free(ndsa, ASN1_TYPE_free);
+		break;
+	}
+	return 1;
+}
+#endif
diff --git a/lib/libcrypto/evp/p_lib.c b/lib/libcrypto/evp/p_lib.c
index 3422b77de6e..4cb387f8de1 100644
--- a/lib/libcrypto/evp/p_lib.c
+++ b/lib/libcrypto/evp/p_lib.c
@@ -119,7 +119,7 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, EVP_PKEY *from)
 
 	if (EVP_PKEY_missing_parameters(from))
 		{
-		EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS,EVP_R_MISSING_PARMATERS);
+		EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS,EVP_R_MISSING_PARAMETERS);
 		goto err;
 		}
 #ifndef NO_DSA
@@ -202,8 +202,66 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key)
 	pkey->type=EVP_PKEY_type(type);
 	pkey->save_type=type;
 	pkey->pkey.ptr=key;
-	return(1);
+	return(key != NULL);
+	}
+
+#ifndef NO_RSA
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
+{
+	int ret = EVP_PKEY_assign_RSA(pkey, key);
+	if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_RSA);
+	return ret;
+}
+
+RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+	{
+	if(pkey->type != EVP_PKEY_RSA) {
+		EVPerr(EVP_F_EVP_PKEY_GET1_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
+		return NULL;
+	}
+	CRYPTO_add(&pkey->pkey.rsa->references, 1, CRYPTO_LOCK_RSA);
+	return pkey->pkey.rsa;
+}
+#endif
+
+#ifndef NO_DSA
+int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
+{
+	int ret = EVP_PKEY_assign_DSA(pkey, key);
+	if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_DSA);
+	return ret;
+}
+
+DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
+	{
+	if(pkey->type != EVP_PKEY_DSA) {
+		EVPerr(EVP_F_EVP_PKEY_GET1_DSA, EVP_R_EXPECTING_A_DSA_KEY);
+		return NULL;
+	}
+	CRYPTO_add(&pkey->pkey.dsa->references, 1, CRYPTO_LOCK_DSA);
+	return pkey->pkey.dsa;
+}
+#endif
+
+#ifndef NO_DH
+
+int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
+{
+	int ret = EVP_PKEY_assign_DH(pkey, key);
+	if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_DH);
+	return ret;
+}
+
+DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
+	{
+	if(pkey->type != EVP_PKEY_DH) {
+		EVPerr(EVP_F_EVP_PKEY_GET1_DH, EVP_R_EXPECTING_A_DH_KEY);
+		return NULL;
 	}
+	CRYPTO_add(&pkey->pkey.dh->references, 1, CRYPTO_LOCK_DH);
+	return pkey->pkey.dh;
+}
+#endif
 
 int EVP_PKEY_type(int type)
 	{
@@ -244,7 +302,7 @@ void EVP_PKEY_free(EVP_PKEY *x)
 		}
 #endif
 	EVP_PKEY_free_it(x);
-	Free((char *)x);
+	Free(x);
 	}
 
 static void EVP_PKEY_free_it(EVP_PKEY *x)
diff --git a/lib/libcrypto/evp/p_open.c b/lib/libcrypto/evp/p_open.c
index ddb9fd6942d..b9ca7892c2e 100644
--- a/lib/libcrypto/evp/p_open.c
+++ b/lib/libcrypto/evp/p_open.c
@@ -110,4 +110,10 @@ int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	EVP_DecryptInit(ctx,NULL,NULL,NULL);
 	return(i);
 	}
+#else /* !NO_RSA */
+
+# ifdef PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/lib/libcrypto/evp/p_seal.c b/lib/libcrypto/evp/p_seal.c
index 09b46f4b0e1..d449e892bf7 100644
--- a/lib/libcrypto/evp/p_seal.c
+++ b/lib/libcrypto/evp/p_seal.c
@@ -73,9 +73,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
 	int i;
 	
 	if (npubk <= 0) return(0);
-	RAND_bytes(key,EVP_MAX_KEY_LENGTH);
+	if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
+		return(0);
 	if (type->iv_len > 0)
-		RAND_bytes(iv,type->iv_len);
+		RAND_pseudo_bytes(iv,type->iv_len);
 
 	EVP_CIPHER_CTX_init(ctx);
 	EVP_EncryptInit(ctx,type,key,iv);
diff --git a/lib/libcrypto/ex_data.c b/lib/libcrypto/ex_data.c
index 176574766b8..a057dd3b686 100644
--- a/lib/libcrypto/ex_data.c
+++ b/lib/libcrypto/ex_data.c
@@ -63,15 +63,15 @@
 #include <openssl/lhash.h>
 #include "cryptlib.h"
 
-int CRYPTO_get_ex_new_index(int idx, STACK **skp, long argl, char *argp,
-	     int (*new_func)(), int (*dup_func)(), void (*free_func)())
+int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
+	     CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 	{
 	int ret= -1;
 	CRYPTO_EX_DATA_FUNCS *a;
 
 	MemCheck_off();
 	if (*skp == NULL)
-		*skp=sk_new_null();
+		*skp=sk_CRYPTO_EX_DATA_FUNCS_new_null();
 	if (*skp == NULL)
 		{
 		CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
@@ -88,23 +88,23 @@ int CRYPTO_get_ex_new_index(int idx, STACK **skp, long argl, char *argp,
 	a->new_func=new_func;
 	a->dup_func=dup_func;
 	a->free_func=free_func;
-	while (sk_num(*skp) <= idx)
+	while (sk_CRYPTO_EX_DATA_FUNCS_num(*skp) <= idx)
 		{
-		if (!sk_push(*skp,NULL))
+		if (!sk_CRYPTO_EX_DATA_FUNCS_push(*skp,NULL))
 			{
 			CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
 			Free(a);
 			goto err;
 			}
 		}
-	sk_set(*skp,idx, (char *)a);
+	sk_CRYPTO_EX_DATA_FUNCS_set(*skp,idx, a);
 	ret=idx;
 err:
 	MemCheck_on();
 	return(idx);
 	}
 
-int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, char *val)
+int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
 	{
 	int i;
 
@@ -131,7 +131,7 @@ int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, char *val)
 	return(1);
 	}
 
-char *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad, int idx)
+void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad, int idx)
 	{
 	if (ad->sk == NULL)
 		return(0);
@@ -145,7 +145,7 @@ char *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad, int idx)
  * being duplicated, a pointer to the
  * 'new' object to be inserted, the index, and the argi/argp
  */
-int CRYPTO_dup_ex_data(STACK *meth, CRYPTO_EX_DATA *to,
+int CRYPTO_dup_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, CRYPTO_EX_DATA *to,
 	     CRYPTO_EX_DATA *from)
 	{
 	int i,j,m,r;
@@ -154,14 +154,14 @@ int CRYPTO_dup_ex_data(STACK *meth, CRYPTO_EX_DATA *to,
 
 	if (meth == NULL) return(1);
 	if (from->sk == NULL) return(1);
-	m=sk_num(meth);
+	m=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
 	j=sk_num(from->sk);
 	for (i=0; i<j; i++)
 		{
 		from_d=CRYPTO_get_ex_data(from,i);
 		if (i < m)
 			{
-			mm=(CRYPTO_EX_DATA_FUNCS *)sk_value(meth,i);
+			mm=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
 			if (mm->dup_func != NULL)
 				r=mm->dup_func(to,from,(char **)&from_d,i,
 					mm->argl,mm->argp);
@@ -172,18 +172,18 @@ int CRYPTO_dup_ex_data(STACK *meth, CRYPTO_EX_DATA *to,
 	}
 
 /* Call each free callback */
-void CRYPTO_free_ex_data(STACK *meth, char *obj, CRYPTO_EX_DATA *ad)
+void CRYPTO_free_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad)
 	{
 	CRYPTO_EX_DATA_FUNCS *m;
-	char *ptr;
+	void *ptr;
 	int i,max;
 
 	if (meth != NULL)
 		{
-		max=sk_num(meth);
+		max=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
 		for (i=0; i<max; i++)
 			{
-			m=(CRYPTO_EX_DATA_FUNCS *)sk_value(meth,i);
+			m=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
 			if ((m != NULL) && (m->free_func != NULL))
 				{
 				ptr=CRYPTO_get_ex_data(ad,i);
@@ -198,19 +198,19 @@ void CRYPTO_free_ex_data(STACK *meth, char *obj, CRYPTO_EX_DATA *ad)
 		}
 	}
 
-void CRYPTO_new_ex_data(STACK *meth, char *obj, CRYPTO_EX_DATA *ad)
+void CRYPTO_new_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad)
 	{
 	CRYPTO_EX_DATA_FUNCS *m;
-	char *ptr;
+	void *ptr;
 	int i,max;
 
 	ad->sk=NULL;
 	if (meth != NULL)
 		{
-		max=sk_num(meth);
+		max=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
 		for (i=0; i<max; i++)
 			{
-			m=(CRYPTO_EX_DATA_FUNCS *)sk_value(meth,i);
+			m=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
 			if ((m != NULL) && (m->new_func != NULL))
 				{
 				ptr=CRYPTO_get_ex_data(ad,i);
@@ -220,4 +220,4 @@ void CRYPTO_new_ex_data(STACK *meth, char *obj, CRYPTO_EX_DATA *ad)
 		}
 	}
 
-
+IMPLEMENT_STACK_OF(CRYPTO_EX_DATA_FUNCS)
diff --git a/lib/libcrypto/hmac/hmac.c b/lib/libcrypto/hmac/hmac.c
index 5c349bbb56e..23b7c98f8fa 100644
--- a/lib/libcrypto/hmac/hmac.c
+++ b/lib/libcrypto/hmac/hmac.c
@@ -109,7 +109,7 @@ void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
 	memcpy(&ctx->md_ctx,&ctx->i_ctx,sizeof(ctx->i_ctx));
 	}
 
-void HMAC_Update(HMAC_CTX *ctx, unsigned char *data, int len)
+void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len)
 	{
 	EVP_DigestUpdate(&(ctx->md_ctx),data,len);
 	}
@@ -134,7 +134,7 @@ void HMAC_cleanup(HMAC_CTX *ctx)
 	}
 
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
-		    unsigned char *d, int n, unsigned char *md,
+		    const unsigned char *d, int n, unsigned char *md,
 		    unsigned int *md_len)
 	{
 	HMAC_CTX c;
diff --git a/lib/libcrypto/hmac/hmac.h b/lib/libcrypto/hmac/hmac.h
index f928975fcdc..223eeda7f3f 100644
--- a/lib/libcrypto/hmac/hmac.h
+++ b/lib/libcrypto/hmac/hmac.h
@@ -85,11 +85,11 @@ typedef struct hmac_ctx_st
 
 void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
 	       const EVP_MD *md);
-void HMAC_Update(HMAC_CTX *ctx,unsigned char *key, int len);
+void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
 void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 void HMAC_cleanup(HMAC_CTX *ctx);
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
-		    unsigned char *d, int n, unsigned char *md,
+		    const unsigned char *d, int n, unsigned char *md,
 		    unsigned int *md_len);
 
 
diff --git a/lib/libcrypto/hmac/hmactest.c b/lib/libcrypto/hmac/hmactest.c
index 9a67dff36a2..4b56b8ee135 100644
--- a/lib/libcrypto/hmac/hmactest.c
+++ b/lib/libcrypto/hmac/hmactest.c
@@ -73,7 +73,7 @@ int main(int argc, char *argv[])
 #include <openssl/ebcdic.h>
 #endif
 
-struct test_st
+static struct test_st
 	{
 	unsigned char key[16];
 	int key_len;
diff --git a/lib/libcrypto/install.com b/lib/libcrypto/install.com
index b75d1b44b24..44cfc4e89a7 100644
--- a/lib/libcrypto/install.com
+++ b/lib/libcrypto/install.com
@@ -90,6 +90,7 @@ $	  COPY 'tmp' WRK_SSLINCLUDE: /LOG
 $	ELSE
 $	  COPY [.'D']'tmp' WRK_SSLINCLUDE: /LOG
 $	ENDIF
+$	SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'tmp'
 $	GOTO LOOP_SDIRS
 $ LOOP_SDIRS_END:
 $
diff --git a/lib/libcrypto/lhash/Makefile.ssl b/lib/libcrypto/lhash/Makefile.ssl
index d6845d6caa4..eef4000460f 100644
--- a/lib/libcrypto/lhash/Makefile.ssl
+++ b/lib/libcrypto/lhash/Makefile.ssl
@@ -82,7 +82,8 @@ lh_stats.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 lh_stats.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 lh_stats.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 lh_stats.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-lh_stats.o: ../cryptlib.h
+lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+lh_stats.o: ../../include/openssl/stack.h ../cryptlib.h
 lhash.o: ../../include/openssl/crypto.h ../../include/openssl/lhash.h
-lhash.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
+lhash.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+lhash.o: ../../include/openssl/stack.h
diff --git a/lib/libcrypto/lhash/lhash.c b/lib/libcrypto/lhash/lhash.c
index 801322beb64..6a340a24038 100644
--- a/lib/libcrypto/lhash/lhash.c
+++ b/lib/libcrypto/lhash/lhash.c
@@ -64,11 +64,11 @@
  *
  * 2.1 eay - Added an 'error in last operation' flag. eay 6-May-98
  *
- * 2.0 eay - Fixed a bug that occured when using lh_delete
+ * 2.0 eay - Fixed a bug that occurred when using lh_delete
  *	     from inside lh_doall().  As entries were deleted,
  *	     the 'table' was 'contract()ed', making some entries
  *	     jump from the end of the table to the start, there by
- *	     skiping the lh_doall() processing. eay - 4/12/95
+ *	     skipping the lh_doall() processing. eay - 4/12/95
  *
  * 1.9 eay - Fixed a memory leak in lh_free, the LHASH_NODEs
  *	     were not being free()ed. 21/11/95
@@ -107,12 +107,9 @@ const char *lh_version="lhash" OPENSSL_VERSION_PTEXT;
 #define UP_LOAD		(2*LH_LOAD_MULT) /* load times 256  (default 2) */
 #define DOWN_LOAD	(LH_LOAD_MULT)   /* load times 256  (default 1) */
 
-
-#define P_CP	char *
-#define P_CPP	char *,char *
 static void expand(LHASH *lh);
 static void contract(LHASH *lh);
-static LHASH_NODE **getrn(LHASH *lh, char *data, unsigned long *rhash);
+static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash);
 
 LHASH *lh_new(unsigned long (*h)(), int (*c)())
 	{
@@ -152,7 +149,7 @@ LHASH *lh_new(unsigned long (*h)(), int (*c)())
 	ret->error=0;
 	return(ret);
 err1:
-	Free((char *)ret);
+	Free(ret);
 err0:
 	return(NULL);
 	}
@@ -175,15 +172,15 @@ void lh_free(LHASH *lh)
 			n=nn;
 			}
 		}
-	Free((char *)lh->b);
-	Free((char *)lh);
+	Free(lh->b);
+	Free(lh);
 	}
 
-char *lh_insert(LHASH *lh, char *data)
+void *lh_insert(LHASH *lh, void *data)
 	{
 	unsigned long hash;
 	LHASH_NODE *nn,**rn;
-	char *ret;
+	void *ret;
 
 	lh->error=0;
 	if (lh->up_load <= (lh->num_items*LH_LOAD_MULT/lh->num_nodes))
@@ -217,11 +214,11 @@ char *lh_insert(LHASH *lh, char *data)
 	return(ret);
 	}
 
-char *lh_delete(LHASH *lh, char *data)
+void *lh_delete(LHASH *lh, void *data)
 	{
 	unsigned long hash;
 	LHASH_NODE *nn,**rn;
-	char *ret;
+	void *ret;
 
 	lh->error=0;
 	rn=getrn(lh,data,&hash);
@@ -236,7 +233,7 @@ char *lh_delete(LHASH *lh, char *data)
 		nn= *rn;
 		*rn=nn->next;
 		ret=nn->data;
-		Free((char *)nn);
+		Free(nn);
 		lh->num_delete++;
 		}
 
@@ -248,11 +245,11 @@ char *lh_delete(LHASH *lh, char *data)
 	return(ret);
 	}
 
-char *lh_retrieve(LHASH *lh, char *data)
+void *lh_retrieve(LHASH *lh, void *data)
 	{
 	unsigned long hash;
 	LHASH_NODE **rn;
-	char *ret;
+	void *ret;
 
 	lh->error=0;
 	rn=getrn(lh,data,&hash);
@@ -275,7 +272,7 @@ void lh_doall(LHASH *lh, void (*func)())
 	lh_doall_arg(lh,func,NULL);
 	}
 
-void lh_doall_arg(LHASH *lh, void (*func)(), char *arg)
+void lh_doall_arg(LHASH *lh, void (*func)(), void *arg)
 	{
 	int i;
 	LHASH_NODE *a,*n;
@@ -332,7 +329,7 @@ static void expand(LHASH *lh)
 	if ((lh->p) >= lh->pmax)
 		{
 		j=(int)lh->num_alloc_nodes*2;
-		n=(LHASH_NODE **)Realloc((char *)lh->b,
+		n=(LHASH_NODE **)Realloc(lh->b,
 			(unsigned int)sizeof(LHASH_NODE *)*j);
 		if (n == NULL)
 			{
@@ -360,7 +357,7 @@ static void contract(LHASH *lh)
 	lh->b[lh->p+lh->pmax-1]=NULL; /* 24/07-92 - eay - weird but :-( */
 	if (lh->p == 0)
 		{
-		n=(LHASH_NODE **)Realloc((char *)lh->b,
+		n=(LHASH_NODE **)Realloc(lh->b,
 			(unsigned int)(sizeof(LHASH_NODE *)*lh->pmax));
 		if (n == NULL)
 			{
@@ -391,7 +388,7 @@ static void contract(LHASH *lh)
 		}
 	}
 
-static LHASH_NODE **getrn(LHASH *lh, char *data, unsigned long *rhash)
+static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash)
 	{
 	LHASH_NODE **ret,*n1;
 	unsigned long hash,nn;
@@ -426,8 +423,7 @@ static LHASH_NODE **getrn(LHASH *lh, char *data, unsigned long *rhash)
 	}
 
 /*
-static unsigned long lh_strhash(str)
-char *str;
+unsigned long lh_strhash(char *str)
 	{
 	int i,l;
 	unsigned long ret=0;
diff --git a/lib/libcrypto/lhash/lhash.h b/lib/libcrypto/lhash/lhash.h
index 6e5a1fe7085..6f6eeb2698a 100644
--- a/lib/libcrypto/lhash/lhash.h
+++ b/lib/libcrypto/lhash/lhash.h
@@ -73,7 +73,7 @@ extern "C" {
 
 typedef struct lhash_node_st
 	{
-	char *data;
+	void *data;
 	struct lhash_node_st *next;
 #ifndef NO_HASH_COMP
 	unsigned long hash;
@@ -116,13 +116,13 @@ typedef struct lhash_st
  * in lh_insert(). */
 #define lh_error(lh)	((lh)->error)
 
-LHASH *lh_new(unsigned long (*h)(), int (*c)());
+LHASH *lh_new(unsigned long (*h)(/* void *a */), int (*c)(/* void *a,void *b */));
 void lh_free(LHASH *lh);
-char *lh_insert(LHASH *lh, char *data);
-char *lh_delete(LHASH *lh, char *data);
-char *lh_retrieve(LHASH *lh, char *data);
-void lh_doall(LHASH *lh, void (*func)(/* char *b */));
-void lh_doall_arg(LHASH *lh, void (*func)(/*char *a,char *b*/),char *arg);
+void *lh_insert(LHASH *lh, void *data);
+void *lh_delete(LHASH *lh, void *data);
+void *lh_retrieve(LHASH *lh, void *data);
+    void lh_doall(LHASH *lh, void (*func)(/*void *b*/));
+void lh_doall_arg(LHASH *lh, void (*func)(/*void *a,void *b*/),void *arg);
 unsigned long lh_strhash(const char *c);
 
 #ifndef NO_FP_API
diff --git a/lib/libcrypto/md2/Makefile.ssl b/lib/libcrypto/md2/Makefile.ssl
index 4274354b5f2..eab615a5be9 100644
--- a/lib/libcrypto/md2/Makefile.ssl
+++ b/lib/libcrypto/md2/Makefile.ssl
@@ -84,5 +84,5 @@ md2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 md2_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 md2_one.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
-md2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-md2_one.o: ../cryptlib.h
+md2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md2_one.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/lib/libcrypto/md2/md2.h b/lib/libcrypto/md2/md2.h
index 0d3592506c4..582bffb8593 100644
--- a/lib/libcrypto/md2/md2.h
+++ b/lib/libcrypto/md2/md2.h
@@ -81,9 +81,9 @@ typedef struct MD2state_st
 
 const char *MD2_options(void);
 void MD2_Init(MD2_CTX *c);
-void MD2_Update(MD2_CTX *c, register unsigned char *data, unsigned long len);
+void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
 void MD2_Final(unsigned char *md, MD2_CTX *c);
-unsigned char *MD2(unsigned char *d, unsigned long n,unsigned char *md);
+unsigned char *MD2(const unsigned char *d, unsigned long n,unsigned char *md);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/lib/libcrypto/md2/md2_dgst.c b/lib/libcrypto/md2/md2_dgst.c
index c7d8d6aef57..608baefa8f3 100644
--- a/lib/libcrypto/md2/md2_dgst.c
+++ b/lib/libcrypto/md2/md2_dgst.c
@@ -69,9 +69,9 @@ const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
 
 #define UCHAR	unsigned char
 
-static void md2_block(MD2_CTX *c, unsigned char *d);
+static void md2_block(MD2_CTX *c, const unsigned char *d);
 /* The magic S table - I have converted it to hex since it is
- * basicaly just a random byte string. */
+ * basically just a random byte string. */
 static MD2_INT S[256]={
 	0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01,
 	0x3D, 0x36, 0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13,
@@ -123,7 +123,7 @@ void MD2_Init(MD2_CTX *c)
 	memset(c->data,0,MD2_BLOCK);
 	}
 
-void MD2_Update(MD2_CTX *c, register unsigned char *data, unsigned long len)
+void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
 	{
 	register UCHAR *p;
 
@@ -161,7 +161,7 @@ void MD2_Update(MD2_CTX *c, register unsigned char *data, unsigned long len)
 	c->num=(int)len;
 	}
 
-static void md2_block(MD2_CTX *c, unsigned char *d)
+static void md2_block(MD2_CTX *c, const unsigned char *d)
 	{
 	register MD2_INT t,*sp1,*sp2;
 	register int i,j;
diff --git a/lib/libcrypto/md2/md2_one.c b/lib/libcrypto/md2/md2_one.c
index 7157299d953..b12c37ce4de 100644
--- a/lib/libcrypto/md2/md2_one.c
+++ b/lib/libcrypto/md2/md2_one.c
@@ -63,7 +63,7 @@
 /* This is a separate file so that #defines in cryptlib.h can
  * map my MD functions to different names */
 
-unsigned char *MD2(unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
 	{
 	MD2_CTX c;
 	static unsigned char m[MD2_DIGEST_LENGTH];
diff --git a/lib/libcrypto/md2/md2test.c b/lib/libcrypto/md2/md2test.c
index 461d124957f..e3f4fb4c341 100644
--- a/lib/libcrypto/md2/md2test.c
+++ b/lib/libcrypto/md2/md2test.c
@@ -73,7 +73,7 @@ int main(int argc, char *argv[])
 #include <openssl/ebcdic.h>
 #endif
 
-char *test[]={
+static char *test[]={
 	"",
 	"a",
 	"abc",
@@ -84,7 +84,7 @@ char *test[]={
 	NULL,
 	};
 
-char *ret[]={
+static char *ret[]={
 	"8350e5a3e24c153df2275c9f80692773",
 	"32ec01ec4a6dac72c0ab96fb34c0b5d1",
 	"da853b0d3f88d99b30283a69e6ded6bb",
diff --git a/lib/libcrypto/md32_common.h b/lib/libcrypto/md32_common.h
index 2b91f9eef2a..1a404a458d1 100644
--- a/lib/libcrypto/md32_common.h
+++ b/lib/libcrypto/md32_common.h
@@ -94,6 +94,8 @@
  *	in original (data) byte order, implemented externally (it
  *	actually is optional if data and host are of the same
  *	"endianess").
+ * HASH_MAKE_STRING
+ *	macro convering context variables to an ASCII hash string.
  *
  * Optional macros:
  *
@@ -178,8 +180,17 @@
 #undef ROTATE
 #ifndef PEDANTIC
 # if defined(_MSC_VER)
-#  define ROTATE(a,n)     _lrotl(a,n)
-# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM)
+#  define ROTATE(a,n)	_lrotl(a,n)
+# elif defined(__MWERKS__)
+#  if defined(__POWERPC__)
+#   define ROTATE(a,n)	__rlwinm(a,n,0,31)
+#  elif defined(__MC68K__)
+    /* Motorola specific tweak. <appro@fy.chalmers.se> */
+#   define ROTATE(a,n)	( n<24 ? __rol(a,n) : __ror(a,32-n) )
+#  else
+#   define ROTATE(a,n)	__rol(a,n)
+#  endif
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
   /*
    * Some GNU C inline assembler templates. Note that these are
    * rotates by *constant* number of bits! But that's exactly
@@ -189,16 +200,16 @@
    */
 #  if defined(__i386)
 #   define ROTATE(a,n)	({ register unsigned int ret;	\
-				asm volatile (		\
+				asm (			\
 				"roll %1,%0"		\
 				: "=r"(ret)		\
 				: "I"(n), "0"(a)	\
 				: "cc");		\
 			   ret;				\
 			})
-#  elif defined(__powerpc)
+#  elif defined(__powerpc) || defined(__ppc)
 #   define ROTATE(a,n)	({ register unsigned int ret;	\
-				asm volatile (		\
+				asm (			\
 				"rlwinm %0,%1,%2,0,31"	\
 				: "=r"(ret)		\
 				: "r"(a), "I"(n));	\
@@ -211,18 +222,18 @@
  * Engage compiler specific "fetch in reverse byte order"
  * intrinsic function if available.
  */
-# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM)
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
   /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
 #  if defined(__i386) && !defined(I386_ONLY)
 #   define BE_FETCH32(a)	({ register unsigned int l=(a);\
-				asm volatile (		\
+				asm (			\
 				"bswapl %0"		\
 				: "=r"(l) : "0"(l));	\
 			  l;				\
 			})
 #  elif defined(__powerpc)
 #   define LE_FETCH32(a)	({ register unsigned int l;	\
-				asm volatile (		\
+				asm (			\
 				"lwbrx %0,0,%1"		\
 				: "=r"(l)		\
 				: "r"(a));		\
@@ -231,7 +242,7 @@
 
 #  elif defined(__sparc) && defined(ULTRASPARC)
 #  define LE_FETCH32(a)	({ register unsigned int l;		\
-				asm volatile (			\
+				asm (				\
 				"lda [%1]#ASI_PRIMARY_LITTLE,%0"\
 				: "=r"(l)			\
 				: "r"(a));			\
@@ -399,8 +410,9 @@
  * Time for some action:-)
  */
 
-void HASH_UPDATE (HASH_CTX *c, const unsigned char *data, unsigned long len)
+void HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
 	{
+	const unsigned char *data=data_;
 	register HASH_LONG * p;
 	register unsigned long l;
 	int sw,sc,ew,ec;
@@ -581,10 +593,11 @@ void HASH_FINAL (unsigned char *md, HASH_CTX *c)
 #endif
 	HASH_BLOCK_HOST_ORDER (c,p,1);
 
-	l=c->A; HOST_l2c(l,md);
-	l=c->B; HOST_l2c(l,md);
-	l=c->C; HOST_l2c(l,md);
-	l=c->D; HOST_l2c(l,md);
+#ifndef HASH_MAKE_STRING
+#error "HASH_MAKE_STRING must be defined!"
+#else
+	HASH_MAKE_STRING(c,md);
+#endif
 
 	c->num=0;
 	/* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
diff --git a/lib/libcrypto/md5/Makefile.ssl b/lib/libcrypto/md5/Makefile.ssl
index cc73fba2ba6..d50f967be77 100644
--- a/lib/libcrypto/md5/Makefile.ssl
+++ b/lib/libcrypto/md5/Makefile.ssl
@@ -19,6 +19,13 @@ AR=             ar r
 MD5_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
 ASFLAGS=$(CFLAGS)
 
 GENERAL=Makefile
@@ -77,7 +84,7 @@ asm/md5-sparcv8plus.o: asm/md5-sparcv9.S
 # if they didn't bother to upgrade GNU assembler. Such users should
 # not choose this option, but be adviced to *remove* GNU assembler
 # or upgrade it.
-sm/md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S
+asm/md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S
 	$(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -E asm/md5-sparcv9.S | \
 		/usr/ccs/bin/as -xarch=v8plus - -o asm/md5-sparcv8plus-gcc27.o
 
diff --git a/lib/libcrypto/md5/md5.h b/lib/libcrypto/md5/md5.h
index bdab6d45e86..d10bc8397ff 100644
--- a/lib/libcrypto/md5/md5.h
+++ b/lib/libcrypto/md5/md5.h
@@ -103,9 +103,9 @@ typedef struct MD5state_st
 	} MD5_CTX;
 
 void MD5_Init(MD5_CTX *c);
-void MD5_Update(MD5_CTX *c, const unsigned char *data, unsigned long len);
+void MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
 void MD5_Final(unsigned char *md, MD5_CTX *c);
-unsigned char *MD5(unsigned char *d, unsigned long n, unsigned char *md);
+unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
 void MD5_Transform(MD5_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/md5/md5_dgst.c b/lib/libcrypto/md5/md5_dgst.c
index ba0115ae793..23d196b8d45 100644
--- a/lib/libcrypto/md5/md5_dgst.c
+++ b/lib/libcrypto/md5/md5_dgst.c
@@ -60,7 +60,7 @@
 #include "md5_locl.h"
 #include <openssl/opensslv.h>
 
-char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
+const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
 
 /* Implemented from RFC1321 The MD5 Message-Digest Algorithm
  */
@@ -186,6 +186,9 @@ void md5_block_host_order (MD5_CTX *c, const void *data, int num)
 #endif
 
 #ifndef md5_block_data_order
+#ifdef X
+#undef X
+#endif
 void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
 	{
 	const unsigned char *data=data_;
@@ -204,16 +207,15 @@ void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
 	 *
 	 *				<appro@fy.chalmers.se>
 	 */
-	MD5_LONG X[MD5_LBLOCK];
-	/*
-	 * In case you wonder why don't I use c->data for this.
-	 * RISCs usually have a handful of registers and if X is
-	 * declared as automatic array good optimizing compiler
-	 * shall accomodate at least part of it in register bank
-	 * instead of memory.
-	 *
-	 *				<appro@fy.chalmers.se>
-	 */
+#ifndef MD32_XARRAY
+	/* See comment in crypto/sha/sha_locl.h for details. */
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i)	XX##i
+#else
+	MD5_LONG XX[MD5_LBLOCK];
+# define X(i)	XX[i]
+#endif
 
 	A=c->A;
 	B=c->B;
@@ -222,75 +224,75 @@ void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
 
 	for (;num--;)
 		{
-	HOST_c2l(data,l); X[ 0]=l;		HOST_c2l(data,l); X[ 1]=l;
+	HOST_c2l(data,l); X( 0)=l;		HOST_c2l(data,l); X( 1)=l;
 	/* Round 0 */
-	R0(A,B,C,D,X[ 0], 7,0xd76aa478L);	HOST_c2l(data,l); X[ 2]=l;
-	R0(D,A,B,C,X[ 1],12,0xe8c7b756L);	HOST_c2l(data,l); X[ 3]=l;
-	R0(C,D,A,B,X[ 2],17,0x242070dbL);	HOST_c2l(data,l); X[ 4]=l;
-	R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);	HOST_c2l(data,l); X[ 5]=l;
-	R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);	HOST_c2l(data,l); X[ 6]=l;
-	R0(D,A,B,C,X[ 5],12,0x4787c62aL);	HOST_c2l(data,l); X[ 7]=l;
-	R0(C,D,A,B,X[ 6],17,0xa8304613L);	HOST_c2l(data,l); X[ 8]=l;
-	R0(B,C,D,A,X[ 7],22,0xfd469501L);	HOST_c2l(data,l); X[ 9]=l;
-	R0(A,B,C,D,X[ 8], 7,0x698098d8L);	HOST_c2l(data,l); X[10]=l;
-	R0(D,A,B,C,X[ 9],12,0x8b44f7afL);	HOST_c2l(data,l); X[11]=l;
-	R0(C,D,A,B,X[10],17,0xffff5bb1L);	HOST_c2l(data,l); X[12]=l;
-	R0(B,C,D,A,X[11],22,0x895cd7beL);	HOST_c2l(data,l); X[13]=l;
-	R0(A,B,C,D,X[12], 7,0x6b901122L);	HOST_c2l(data,l); X[14]=l;
-	R0(D,A,B,C,X[13],12,0xfd987193L);	HOST_c2l(data,l); X[15]=l;
-	R0(C,D,A,B,X[14],17,0xa679438eL);
-	R0(B,C,D,A,X[15],22,0x49b40821L);
+	R0(A,B,C,D,X( 0), 7,0xd76aa478L);	HOST_c2l(data,l); X( 2)=l;
+	R0(D,A,B,C,X( 1),12,0xe8c7b756L);	HOST_c2l(data,l); X( 3)=l;
+	R0(C,D,A,B,X( 2),17,0x242070dbL);	HOST_c2l(data,l); X( 4)=l;
+	R0(B,C,D,A,X( 3),22,0xc1bdceeeL);	HOST_c2l(data,l); X( 5)=l;
+	R0(A,B,C,D,X( 4), 7,0xf57c0fafL);	HOST_c2l(data,l); X( 6)=l;
+	R0(D,A,B,C,X( 5),12,0x4787c62aL);	HOST_c2l(data,l); X( 7)=l;
+	R0(C,D,A,B,X( 6),17,0xa8304613L);	HOST_c2l(data,l); X( 8)=l;
+	R0(B,C,D,A,X( 7),22,0xfd469501L);	HOST_c2l(data,l); X( 9)=l;
+	R0(A,B,C,D,X( 8), 7,0x698098d8L);	HOST_c2l(data,l); X(10)=l;
+	R0(D,A,B,C,X( 9),12,0x8b44f7afL);	HOST_c2l(data,l); X(11)=l;
+	R0(C,D,A,B,X(10),17,0xffff5bb1L);	HOST_c2l(data,l); X(12)=l;
+	R0(B,C,D,A,X(11),22,0x895cd7beL);	HOST_c2l(data,l); X(13)=l;
+	R0(A,B,C,D,X(12), 7,0x6b901122L);	HOST_c2l(data,l); X(14)=l;
+	R0(D,A,B,C,X(13),12,0xfd987193L);	HOST_c2l(data,l); X(15)=l;
+	R0(C,D,A,B,X(14),17,0xa679438eL);
+	R0(B,C,D,A,X(15),22,0x49b40821L);
 	/* Round 1 */
-	R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
-	R1(D,A,B,C,X[ 6], 9,0xc040b340L);
-	R1(C,D,A,B,X[11],14,0x265e5a51L);
-	R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
-	R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
-	R1(D,A,B,C,X[10], 9,0x02441453L);
-	R1(C,D,A,B,X[15],14,0xd8a1e681L);
-	R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
-	R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
-	R1(D,A,B,C,X[14], 9,0xc33707d6L);
-	R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
-	R1(B,C,D,A,X[ 8],20,0x455a14edL);
-	R1(A,B,C,D,X[13], 5,0xa9e3e905L);
-	R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
-	R1(C,D,A,B,X[ 7],14,0x676f02d9L);
-	R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
+	R1(A,B,C,D,X( 1), 5,0xf61e2562L);
+	R1(D,A,B,C,X( 6), 9,0xc040b340L);
+	R1(C,D,A,B,X(11),14,0x265e5a51L);
+	R1(B,C,D,A,X( 0),20,0xe9b6c7aaL);
+	R1(A,B,C,D,X( 5), 5,0xd62f105dL);
+	R1(D,A,B,C,X(10), 9,0x02441453L);
+	R1(C,D,A,B,X(15),14,0xd8a1e681L);
+	R1(B,C,D,A,X( 4),20,0xe7d3fbc8L);
+	R1(A,B,C,D,X( 9), 5,0x21e1cde6L);
+	R1(D,A,B,C,X(14), 9,0xc33707d6L);
+	R1(C,D,A,B,X( 3),14,0xf4d50d87L);
+	R1(B,C,D,A,X( 8),20,0x455a14edL);
+	R1(A,B,C,D,X(13), 5,0xa9e3e905L);
+	R1(D,A,B,C,X( 2), 9,0xfcefa3f8L);
+	R1(C,D,A,B,X( 7),14,0x676f02d9L);
+	R1(B,C,D,A,X(12),20,0x8d2a4c8aL);
 	/* Round 2 */
-	R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
-	R2(D,A,B,C,X[ 8],11,0x8771f681L);
-	R2(C,D,A,B,X[11],16,0x6d9d6122L);
-	R2(B,C,D,A,X[14],23,0xfde5380cL);
-	R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
-	R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
-	R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
-	R2(B,C,D,A,X[10],23,0xbebfbc70L);
-	R2(A,B,C,D,X[13], 4,0x289b7ec6L);
-	R2(D,A,B,C,X[ 0],11,0xeaa127faL);
-	R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
-	R2(B,C,D,A,X[ 6],23,0x04881d05L);
-	R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
-	R2(D,A,B,C,X[12],11,0xe6db99e5L);
-	R2(C,D,A,B,X[15],16,0x1fa27cf8L);
-	R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
+	R2(A,B,C,D,X( 5), 4,0xfffa3942L);
+	R2(D,A,B,C,X( 8),11,0x8771f681L);
+	R2(C,D,A,B,X(11),16,0x6d9d6122L);
+	R2(B,C,D,A,X(14),23,0xfde5380cL);
+	R2(A,B,C,D,X( 1), 4,0xa4beea44L);
+	R2(D,A,B,C,X( 4),11,0x4bdecfa9L);
+	R2(C,D,A,B,X( 7),16,0xf6bb4b60L);
+	R2(B,C,D,A,X(10),23,0xbebfbc70L);
+	R2(A,B,C,D,X(13), 4,0x289b7ec6L);
+	R2(D,A,B,C,X( 0),11,0xeaa127faL);
+	R2(C,D,A,B,X( 3),16,0xd4ef3085L);
+	R2(B,C,D,A,X( 6),23,0x04881d05L);
+	R2(A,B,C,D,X( 9), 4,0xd9d4d039L);
+	R2(D,A,B,C,X(12),11,0xe6db99e5L);
+	R2(C,D,A,B,X(15),16,0x1fa27cf8L);
+	R2(B,C,D,A,X( 2),23,0xc4ac5665L);
 	/* Round 3 */
-	R3(A,B,C,D,X[ 0], 6,0xf4292244L);
-	R3(D,A,B,C,X[ 7],10,0x432aff97L);
-	R3(C,D,A,B,X[14],15,0xab9423a7L);
-	R3(B,C,D,A,X[ 5],21,0xfc93a039L);
-	R3(A,B,C,D,X[12], 6,0x655b59c3L);
-	R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
-	R3(C,D,A,B,X[10],15,0xffeff47dL);
-	R3(B,C,D,A,X[ 1],21,0x85845dd1L);
-	R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
-	R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
-	R3(C,D,A,B,X[ 6],15,0xa3014314L);
-	R3(B,C,D,A,X[13],21,0x4e0811a1L);
-	R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
-	R3(D,A,B,C,X[11],10,0xbd3af235L);
-	R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
-	R3(B,C,D,A,X[ 9],21,0xeb86d391L);
+	R3(A,B,C,D,X( 0), 6,0xf4292244L);
+	R3(D,A,B,C,X( 7),10,0x432aff97L);
+	R3(C,D,A,B,X(14),15,0xab9423a7L);
+	R3(B,C,D,A,X( 5),21,0xfc93a039L);
+	R3(A,B,C,D,X(12), 6,0x655b59c3L);
+	R3(D,A,B,C,X( 3),10,0x8f0ccc92L);
+	R3(C,D,A,B,X(10),15,0xffeff47dL);
+	R3(B,C,D,A,X( 1),21,0x85845dd1L);
+	R3(A,B,C,D,X( 8), 6,0x6fa87e4fL);
+	R3(D,A,B,C,X(15),10,0xfe2ce6e0L);
+	R3(C,D,A,B,X( 6),15,0xa3014314L);
+	R3(B,C,D,A,X(13),21,0x4e0811a1L);
+	R3(A,B,C,D,X( 4), 6,0xf7537e82L);
+	R3(D,A,B,C,X(11),10,0xbd3af235L);
+	R3(C,D,A,B,X( 2),15,0x2ad7d2bbL);
+	R3(B,C,D,A,X( 9),21,0xeb86d391L);
 
 	A = c->A += A;
 	B = c->B += B;
diff --git a/lib/libcrypto/md5/md5_locl.h b/lib/libcrypto/md5/md5_locl.h
index 9d04696dbde..06af6332286 100644
--- a/lib/libcrypto/md5/md5_locl.h
+++ b/lib/libcrypto/md5/md5_locl.h
@@ -66,7 +66,7 @@
 #endif
 
 #ifdef MD5_ASM
-# if defined(__i386) || defined(_M_IX86)
+# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
 #  define md5_block_host_order md5_block_asm_host_order
 # elif defined(__sparc) && defined(ULTRASPARC)
    void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
@@ -77,11 +77,11 @@
 void md5_block_host_order (MD5_CTX *c, const void *p,int num);
 void md5_block_data_order (MD5_CTX *c, const void *p,int num);
 
-#if defined(__i386) || defined(_M_IX86)
+#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
 /*
  * *_block_host_order is expected to handle aligned data while
  * *_block_data_order - unaligned. As algorithm and host (x86)
- * are in this case of the same "endianess" these two are
+ * are in this case of the same "endianness" these two are
  * otherwise indistinguishable. But normally you don't want to
  * call the same function because unaligned access in places
  * where alignment is expected is usually a "Bad Thing". Indeed,
@@ -112,6 +112,13 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
 #define HASH_UPDATE		MD5_Update
 #define HASH_TRANSFORM		MD5_Transform
 #define HASH_FINAL		MD5_Final
+#define	HASH_MAKE_STRING(c,s)	do {	\
+	unsigned long ll;		\
+	ll=(c)->A; HOST_l2c(ll,(s));	\
+	ll=(c)->B; HOST_l2c(ll,(s));	\
+	ll=(c)->C; HOST_l2c(ll,(s));	\
+	ll=(c)->D; HOST_l2c(ll,(s));	\
+	} while (0)
 #define HASH_BLOCK_HOST_ORDER	md5_block_host_order
 #if !defined(L_ENDIAN) || defined(md5_block_data_order)
 #define	HASH_BLOCK_DATA_ORDER	md5_block_data_order
@@ -119,7 +126,7 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
  * Little-endians (Intel and Alpha) feel better without this.
  * It looks like memcpy does better job than generic
  * md5_block_data_order on copying-n-aligning input data.
- * But franlky speaking I didn't expect such result on Alpha.
+ * But frankly speaking I didn't expect such result on Alpha.
  * On the other hand I've got this with egcs-1.0.2 and if
  * program is compiled with another (better?) compiler it
  * might turn out other way around.
@@ -140,7 +147,7 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
 */
 
 /* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
- * simplified to the code below.  Wei attributes these optimisations
+ * simplified to the code below.  Wei attributes these optimizations
  * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
  */
 #define	F(b,c,d)	((((c) ^ (d)) & (b)) ^ (d))
diff --git a/lib/libcrypto/md5/md5_one.c b/lib/libcrypto/md5/md5_one.c
index 4b10e7f9402..b89dec850d2 100644
--- a/lib/libcrypto/md5/md5_one.c
+++ b/lib/libcrypto/md5/md5_one.c
@@ -64,7 +64,7 @@
 #include <openssl/ebcdic.h>
 #endif
 
-unsigned char *MD5(unsigned char *d, unsigned long n, unsigned char *md)
+unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
 	{
 	MD5_CTX c;
 	static unsigned char m[MD5_DIGEST_LENGTH];
diff --git a/lib/libcrypto/md5/md5test.c b/lib/libcrypto/md5/md5test.c
index a192a62bb30..6bd86563020 100644
--- a/lib/libcrypto/md5/md5test.c
+++ b/lib/libcrypto/md5/md5test.c
@@ -69,7 +69,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/md5.h>
 
-char *test[]={
+static char *test[]={
 	"",
 	"a",
 	"abc",
@@ -80,7 +80,7 @@ char *test[]={
 	NULL,
 	};
 
-char *ret[]={
+static char *ret[]={
 	"d41d8cd98f00b204e9800998ecf8427e",
 	"0cc175b9c0f1b6a831c399e269772661",
 	"900150983cd24fb0d6963f7d28e17f72",
diff --git a/lib/libcrypto/mdc2/Makefile.ssl b/lib/libcrypto/mdc2/Makefile.ssl
index f8c824c4a8a..7c281033505 100644
--- a/lib/libcrypto/mdc2/Makefile.ssl
+++ b/lib/libcrypto/mdc2/Makefile.ssl
@@ -83,7 +83,7 @@ mdc2_one.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 mdc2_one.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 mdc2_one.o: ../../include/openssl/err.h ../../include/openssl/mdc2.h
 mdc2_one.o: ../../include/openssl/opensslconf.h
-mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-mdc2_one.o: ../cryptlib.h
+mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2_one.o: ../../include/openssl/stack.h ../cryptlib.h
 mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
diff --git a/lib/libcrypto/mdc2/mdc2.h b/lib/libcrypto/mdc2/mdc2.h
index ec8e159fc92..00acd707cd1 100644
--- a/lib/libcrypto/mdc2/mdc2.h
+++ b/lib/libcrypto/mdc2/mdc2.h
@@ -82,9 +82,10 @@ typedef struct mdc2_ctx_st
 
 
 void MDC2_Init(MDC2_CTX *c);
-void MDC2_Update(MDC2_CTX *c, unsigned char *data, unsigned long len);
+void MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
 void MDC2_Final(unsigned char *md, MDC2_CTX *c);
-unsigned char *MDC2(unsigned char *d, unsigned long n, unsigned char *md);
+unsigned char *MDC2(const unsigned char *d, unsigned long n,
+	unsigned char *md);
 
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/mem.c b/lib/libcrypto/mem.c
index 61fc1e184ed..5a661e5f45a 100644
--- a/lib/libcrypto/mem.c
+++ b/lib/libcrypto/mem.c
@@ -59,371 +59,203 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <openssl/crypto.h>
-#ifdef CRYPTO_MDEBUG_TIME
-# include <time.h>	
-#endif
-#include <openssl/buffer.h>
-#include <openssl/bio.h>
-#include <openssl/lhash.h>
 #include "cryptlib.h"
 
-/* #ifdef CRYPTO_MDEBUG */
-/* static int mh_mode=CRYPTO_MEM_CHECK_ON; */
-/* #else */
-static int mh_mode=CRYPTO_MEM_CHECK_OFF;
-/* #endif */
-/* State CRYPTO_MEM_CHECK_ON exists only temporarily when the library
- * thinks that certain allocations should not be checked (e.g. the data
- * structures used for memory checking).  It is not suitable as an initial
- * state: the library will unexpectedly enable memory checking when it
- * executes one of those sections that want to disable checking
- * temporarily.
- *
- * State CRYPTO_MEM_CHECK_ENABLE without ..._ON makes no sense whatsoever.
- */
-
-static unsigned long order=0;
-
-static LHASH *mh=NULL;
 
-typedef struct mem_st
-	{
-	char *addr;
-	int num;
-	const char *file;
-	int line;
-#ifdef CRYPTO_MDEBUG_THREAD
-	unsigned long thread;
+static int allow_customize = 1;      /* we provide flexible functions for */
+static int allow_customize_debug = 1;/* exchanging memory-related functions at
+                                      * run-time, but this must be done
+                                      * before any blocks are actually
+                                      * allocated; or we'll run into huge
+                                      * problems when malloc/free pairs
+                                      * don't match etc. */
+
+/* may be changed as long as `allow_customize' is set */
+static void *(*malloc_locked_func)(size_t)  = malloc;
+static void (*free_locked_func)(void *)     = free;
+static void *(*malloc_func)(size_t)         = malloc;
+static void *(*realloc_func)(void *, size_t)= realloc;
+static void (*free_func)(void *)            = free;
+
+/* may be changed as long as `allow_customize_debug' is set */
+/* XXX use correct function pointer types */
+#ifdef CRYPTO_MDEBUG
+  /* use default functions from mem_dbg.c */
+  static void (*malloc_debug_func)()= (void (*)())CRYPTO_dbg_malloc;
+  static void (*realloc_debug_func)()= (void (*)())CRYPTO_dbg_realloc;
+  static void (*free_debug_func)()= (void (*)())CRYPTO_dbg_free;
+  static void (*set_debug_options_func)()= (void (*)())CRYPTO_dbg_set_options;
+  static long (*get_debug_options_func)()= (long (*)())CRYPTO_dbg_get_options;
+#else
+  /* applications can use CRYPTO_malloc_debug_init() to select above case
+   * at run-time */
+  static void (*malloc_debug_func)()= NULL;
+  static void (*realloc_debug_func)()= NULL;
+  static void (*free_debug_func)()= NULL;
+  static void (*set_debug_options_func)()= NULL;
+  static long (*get_debug_options_func)()= NULL;
 #endif
-	unsigned long order;
-#ifdef CRYPTO_MDEBUG_TIME
-	time_t time;
-#endif
-	} MEM;
-
-int CRYPTO_mem_ctrl(int mode)
-	{
-	int ret=mh_mode;
-
-	CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
-	switch (mode)
-		{
-	/* for applications: */
-	case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */
-		mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE;
-		break;
-	case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */
-		mh_mode = 0;
-		break;
 
-	/* switch off temporarily (for library-internal use): */
-	case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */
-		mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE;
-		break;
-	case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */
-		if (mh_mode&CRYPTO_MEM_CHECK_ON)
-			mh_mode|=CRYPTO_MEM_CHECK_ENABLE;
-		break;
 
-	default:
-		break;
-		}
-	CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
-	return(ret);
-	}
-
-static int mem_cmp(MEM *a, MEM *b)
-	{
-	return(a->addr - b->addr);
-	}
-
-static unsigned long mem_hash(MEM *a)
+int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
+	void (*f)(void *))
 	{
-	unsigned long ret;
-
-	ret=(unsigned long)a->addr;
-
-	ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
-	return(ret);
-	}
-
-static char *(*malloc_locked_func)()=(char *(*)())malloc;
-static void (*free_locked_func)()=(void (*)())free;
-static char *(*malloc_func)()=	(char *(*)())malloc;
-static char *(*realloc_func)()=	(char *(*)())realloc;
-static void (*free_func)()=	(void (*)())free;
-
-void CRYPTO_set_mem_functions(char *(*m)(), char *(*r)(), void (*f)())
-	{
-	if ((m == NULL) || (r == NULL) || (f == NULL)) return;
+	if (!allow_customize)
+		return 0;
+	if ((m == NULL) || (r == NULL) || (f == NULL))
+		return 0;
 	malloc_func=m;
 	realloc_func=r;
 	free_func=f;
 	malloc_locked_func=m;
 	free_locked_func=f;
+	return 1;
 	}
 
-void CRYPTO_set_locked_mem_functions(char *(*m)(), void (*f)())
+int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*f)(void *))
 	{
-	if ((m == NULL) || (f == NULL)) return;
+	if (!allow_customize)
+		return 0;
+	if ((m == NULL) || (f == NULL))
+		return 0;
 	malloc_locked_func=m;
 	free_locked_func=f;
+	return 1;
+	}
+
+int CRYPTO_set_mem_debug_functions(void (*m)(), void (*r)(), void (*f)(),void (*so)(),long (*go)())
+	{
+	if (!allow_customize_debug)
+		return 0;
+	malloc_debug_func=m;
+	realloc_debug_func=r;
+	free_debug_func=f;
+	set_debug_options_func=so;
+	get_debug_options_func=go;
+	return 1;
 	}
 
-void CRYPTO_get_mem_functions(char *(**m)(), char *(**r)(), void (**f)())
+void CRYPTO_get_mem_functions(void *(**m)(size_t), void *(**r)(void *, size_t),
+	void (**f)(void *))
 	{
 	if (m != NULL) *m=malloc_func;
 	if (r != NULL) *r=realloc_func;
 	if (f != NULL) *f=free_func;
 	}
 
-void CRYPTO_get_locked_mem_functions(char *(**m)(), void (**f)())
+void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *))
 	{
 	if (m != NULL) *m=malloc_locked_func;
 	if (f != NULL) *f=free_locked_func;
 	}
 
-void *CRYPTO_malloc_locked(int num)
+void CRYPTO_get_mem_debug_functions(void (**m)(), void (**r)(), void (**f)(),void (**so)(),long (**go)())
 	{
-	return(malloc_locked_func(num));
+	if (m != NULL) *m=malloc_debug_func;
+	if (r != NULL) *r=realloc_debug_func;
+	if (f != NULL) *f=free_debug_func;
+	if (so != NULL) *so=set_debug_options_func;
+	if (go != NULL) *go=get_debug_options_func;
 	}
 
-void CRYPTO_free_locked(void *str)
-	{
-	free_locked_func(str);
-	}
 
-void *CRYPTO_malloc(int num)
+void *CRYPTO_malloc_locked(int num, const char *file, int line)
 	{
-	return(malloc_func(num));
-	}
+	char *ret = NULL;
 
-void *CRYPTO_realloc(void *str, int num)
-	{
-	return(realloc_func(str,num));
-	}
-
-void CRYPTO_free(void *str)
-	{
-	free_func(str);
-	}
-
-static unsigned long break_order_num=0;
-void *CRYPTO_dbg_malloc(int num, const char *file, int line)
-	{
-	char *ret;
-	MEM *m,*mm;
-
-	if ((ret=malloc_func(num)) == NULL)
-		return(NULL);
-
-	if (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
+	allow_customize = 0;
+	if (malloc_debug_func != NULL)
 		{
-		MemCheck_off();
-		if ((m=(MEM *)Malloc(sizeof(MEM))) == NULL)
-			{
-			Free(ret);
-			MemCheck_on();
-			return(NULL);
-			}
-		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
-		if (mh == NULL)
-			{
-			if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)
-				{
-				Free(ret);
-				Free(m);
-				ret=NULL;
-				goto err;
-				}
-			}
-
-		m->addr=ret;
-		m->file=file;
-		m->line=line;
-		m->num=num;
-#ifdef CRYPTO_MDEBUG_THREAD
-		m->thread=CRYPTO_thread_id();
-#endif
-		if (order == break_order_num)
-			{
-			/* BREAK HERE */
-			m->order=order;
-			}
-		m->order=order++;
-#ifdef CRYPTO_MDEBUG_TIME
-		m->time=time(NULL);
-#endif
-		if ((mm=(MEM *)lh_insert(mh,(char *)m)) != NULL)
-			{
-			/* Not good, but don't sweat it */
-			Free(mm);
-			}
-err:
-		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
-		MemCheck_on();
+		allow_customize_debug = 0;
+		malloc_debug_func(NULL, num, file, line, 0);
 		}
-	return(ret);
+	ret = malloc_locked_func(num);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
+#endif
+	if (malloc_debug_func != NULL)
+		malloc_debug_func(ret, num, file, line, 1);
+
+	return ret;
 	}
 
-void CRYPTO_dbg_free(void *addr)
+void CRYPTO_free_locked(void *str)
 	{
-	MEM m,*mp;
-
-	if ((mh_mode & CRYPTO_MEM_CHECK_ENABLE) && (mh != NULL))
-		{
-		MemCheck_off();
-		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
-		m.addr=addr;
-		mp=(MEM *)lh_delete(mh,(char *)&m);
-		if (mp != NULL)
-			Free(mp);
-		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
-		MemCheck_on();
-		}
-	free_func(addr);
+	if (free_debug_func != NULL)
+		free_debug_func(str, 0);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
+#endif
+	free_locked_func(str);
+	if (free_debug_func != NULL)
+		free_debug_func(NULL, 1);
 	}
 
-void *CRYPTO_dbg_realloc(void *addr, int num, const char *file, int line)
+void *CRYPTO_malloc(int num, const char *file, int line)
 	{
-	char *ret;
-	MEM m,*mp;
-
-	ret=realloc_func(addr,num);
-	if (ret == addr) return(ret);
+	char *ret = NULL;
 
-	if (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
+	allow_customize = 0;
+	if (malloc_debug_func != NULL)
 		{
-		MemCheck_off();
-		if (ret == NULL) return(NULL);
-		m.addr=addr;
-		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
-		mp=(MEM *)lh_delete(mh,(char *)&m);
-		if (mp != NULL)
-			{
-			mp->addr=ret;
-			lh_insert(mh,(char *)mp);
-			}
-		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
-		MemCheck_on();
+		allow_customize_debug = 0;
+		malloc_debug_func(NULL, num, file, line, 0);
 		}
-	return(ret);
-	}
-
-void *CRYPTO_remalloc(void *a, int n)
-	{
-	if (a != NULL) Free(a);
-	a=(char *)Malloc(n);
-	return(a);
-	}
+	ret = malloc_func(num);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
+#endif
+	if (malloc_debug_func != NULL)
+		malloc_debug_func(ret, num, file, line, 1);
 
-void *CRYPTO_dbg_remalloc(void *a, int n, const char *file, int line)
-	{
-	if (a != NULL) CRYPTO_dbg_free(a);
-	a=(char *)CRYPTO_dbg_malloc(n,file,line);
-	return(a);
+	return ret;
 	}
 
-
-typedef struct mem_leak_st
+void *CRYPTO_realloc(void *str, int num, const char *file, int line)
 	{
-	BIO *bio;
-	int chunks;
-	long bytes;
-	} MEM_LEAK;
+	char *ret = NULL;
 
-static void print_leak(MEM *m, MEM_LEAK *l)
-	{
-	char buf[128];
-#ifdef CRYPTO_MDEBUG_TIME
-	struct tm *lcl;
+	if (realloc_debug_func != NULL)
+		realloc_debug_func(str, NULL, num, file, line, 0);
+	ret = realloc_func(str,num);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
 #endif
+	if (realloc_debug_func != NULL)
+		realloc_debug_func(str, ret, num, file, line, 1);
 
-	if(m->addr == (char *)l->bio)
-	    return;
-
-#ifdef CRYPTO_MDEBUG_TIME
-	lcl = localtime(&m->time);
-#endif
-
-	sprintf(buf,
-#ifdef CRYPTO_MDEBUG_TIME
-		"[%02d:%02d:%02d] "
-#endif
-		"%5lu file=%s, line=%d, "
-#ifdef CRYPTO_MDEBUG_THREAD
-		"thread=%lu, "
-#endif
-		"number=%d, address=%08lX\n",
-#ifdef CRYPTO_MDEBUG_TIME
-		lcl->tm_hour,lcl->tm_min,lcl->tm_sec,
-#endif
-		m->order,m->file,m->line,
-#ifdef CRYPTO_MDEBUG_THREAD
-		m->thread,
-#endif
-		m->num,(unsigned long)m->addr);
-
-	BIO_puts(l->bio,buf);
-	l->chunks++;
-	l->bytes+=m->num;
+	return ret;
 	}
 
-void CRYPTO_mem_leaks(BIO *b)
+void CRYPTO_free(void *str)
 	{
-	MEM_LEAK ml;
-	char buf[80];
-
-	if (mh == NULL) return;
-	ml.bio=b;
-	ml.bytes=0;
-	ml.chunks=0;
-	CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
-	lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml);
-	CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
-	if (ml.chunks != 0)
-		{
-		sprintf(buf,"%ld bytes leaked in %d chunks\n",
-			ml.bytes,ml.chunks);
-		BIO_puts(b,buf);
-		}
-
-#if 0
-	lh_stats_bio(mh,b);
-	lh_node_stats_bio(mh,b);
-	lh_node_usage_stats_bio(mh,b);
+	if (free_debug_func != NULL)
+		free_debug_func(str, 0);
+#ifdef LEVITTE_DEBUG
+	fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
 #endif
+	free_func(str);
+	if (free_debug_func != NULL)
+		free_debug_func(NULL, 1);
 	}
 
-static void (*mem_cb)()=NULL;
-
-static void cb_leak(MEM *m, char *cb)
+void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
 	{
-	void (*mem_callback)()=(void (*)())cb;
-	mem_callback(m->order,m->file,m->line,m->num,m->addr);
+	if (a != NULL) Free(a);
+	a=(char *)Malloc(num);
+	return(a);
 	}
 
-void CRYPTO_mem_leaks_cb(void (*cb)())
+
+void CRYPTO_set_mem_debug_options(long bits)
 	{
-	if (mh == NULL) return;
-	CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
-	mem_cb=cb;
-	lh_doall_arg(mh,(void (*)())cb_leak,(char *)mem_cb);
-	mem_cb=NULL;
-	CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+	if (set_debug_options_func != NULL)
+		set_debug_options_func(bits);
 	}
 
-#ifndef NO_FP_API
-void CRYPTO_mem_leaks_fp(FILE *fp)
+long CRYPTO_get_mem_debug_options(void)
 	{
-	BIO *b;
-
-	if (mh == NULL) return;
-	if ((b=BIO_new(BIO_s_file())) == NULL)
-		return;
-	BIO_set_fp(b,fp,BIO_NOCLOSE);
-	CRYPTO_mem_leaks(b);
-	BIO_free(b);
+	if (get_debug_options_func != NULL)
+		return get_debug_options_func();
+	return 0;
 	}
-#endif
-
diff --git a/lib/libcrypto/objects/Makefile.ssl b/lib/libcrypto/objects/Makefile.ssl
index 53450f87547..f05e15df963 100644
--- a/lib/libcrypto/objects/Makefile.ssl
+++ b/lib/libcrypto/objects/Makefile.ssl
@@ -37,9 +37,6 @@ top:
 
 all:	obj_dat.h lib
 
-obj_dat.h: objects.h obj_dat.pl
-	$(PERL) ./obj_dat.pl < objects.h > obj_dat.h
-
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
 	$(RANLIB) $(LIB)
diff --git a/lib/libcrypto/objects/o_names.c b/lib/libcrypto/objects/o_names.c
index 4da5e45b9c5..d654eb220ea 100644
--- a/lib/libcrypto/objects/o_names.c
+++ b/lib/libcrypto/objects/o_names.c
@@ -4,15 +4,25 @@
 
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
+#include <openssl/safestack.h>
 
 /* I use the ex_data stuff to manage the identifiers for the obj_name_types
  * that applications may define.  I only really use the free function field.
  */
 static LHASH *names_lh=NULL;
 static int names_type_num=OBJ_NAME_TYPE_NUM;
-static STACK *names_cmp=NULL;
-static STACK *names_hash=NULL;
-static STACK *names_free=NULL;
+
+typedef struct name_funcs_st
+	{
+	unsigned long (*hash_func)();
+	int (*cmp_func)();
+	void (*free_func)();
+	} NAME_FUNCS;
+
+DECLARE_STACK_OF(NAME_FUNCS)
+IMPLEMENT_STACK_OF(NAME_FUNCS)
+
+STACK_OF(NAME_FUNCS) *name_funcs_stack;
 
 static unsigned long obj_name_hash(OBJ_NAME *a);
 static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b);
@@ -31,51 +41,57 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(), int (*cmp_func)(),
 	{
 	int ret;
 	int i;
+	NAME_FUNCS *name_funcs;
 
-	if (names_free == NULL)
+	if (name_funcs_stack == NULL)
 		{
 		MemCheck_off();
-		names_hash=sk_new_null();
-		names_cmp=sk_new_null();
-		names_free=sk_new_null();
+		name_funcs_stack=sk_NAME_FUNCS_new_null();
 		MemCheck_on();
 		}
-	if ((names_free == NULL) || (names_hash == NULL) || (names_cmp == NULL))
+	if ((name_funcs_stack == NULL))
 		{
 		/* ERROR */
 		return(0);
 		}
 	ret=names_type_num;
 	names_type_num++;
-	for (i=sk_num(names_free); i<names_type_num; i++)
+	for (i=sk_NAME_FUNCS_num(name_funcs_stack); i<names_type_num; i++)
 		{
 		MemCheck_off();
-		sk_push(names_hash,(char *)strcmp);
-		sk_push(names_cmp,(char *)lh_strhash);
-		sk_push(names_free,NULL);
+		name_funcs = Malloc(sizeof(NAME_FUNCS));
+		name_funcs->hash_func = lh_strhash;
+		name_funcs->cmp_func = (int (*)())strcmp;
+		name_funcs->free_func = 0; /* NULL is often declared to
+					    * ((void *)0), which according
+					    * to Compaq C is not really
+					    * compatible with a function
+					    * pointer.  -- Richard Levitte*/
+		sk_NAME_FUNCS_push(name_funcs_stack,name_funcs);
 		MemCheck_on();
 		}
+	name_funcs = sk_NAME_FUNCS_value(name_funcs_stack, ret);
 	if (hash_func != NULL)
-		sk_set(names_hash,ret,(char *)hash_func);
+		name_funcs->hash_func = hash_func;
 	if (cmp_func != NULL)
-		sk_set(names_cmp,ret,(char *)cmp_func);
+		name_funcs->cmp_func = cmp_func;
 	if (free_func != NULL)
-		sk_set(names_free,ret,(char *)free_func);
+		name_funcs->free_func = free_func;
 	return(ret);
 	}
 
 static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
 	{
 	int ret;
-	int (*cmp)();
 
 	ret=a->type-b->type;
 	if (ret == 0)
 		{
-		if ((names_cmp != NULL) && (sk_num(names_cmp) > a->type))
+		if ((name_funcs_stack != NULL)
+			&& (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
 			{
-			cmp=(int (*)())sk_value(names_cmp,a->type);
-			ret=cmp(a->name,b->name);
+			ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
+				->cmp_func(a->name,b->name);
 			}
 		else
 			ret=strcmp(a->name,b->name);
@@ -86,12 +102,11 @@ static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
 static unsigned long obj_name_hash(OBJ_NAME *a)
 	{
 	unsigned long ret;
-	unsigned long (*hash)();
 
-	if ((names_hash != NULL) && (sk_num(names_hash) > a->type))
+	if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
 		{
-		hash=(unsigned long (*)())sk_value(names_hash,a->type);
-		ret=hash(a->name);
+		ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
+			->hash_func(a->name);
 		}
 	else
 		{
@@ -117,7 +132,7 @@ const char *OBJ_NAME_get(const char *name, int type)
 
 	for (;;)
 		{
-		ret=(OBJ_NAME *)lh_retrieve(names_lh,(char *)&on);
+		ret=(OBJ_NAME *)lh_retrieve(names_lh,&on);
 		if (ret == NULL) return(NULL);
 		if ((ret->alias) && !alias)
 			{
@@ -133,7 +148,6 @@ const char *OBJ_NAME_get(const char *name, int type)
 
 int OBJ_NAME_add(const char *name, int type, const char *data)
 	{
-	void (*f)();
 	OBJ_NAME *onp,*ret;
 	int alias;
 
@@ -154,16 +168,20 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
 	onp->type=type;
 	onp->data=data;
 
-	ret=(OBJ_NAME *)lh_insert(names_lh,(char *)onp);
+	ret=(OBJ_NAME *)lh_insert(names_lh,onp);
 	if (ret != NULL)
 		{
 		/* free things */
-		if ((names_free != NULL) && (sk_num(names_free) > ret->type))
+		if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > ret->type))
 			{
-			f=(void (*)())sk_value(names_free,ret->type);
-			f(ret->name,ret->type,ret->data);
+			/* XXX: I'm not sure I understand why the free
+			 * function should get three arguments...
+			 * -- Richard Levitte
+			 */
+			sk_NAME_FUNCS_value(name_funcs_stack,ret->type)
+				->free_func(ret->name,ret->type,ret->data);
 			}
-		Free((char *)ret);
+		Free(ret);
 		}
 	else
 		{
@@ -179,23 +197,26 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
 int OBJ_NAME_remove(const char *name, int type)
 	{
 	OBJ_NAME on,*ret;
-	void (*f)();
 
 	if (names_lh == NULL) return(0);
 
 	type&= ~OBJ_NAME_ALIAS;
 	on.name=name;
 	on.type=type;
-	ret=(OBJ_NAME *)lh_delete(names_lh,(char *)&on);
+	ret=(OBJ_NAME *)lh_delete(names_lh,&on);
 	if (ret != NULL)
 		{
 		/* free things */
-		if ((names_free != NULL) && (sk_num(names_free) > type))
+		if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > ret->type))
 			{
-			f=(void (*)())sk_value(names_free,type);
-			f(ret->name,ret->type,ret->data);
+			/* XXX: I'm not sure I understand why the free
+			 * function should get three arguments...
+			 * -- Richard Levitte
+			 */
+			sk_NAME_FUNCS_value(name_funcs_stack,ret->type)
+				->free_func(ret->name,ret->type,ret->data);
 			}
-		Free((char *)ret);
+		Free(ret);
 		return(1);
 		}
 	else
@@ -215,6 +236,11 @@ static void names_lh_free(OBJ_NAME *onp, int type)
 		}
 	}
 
+static void name_funcs_free(NAME_FUNCS *ptr)
+	{
+	Free(ptr);
+	}
+
 void OBJ_NAME_cleanup(int type)
 	{
 	unsigned long down_load;
@@ -229,13 +255,9 @@ void OBJ_NAME_cleanup(int type)
 	if (type < 0)
 		{
 		lh_free(names_lh);
-		sk_free(names_hash);
-		sk_free(names_cmp);
-		sk_free(names_free);
+		sk_NAME_FUNCS_pop_free(name_funcs_stack,name_funcs_free);
 		names_lh=NULL;
-		names_hash=NULL;
-		names_cmp=NULL;
-		names_free=NULL;
+		name_funcs_stack = NULL;
 		}
 	else
 		names_lh->down_load=down_load;
diff --git a/lib/libcrypto/objects/obj_dat.c b/lib/libcrypto/objects/obj_dat.c
index d47b874399c..da6df3762ad 100644
--- a/lib/libcrypto/objects/obj_dat.c
+++ b/lib/libcrypto/objects/obj_dat.c
@@ -214,16 +214,12 @@ int OBJ_new_nid(int num)
 int OBJ_add_object(ASN1_OBJECT *obj)
 	{
 	ASN1_OBJECT *o;
-	ADDED_OBJ *ao[4],*aop;
+	ADDED_OBJ *ao[4]={NULL,NULL,NULL,NULL},*aop;
 	int i;
 
 	if (added == NULL)
 		if (!init_added()) return(0);
 	if ((o=OBJ_dup(obj)) == NULL) goto err;
-	ao[ADDED_DATA]=NULL;
-	ao[ADDED_SNAME]=NULL;
-	ao[ADDED_LNAME]=NULL;
-	ao[ADDED_NID]=NULL;
 	ao[ADDED_NID]=(ADDED_OBJ *)Malloc(sizeof(ADDED_OBJ));
 	if ((o->length != 0) && (obj->data != NULL))
 		ao[ADDED_DATA]=(ADDED_OBJ *)Malloc(sizeof(ADDED_OBJ));
@@ -238,7 +234,7 @@ int OBJ_add_object(ASN1_OBJECT *obj)
 			{
 			ao[i]->type=i;
 			ao[i]->obj=o;
-			aop=(ADDED_OBJ *)lh_insert(added,(char *)ao[i]);
+			aop=(ADDED_OBJ *)lh_insert(added,ao[i]);
 			/* memory leak, buit should not normally matter */
 			if (aop != NULL)
 				Free(aop);
@@ -276,7 +272,7 @@ ASN1_OBJECT *OBJ_nid2obj(int n)
 		ad.type=ADDED_NID;
 		ad.obj= &ob;
 		ob.nid=n;
-		adp=(ADDED_OBJ *)lh_retrieve(added,(char *)&ad);
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL)
 			return(adp->obj);
 		else
@@ -308,7 +304,7 @@ const char *OBJ_nid2sn(int n)
 		ad.type=ADDED_NID;
 		ad.obj= &ob;
 		ob.nid=n;
-		adp=(ADDED_OBJ *)lh_retrieve(added,(char *)&ad);
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL)
 			return(adp->obj->sn);
 		else
@@ -340,7 +336,7 @@ const char *OBJ_nid2ln(int n)
 		ad.type=ADDED_NID;
 		ad.obj= &ob;
 		ob.nid=n;
-		adp=(ADDED_OBJ *)lh_retrieve(added,(char *)&ad);
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL)
 			return(adp->obj->ln);
 		else
@@ -365,7 +361,7 @@ int OBJ_obj2nid(ASN1_OBJECT *a)
 		{
 		ad.type=ADDED_DATA;
 		ad.obj=a;
-		adp=(ADDED_OBJ *)lh_retrieve(added,(char *)&ad);
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
 	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&a,(char *)obj_objs,NUM_OBJ,
@@ -504,7 +500,7 @@ int OBJ_ln2nid(const char *s)
 		{
 		ad.type=ADDED_LNAME;
 		ad.obj= &o;
-		adp=(ADDED_OBJ *)lh_retrieve(added,(char *)&ad);
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
 	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)ln_objs,NUM_LN,
@@ -523,7 +519,7 @@ int OBJ_sn2nid(const char *s)
 		{
 		ad.type=ADDED_SNAME;
 		ad.obj= &o;
-		adp=(ADDED_OBJ *)lh_retrieve(added,(char *)&ad);
+		adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
 	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)sn_objs,NUM_SN,
@@ -647,7 +643,7 @@ int OBJ_create(char *oid, char *sn, char *ln)
 	ok=OBJ_add_object(op);
 err:
 	ASN1_OBJECT_free(op);
-	Free((char *)buf);
+	Free(buf);
 	return(ok);
 	}
 
diff --git a/lib/libcrypto/objects/obj_dat.pl b/lib/libcrypto/objects/obj_dat.pl
index 5043daef2a2..e6e3c3b9c02 100644
--- a/lib/libcrypto/objects/obj_dat.pl
+++ b/lib/libcrypto/objects/obj_dat.pl
@@ -38,7 +38,10 @@ sub expand_obj
 	return(%objn);
 	}
 
-while (<>)
+open (IN,"$ARGV[0]") || die "Can't open input file $ARGV[0]";
+open (OUT,">$ARGV[1]") || die "Can't open output file $ARGV[1]";
+
+while (<IN>)
 	{
 	next unless /^\#define\s+(\S+)\s+(.*)$/;
 	$v=$1;
@@ -55,6 +58,7 @@ while (<>)
 		$objd{$v}=$d;
 		}
 	}
+close IN;
 
 %ob=&expand_obj(*objd);
 
@@ -132,7 +136,7 @@ foreach (sort obj_cmp @a)
 	push(@ob,sprintf("&(nid_objs[%2d]),/* %-32s %s */\n",$_,$m,$v));
 	}
 
-print <<'EOF';
+print OUT <<'EOF';
 /* lib/obj/obj_dat.h */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
@@ -193,21 +197,21 @@ print <<'EOF';
 
 /* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the
  * following command:
- * perl obj_dat.pl < objects.h > obj_dat.h
+ * perl obj_dat.pl objects.h obj_dat.h
  */
 
 EOF
 
-printf "#define NUM_NID %d\n",$n;
-printf "#define NUM_SN %d\n",$#sn+1;
-printf "#define NUM_LN %d\n",$#ln+1;
-printf "#define NUM_OBJ %d\n\n",$#ob+1;
+printf OUT "#define NUM_NID %d\n",$n;
+printf OUT "#define NUM_SN %d\n",$#sn+1;
+printf OUT "#define NUM_LN %d\n",$#ln+1;
+printf OUT "#define NUM_OBJ %d\n\n",$#ob+1;
 
-printf "static unsigned char lvalues[%d]={\n",$lvalues+1;
-print @lvalues;
-print "};\n\n";
+printf OUT "static unsigned char lvalues[%d]={\n",$lvalues+1;
+print OUT @lvalues;
+print OUT "};\n\n";
 
-printf "static ASN1_OBJECT nid_objs[NUM_NID]={\n";
+printf OUT "static ASN1_OBJECT nid_objs[NUM_NID]={\n";
 foreach (@out)
 	{
 	if (length($_) > 75)
@@ -218,30 +222,32 @@ foreach (@out)
 			$t=$out.$_.",";
 			if (length($t) > 70)
 				{
-				print "$out\n";
+				print OUT "$out\n";
 				$t="\t$_,";
 				}
 			$out=$t;
 			}
 		chop $out;
-		print "$out";
+		print OUT "$out";
 		}
 	else
-		{ print $_; }
+		{ print OUT $_; }
 	}
-print  "};\n\n";
+print  OUT "};\n\n";
+
+printf OUT "static ASN1_OBJECT *sn_objs[NUM_SN]={\n";
+print  OUT @sn;
+print  OUT "};\n\n";
 
-printf "static ASN1_OBJECT *sn_objs[NUM_SN]={\n";
-print  @sn;
-print  "};\n\n";
+printf OUT "static ASN1_OBJECT *ln_objs[NUM_LN]={\n";
+print  OUT @ln;
+print  OUT "};\n\n";
 
-printf "static ASN1_OBJECT *ln_objs[NUM_LN]={\n";
-print  @ln;
-print  "};\n\n";
+printf OUT "static ASN1_OBJECT *obj_objs[NUM_OBJ]={\n";
+print  OUT @ob;
+print  OUT "};\n\n";
 
-printf "static ASN1_OBJECT *obj_objs[NUM_OBJ]={\n";
-print  @ob;
-print  "};\n\n";
+close OUT;
 
 sub der_it
 	{
diff --git a/lib/libcrypto/objects/objects.h b/lib/libcrypto/objects/objects.h
index d03748e0228..d1a5ad25029 100644
--- a/lib/libcrypto/objects/objects.h
+++ b/lib/libcrypto/objects/objects.h
@@ -110,10 +110,12 @@ extern "C" {
 #define NID_md5WithRSAEncryption	8
 #define OBJ_md5WithRSAEncryption	OBJ_pkcs,1L,4L
 
+#define SN_pbeWithMD2AndDES_CBC		"PBE-MD2-DES"
 #define LN_pbeWithMD2AndDES_CBC		"pbeWithMD2AndDES-CBC"
 #define NID_pbeWithMD2AndDES_CBC	9
 #define OBJ_pbeWithMD2AndDES_CBC	OBJ_pkcs,5L,1L
 
+#define SN_pbeWithMD5AndDES_CBC		"PBE-MD5-DES"
 #define LN_pbeWithMD5AndDES_CBC		"pbeWithMD5AndDES-CBC"
 #define NID_pbeWithMD5AndDES_CBC	10
 #define OBJ_pbeWithMD5AndDES_CBC	OBJ_pkcs,5L,3L
@@ -230,6 +232,7 @@ extern "C" {
 #define SN_idea_cbc			"IDEA-CBC"
 #define LN_idea_cbc			"idea-cbc"
 #define NID_idea_cbc			34
+#define OBJ_idea_cbc			1L,3L,6L,1L,4L,1L,188L,7L,1L,1L,2L
 
 #define SN_idea_cfb64			"IDEA-CFB"
 #define LN_idea_cfb64			"idea-cfb"
@@ -380,6 +383,7 @@ extern "C" {
 #define OBJ_dsa_2			OBJ_algorithm,12L
 
 /* proposed by microsoft to RSA */
+#define SN_pbeWithSHA1AndRC2_CBC	"PBE-SHA1-RC2-64"
 #define LN_pbeWithSHA1AndRC2_CBC	"pbeWithSHA1AndRC2-CBC"
 #define NID_pbeWithSHA1AndRC2_CBC	68
 #define OBJ_pbeWithSHA1AndRC2_CBC	OBJ_pkcs,5L,11L 
@@ -499,6 +503,7 @@ extern "C" {
 #define SN_bf_cbc			"BF-CBC"
 #define LN_bf_cbc			"bf-cbc"
 #define NID_bf_cbc			91
+#define OBJ_bf_cbc			1L,3L,6L,1L,4L,1L,3029L,1L,2L
 
 #define SN_bf_ecb			"BF-ECB"
 #define LN_bf_ecb			"bf-ecb"
@@ -627,7 +632,7 @@ extern "C" {
 #define OBJ_ripemd160			1L,3L,36L,3L,2L,1L
 
 /* The name should actually be rsaSignatureWithripemd160, but I'm going
- * to contiune using the convention I'm using with the other ciphers */
+ * to continue using the convention I'm using with the other ciphers */
 #define SN_ripemd160WithRSA		"RSA-RIPEMD160"
 #define LN_ripemd160WithRSA		"ripemd160WithRSA"
 #define NID_ripemd160WithRSA		119
@@ -661,12 +666,12 @@ extern "C" {
 #define SN_rle_compression		"RLE"
 #define LN_rle_compression		"run length compression"
 #define NID_rle_compression		124
-#define OBJ_rle_compression		1L,1L,1L,1L,666L.1L
+#define OBJ_rle_compression		1L,1L,1L,1L,666L,1L
 
 #define SN_zlib_compression		"ZLIB"
 #define LN_zlib_compression		"zlib compression"
 #define NID_zlib_compression		125
-#define OBJ_zlib_compression		1L,1L,1L,1L,666L.2L
+#define OBJ_zlib_compression		1L,1L,1L,1L,666L,2L
 
 #define SN_ext_key_usage		"extendedKeyUsage"
 #define LN_ext_key_usage		"X509v3 Extended Key Usage"
@@ -735,7 +740,7 @@ extern "C" {
 #define NID_ms_efs			138
 #define OBJ_ms_efs			1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
 
-/* Addidional usage: Netscape */
+/* Additional usage: Netscape */
 
 #define SN_ns_sgc			"nsSGC"
 #define LN_ns_sgc			"Netscape Server Gated Crypto"
@@ -767,26 +772,32 @@ extern "C" {
 #define OBJ_pkcs12			OBJ_pkcs,12L
 #define OBJ_pkcs12_pbeids		OBJ_pkcs12, 1
 
+#define SN_pbe_WithSHA1And128BitRC4	"PBE-SHA1-RC4-128"
 #define LN_pbe_WithSHA1And128BitRC4	"pbeWithSHA1And128BitRC4"
 #define NID_pbe_WithSHA1And128BitRC4	144
 #define OBJ_pbe_WithSHA1And128BitRC4	OBJ_pkcs12_pbeids, 1L
 
+#define SN_pbe_WithSHA1And40BitRC4	"PBE-SHA1-RC4-40"
 #define LN_pbe_WithSHA1And40BitRC4	"pbeWithSHA1And40BitRC4"
 #define NID_pbe_WithSHA1And40BitRC4	145
 #define OBJ_pbe_WithSHA1And40BitRC4	OBJ_pkcs12_pbeids, 2L
 
+#define SN_pbe_WithSHA1And3_Key_TripleDES_CBC	"PBE-SHA1-3DES"
 #define LN_pbe_WithSHA1And3_Key_TripleDES_CBC	"pbeWithSHA1And3-KeyTripleDES-CBC"
 #define NID_pbe_WithSHA1And3_Key_TripleDES_CBC	146
 #define OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC	OBJ_pkcs12_pbeids, 3L
 
+#define SN_pbe_WithSHA1And2_Key_TripleDES_CBC	"PBE-SHA1-2DES"
 #define LN_pbe_WithSHA1And2_Key_TripleDES_CBC	"pbeWithSHA1And2-KeyTripleDES-CBC"
 #define NID_pbe_WithSHA1And2_Key_TripleDES_CBC	147
 #define OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC	OBJ_pkcs12_pbeids, 4L
 
+#define SN_pbe_WithSHA1And128BitRC2_CBC		"PBE-SHA1-RC2-128"
 #define LN_pbe_WithSHA1And128BitRC2_CBC		"pbeWithSHA1And128BitRC2-CBC"
 #define NID_pbe_WithSHA1And128BitRC2_CBC	148
 #define OBJ_pbe_WithSHA1And128BitRC2_CBC	OBJ_pkcs12_pbeids, 5L
 
+#define SN_pbe_WithSHA1And40BitRC2_CBC	"PBE-SHA1-RC2-40"
 #define LN_pbe_WithSHA1And40BitRC2_CBC	"pbeWithSHA1And40BitRC2-CBC"
 #define NID_pbe_WithSHA1And40BitRC2_CBC	149
 #define OBJ_pbe_WithSHA1And40BitRC2_CBC	OBJ_pkcs12_pbeids, 6L
@@ -876,20 +887,73 @@ extern "C" {
 #define SN_SMIMECapabilities		"SMIME-CAPS"
 #define LN_SMIMECapabilities		"S/MIME Capabilities"
 #define NID_SMIMECapabilities		167
-#define OBJ_SMIMECapabilities		OBJ_id_pkcs9,15L
+#define OBJ_SMIMECapabilities		OBJ_pkcs9,15L
 
+#define SN_pbeWithMD2AndRC2_CBC		"PBE-MD2-RC2-64"
 #define LN_pbeWithMD2AndRC2_CBC		"pbeWithMD2AndRC2-CBC"
 #define NID_pbeWithMD2AndRC2_CBC	168
 #define OBJ_pbeWithMD2AndRC2_CBC	OBJ_pkcs,5L,4L
 
+#define SN_pbeWithMD5AndRC2_CBC		"PBE-MD5-RC2-64"
 #define LN_pbeWithMD5AndRC2_CBC		"pbeWithMD5AndRC2-CBC"
 #define NID_pbeWithMD5AndRC2_CBC	169
 #define OBJ_pbeWithMD5AndRC2_CBC	OBJ_pkcs,5L,6L
 
+#define SN_pbeWithSHA1AndDES_CBC	"PBE-SHA1-DES"
 #define LN_pbeWithSHA1AndDES_CBC	"pbeWithSHA1AndDES-CBC"
 #define NID_pbeWithSHA1AndDES_CBC	170
 #define OBJ_pbeWithSHA1AndDES_CBC	OBJ_pkcs,5L,10L
 
+/* Extension request OIDs */
+
+#define LN_ms_ext_req			"Microsoft Extension Request"
+#define SN_ms_ext_req			"msExtReq"
+#define NID_ms_ext_req			171
+#define OBJ_ms_ext_req			1L,3L,6L,1L,4L,1L,311L,2L,1L,14L
+
+#define LN_ext_req			"Extension Request"
+#define SN_ext_req			"extReq"
+#define NID_ext_req			172
+#define OBJ_ext_req			OBJ_pkcs9,14L
+
+#define SN_name				"name"
+#define LN_name				"name"
+#define NID_name			173
+#define OBJ_name			OBJ_X509,41L
+
+#define SN_dnQualifier			"dnQualifier"
+#define LN_dnQualifier			"dnQualifier"
+#define NID_dnQualifier			174
+#define OBJ_dnQualifier			OBJ_X509,46L
+
+#define SN_id_pe			"id-pe"
+#define NID_id_pe			175
+#define OBJ_id_pe			OBJ_id_pkix,1L
+
+#define SN_id_ad			"id-ad"
+#define NID_id_ad			176
+#define OBJ_id_ad			OBJ_id_pkix,48L
+
+#define SN_info_access			"authorityInfoAccess"
+#define LN_info_access			"Authority Information Access"
+#define NID_info_access			177
+#define OBJ_info_access			OBJ_id_pe,1L
+
+#define SN_ad_OCSP			"OCSP"
+#define LN_ad_OCSP			"OCSP"
+#define NID_ad_OCSP			178
+#define OBJ_ad_OCSP			OBJ_id_ad,1L
+
+#define SN_ad_ca_issuers		"caIssuers"
+#define LN_ad_ca_issuers		"CA Issuers"
+#define NID_ad_ca_issuers		179
+#define OBJ_ad_ca_issuers		OBJ_id_ad,2L
+
+#define SN_OSCP_sign			"OCSPSigning"
+#define LN_OCSP_sign			"OCSP Signing"
+#define NID_OCSP_sign			180
+#define OBJ_OCSP_sign			OBJ_id_kp,9L
+
 #include <openssl/bio.h>
 #include <openssl/asn1.h>
 
diff --git a/lib/libcrypto/opensslconf.h.in b/lib/libcrypto/opensslconf.h.in
index e4a8f8ad549..1b85ae59899 100644
--- a/lib/libcrypto/opensslconf.h.in
+++ b/lib/libcrypto/opensslconf.h.in
@@ -1,5 +1,4 @@
-/* crypto/opensslconf.h */
-/* WARNING: This file is autogenerated by Configure */
+/* crypto/opensslconf.h.in */
 
 /* Generate 80386 code? */
 #undef I386_ONLY
@@ -25,11 +24,25 @@
 #define RC2_INT unsigned int
 #endif
 
-#if defined(HEADER_RC4_H) && !defined(RC4_INT)
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
 /* using int types make the structure larger but make the code faster
  * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
 #define RC4_INT unsigned int
 #endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
 
 #if defined(HEADER_DES_H) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
diff --git a/lib/libcrypto/opensslv.h b/lib/libcrypto/opensslv.h
index b841347f05e..55d5d06cf53 100644
--- a/lib/libcrypto/opensslv.h
+++ b/lib/libcrypto/opensslv.h
@@ -7,15 +7,15 @@
  * 0.9.3-dev	  0x00903000
  * 0.9.3beta1	  0x00903001
  * 0.9.3beta2-dev 0x00903002
- * 0.9.3beta2     0x00903002
+ * 0.9.3beta2     0x00903002 (same as ...beta2-dev)
  * 0.9.3	  0x00903100
  * 0.9.3a	  0x00903101
  * 0.9.4 	  0x00904100
  * 1.2.3z	  0x1020311a
  * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
  */
-#define OPENSSL_VERSION_NUMBER	0x00904100L
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.4 09 Aug 1999"
+#define OPENSSL_VERSION_NUMBER	0x00905100L
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.5 28 Feb 2000"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
 #endif /* HEADER_OPENSSLV_H */
diff --git a/lib/libcrypto/pem/pem.h b/lib/libcrypto/pem/pem.h
index fc333e42c8a..e4bae0b4aac 100644
--- a/lib/libcrypto/pem/pem.h
+++ b/lib/libcrypto/pem/pem.h
@@ -103,13 +103,16 @@ extern "C" {
 
 #define PEM_STRING_X509_OLD	"X509 CERTIFICATE"
 #define PEM_STRING_X509		"CERTIFICATE"
+#define PEM_STRING_X509_TRUSTED	"TRUSTED CERTIFICATE"
 #define PEM_STRING_X509_REQ_OLD	"NEW CERTIFICATE REQUEST"
 #define PEM_STRING_X509_REQ	"CERTIFICATE REQUEST"
 #define PEM_STRING_X509_CRL	"X509 CRL"
 #define PEM_STRING_EVP_PKEY	"ANY PRIVATE KEY"
+#define PEM_STRING_PUBLIC	"PUBLIC KEY"
 #define PEM_STRING_RSA		"RSA PRIVATE KEY"
 #define PEM_STRING_RSA_PUBLIC	"RSA PUBLIC KEY"
 #define PEM_STRING_DSA		"DSA PRIVATE KEY"
+#define PEM_STRING_DSA_PUBLIC	"DSA PUBLIC KEY"
 #define PEM_STRING_PKCS7	"PKCS7"
 #define PEM_STRING_PKCS8	"ENCRYPTED PRIVATE KEY"
 #define PEM_STRING_PKCS8INF	"PRIVATE KEY"
@@ -528,7 +531,10 @@ void	PEM_dek_info(char *buf, const char *type, int len, char *str);
 
 DECLARE_PEM_rw(X509, X509)
 
+DECLARE_PEM_rw(X509_AUX, X509)
+
 DECLARE_PEM_rw(X509_REQ, X509_REQ)
+DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)
 
 DECLARE_PEM_rw(X509_CRL, X509_CRL)
 
@@ -545,6 +551,7 @@ DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
 DECLARE_PEM_rw_cb(RSAPrivateKey, RSA)
 
 DECLARE_PEM_rw(RSAPublicKey, RSA)
+DECLARE_PEM_rw(RSA_PUBKEY, RSA)
 
 #endif
 
@@ -552,6 +559,8 @@ DECLARE_PEM_rw(RSAPublicKey, RSA)
 
 DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
 
+DECLARE_PEM_rw(DSA_PUBKEY, DSA)
+
 DECLARE_PEM_rw(DSAparams, DSA)
 
 #endif
@@ -564,10 +573,36 @@ DECLARE_PEM_rw(DHparams, DH)
 
 DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY)
 
+DECLARE_PEM_rw(PUBKEY, EVP_PKEY)
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
 int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
                                   char *, int, pem_password_cb *, void *);
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u);
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);
+
 int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
 			      char *kstr,int klen, pem_password_cb *cd, void *u);
+
 #endif /* SSLEAY_MACROS */
 
 
@@ -579,6 +614,8 @@ int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
 /* Error codes for the PEM functions. */
 
 /* Function codes. */
+#define PEM_F_D2I_PKCS8PRIVATEKEY_BIO			 120
+#define PEM_F_D2I_PKCS8PRIVATEKEY_FP			 121
 #define PEM_F_DEF_CALLBACK				 100
 #define PEM_F_LOAD_IV					 101
 #define PEM_F_PEM_ASN1_READ				 102
@@ -586,6 +623,7 @@ int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
 #define PEM_F_PEM_ASN1_WRITE				 104
 #define PEM_F_PEM_ASN1_WRITE_BIO			 105
 #define PEM_F_PEM_DO_HEADER				 106
+#define PEM_F_PEM_F_DO_PK8KEY_FP			 122
 #define PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY		 118
 #define PEM_F_PEM_GET_EVP_CIPHER_INFO			 107
 #define PEM_F_PEM_READ					 108
diff --git a/lib/libcrypto/pem/pem_all.c b/lib/libcrypto/pem/pem_all.c
index bc473f3cff4..dc9c35b4b48 100644
--- a/lib/libcrypto/pem/pem_all.c
+++ b/lib/libcrypto/pem/pem_all.c
@@ -65,10 +65,21 @@
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
 
+#ifndef NO_RSA
+static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
+#endif
+#ifndef NO_DSA
+static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa);
+#endif
+
 IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)
 
+IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
+
 IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)
 
+IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)
+
 IMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL)
 
 IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)
@@ -82,15 +93,92 @@ IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
 
 #ifndef NO_RSA
 
-IMPLEMENT_PEM_rw_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+/* We treat RSA or DSA private keys as a special case.
+ *
+ * For private keys we read in an EVP_PKEY structure with
+ * PEM_read_bio_PrivateKey() and extract the relevant private
+ * key: this means can handle "traditional" and PKCS#8 formats
+ * transparently.
+ */
+
+static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa)
+{
+	RSA *rtmp;
+	if(!key) return NULL;
+	rtmp = EVP_PKEY_get1_RSA(key);
+	EVP_PKEY_free(key);
+	if(!rtmp) return NULL;
+	if(rsa) {
+		RSA_free(*rsa);
+		*rsa = rtmp;
+	}
+	return rtmp;
+}
+
+RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
+	return pkey_get_rsa(pktmp, rsa);
+}
+
+#ifndef NO_FP_API
+
+RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
+	return pkey_get_rsa(pktmp, rsa);
+}
+
+#endif
 
+IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
 IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
+IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
 #endif
 
 #ifndef NO_DSA
 
-IMPLEMENT_PEM_rw_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa)
+{
+	DSA *dtmp;
+	if(!key) return NULL;
+	dtmp = EVP_PKEY_get1_DSA(key);
+	EVP_PKEY_free(key);
+	if(!dtmp) return NULL;
+	if(dsa) {
+		DSA_free(*dsa);
+		*dsa = dtmp;
+	}
+	return dtmp;
+}
+
+DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
+	return pkey_get_dsa(pktmp, dsa);
+}
+
+IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
+
+#ifndef NO_FP_API
+
+DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb,
+								void *u)
+{
+	EVP_PKEY *pktmp;
+	pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
+	return pkey_get_dsa(pktmp, dsa);
+}
+
+#endif
 
 IMPLEMENT_PEM_rw(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
 
@@ -111,3 +199,5 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
  */
 IMPLEMENT_PEM_read(PrivateKey, EVP_PKEY, PEM_STRING_EVP_PKEY, PrivateKey)
 IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
+
+IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
diff --git a/lib/libcrypto/pem/pem_err.c b/lib/libcrypto/pem/pem_err.c
index fa70f609986..642129da204 100644
--- a/lib/libcrypto/pem/pem_err.c
+++ b/lib/libcrypto/pem/pem_err.c
@@ -65,6 +65,8 @@
 #ifndef NO_ERR
 static ERR_STRING_DATA PEM_str_functs[]=
 	{
+{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0),	"d2i_PKCS8PrivateKey_bio"},
+{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_FP,0),	"d2i_PKCS8PrivateKey_fp"},
 {ERR_PACK(0,PEM_F_DEF_CALLBACK,0),	"DEF_CALLBACK"},
 {ERR_PACK(0,PEM_F_LOAD_IV,0),	"LOAD_IV"},
 {ERR_PACK(0,PEM_F_PEM_ASN1_READ,0),	"PEM_ASN1_read"},
@@ -72,6 +74,7 @@ static ERR_STRING_DATA PEM_str_functs[]=
 {ERR_PACK(0,PEM_F_PEM_ASN1_WRITE,0),	"PEM_ASN1_write"},
 {ERR_PACK(0,PEM_F_PEM_ASN1_WRITE_BIO,0),	"PEM_ASN1_write_bio"},
 {ERR_PACK(0,PEM_F_PEM_DO_HEADER,0),	"PEM_do_header"},
+{ERR_PACK(0,PEM_F_PEM_F_DO_PK8KEY_FP,0),	"PEM_F_DO_PK8KEY_FP"},
 {ERR_PACK(0,PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,0),	"PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
 {ERR_PACK(0,PEM_F_PEM_GET_EVP_CIPHER_INFO,0),	"PEM_get_EVP_CIPHER_INFO"},
 {ERR_PACK(0,PEM_F_PEM_READ,0),	"PEM_read"},
diff --git a/lib/libcrypto/pem/pem_info.c b/lib/libcrypto/pem/pem_info.c
index fec18a4c2ed..b65239a9200 100644
--- a/lib/libcrypto/pem/pem_info.c
+++ b/lib/libcrypto/pem/pem_info.c
@@ -132,6 +132,17 @@ start:
 				}
 			pp=(char **)&(xi->x509);
 			}
+		else if ((strcmp(name,PEM_STRING_X509_TRUSTED) == 0))
+			{
+			d2i=(char *(*)())d2i_X509_AUX;
+			if (xi->x509 != NULL)
+				{
+				if (!sk_X509_INFO_push(ret,xi)) goto err;
+				if ((xi=X509_INFO_new()) == NULL) goto err;
+				goto start;
+				}
+			pp=(char **)&(xi->x509);
+			}
 		else if (strcmp(name,PEM_STRING_X509_CRL) == 0)
 			{
 			d2i=(char *(*)())d2i_X509_CRL;
diff --git a/lib/libcrypto/pem/pem_lib.c b/lib/libcrypto/pem/pem_lib.c
index 90f02011bad..072211ba0fe 100644
--- a/lib/libcrypto/pem/pem_lib.c
+++ b/lib/libcrypto/pem/pem_lib.c
@@ -75,8 +75,17 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
 
 static int def_callback(char *buf, int num, int w, void *userdata);
 static int load_iv(unsigned char **fromp,unsigned char *to, int num);
-
-static int def_callback(char *buf, int num, int w, void *userdata)
+static int check_pem(const char *nm, const char *name);
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
+				int nid, const EVP_CIPHER *enc,
+				char *kstr, int klen,
+				pem_password_cb *cb, void *u);
+static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
+				int nid, const EVP_CIPHER *enc,
+				char *kstr, int klen,
+				pem_password_cb *cb, void *u);
+
+static int def_callback(char *buf, int num, int w, void *key)
 	{
 #ifdef NO_FP_API
 	/* We should not ever call the default callback routine from
@@ -86,6 +95,12 @@ static int def_callback(char *buf, int num, int w, void *userdata)
 #else
 	int i,j;
 	const char *prompt;
+	if(key) {
+		i=strlen(key);
+		i=(i > num)?num:i;
+		memcpy(buf,key,i);
+		return(i);
+	}
 
 	prompt=EVP_get_pw_prompt();
 	if (prompt == NULL)
@@ -168,6 +183,47 @@ char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x,
 	}
 #endif
 
+static int check_pem(const char *nm, const char *name)
+{
+	/* Normal matching nm and name */
+	if (!strcmp(nm,name)) return 1;
+
+	/* Make PEM_STRING_EVP_PKEY match any private key */
+
+	if(!strcmp(nm,PEM_STRING_PKCS8) &&
+		!strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_PKCS8INF) &&
+		 !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_RSA) &&
+		!strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_DSA) &&
+		 !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+	/* Permit older strings */
+
+	if(!strcmp(nm,PEM_STRING_X509_OLD) &&
+		!strcmp(name,PEM_STRING_X509)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_X509_REQ_OLD) &&
+		!strcmp(name,PEM_STRING_X509_REQ)) return 1;
+
+	/* Allow normal certs to be read as trusted certs */
+	if(!strcmp(nm,PEM_STRING_X509) &&
+		!strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
+
+	if(!strcmp(nm,PEM_STRING_X509_OLD) &&
+		!strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
+
+	/* Some CAs use PKCS#7 with CERTIFICATE headers */
+	if(!strcmp(nm, PEM_STRING_X509) &&
+		!strcmp(name, PEM_STRING_PKCS7)) return 1;
+
+	return 0;
+}
+
 char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
 	     pem_password_cb *cb, void *u)
 	{
@@ -179,22 +235,13 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
 
 	for (;;)
 		{
-		if (!PEM_read_bio(bp,&nm,&header,&data,&len)) return(NULL);
-		if (	(strcmp(nm,name) == 0) ||
-			((strcmp(nm,PEM_STRING_RSA) == 0) &&
-			 (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) ||
-			((strcmp(nm,PEM_STRING_DSA) == 0) &&
-			 (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) ||
-			((strcmp(nm,PEM_STRING_PKCS8) == 0) &&
-			 (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) ||
-			((strcmp(nm,PEM_STRING_PKCS8INF) == 0) &&
-			 (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) ||
-			((strcmp(nm,PEM_STRING_X509_OLD) == 0) &&
-			 (strcmp(name,PEM_STRING_X509) == 0)) ||
-			((strcmp(nm,PEM_STRING_X509_REQ_OLD) == 0) &&
-			 (strcmp(name,PEM_STRING_X509_REQ) == 0)) 
-			)
-			break;
+		if (!PEM_read_bio(bp,&nm,&header,&data,&len)) {
+			if(ERR_GET_REASON(ERR_peek_error()) ==
+				PEM_R_NO_START_LINE)
+				ERR_add_error_data(2, "Expecting: ", name);
+			return(NULL);
+		}
+		if(check_pem(nm, name)) break;
 		Free(nm);
 		Free(header);
 		Free(data);
@@ -218,7 +265,7 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
 			X509_SIG *p8;
 			int klen;
 			char psbuf[PEM_BUFSIZE];
-			p8 = d2i_X509_SIG((X509_SIG **)x, &p, len);
+			p8 = d2i_X509_SIG(NULL, &p, len);
 			if(!p8) goto p8err;
 			if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
 			else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
@@ -231,6 +278,10 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
 			X509_SIG_free(p8);
 			if(!p8inf) goto p8err;
 			ret = (char *)EVP_PKCS82PKEY(p8inf);
+			if(x) {
+				if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+				*x = ret;
+			}
 			PKCS8_PRIV_KEY_INFO_free(p8inf);
 		}
 	} else	ret=d2i(x,&p,len);
@@ -321,8 +372,9 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
 #endif
 			kstr=(unsigned char *)buf;
 			}
-		RAND_seed(data,i);/* put in the RSA key. */
-		RAND_bytes(iv,8);	/* Generate a salt */
+		RAND_add(data,i,0);/* put in the RSA key. */
+		if (RAND_bytes(iv,8) <= 0)	/* Generate a salt */
+			goto err;
 		/* The 'iv' is used as the iv and as a salt.  It is
 		 * NOT taken from the BytesToKey function */
 		EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
@@ -743,16 +795,44 @@ err:
 	return(0);
 	}
 
-/* This function writes a private key in PKCS#8 format: it is a "drop in"
- * replacement for PEM_write_bio_PrivateKey(). As usual if 'enc' is NULL then
- * it uses the unencrypted private key form. It uses PKCS#5 v2.0 password based
- * encryption algorithms.
+/* These functions write a private key in PKCS#8 format: it is a "drop in"
+ * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+ * is NULL then it uses the unencrypted private key form. The 'nid' versions
+ * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
  */
 
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
 int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
 				  char *kstr, int klen,
 				  pem_password_cb *cb, void *u)
 {
+	return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
 	X509_SIG *p8;
 	PKCS8_PRIV_KEY_INFO *p8inf;
 	char buf[PEM_BUFSIZE];
@@ -762,7 +842,7 @@ int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
 					PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
 		return 0;
 	}
-	if(enc) {
+	if(enc || (nid != -1)) {
 		if(!kstr) {
 			if(!cb) klen = def_callback(buf, PEM_BUFSIZE, 1, u);
 			else klen = cb(buf, PEM_BUFSIZE, 1, u);
@@ -775,29 +855,109 @@ int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
 				
 			kstr = buf;
 		}
-		p8 = PKCS8_encrypt(-1, enc, kstr, klen, NULL, 0, 0, p8inf);
+		p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
 		if(kstr == buf) memset(buf, 0, klen);
 		PKCS8_PRIV_KEY_INFO_free(p8inf);
-		ret = PEM_write_bio_PKCS8(bp, p8);
+		if(isder) ret = i2d_PKCS8_bio(bp, p8);
+		else ret = PEM_write_bio_PKCS8(bp, p8);
 		X509_SIG_free(p8);
 		return ret;
 	} else {
-		ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
+		if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+		else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
 		PKCS8_PRIV_KEY_INFO_free(p8inf);
 		return ret;
 	}
 }
 
+/* Finally the DER version to read PKCS#8 encrypted private keys. It has to be
+ * here to access the default callback.
+ */
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+	PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+	X509_SIG *p8 = NULL;
+	int klen;
+	EVP_PKEY *ret;
+	char psbuf[PEM_BUFSIZE];
+	p8 = d2i_PKCS8_bio(bp, NULL);
+	if(!p8) return NULL;
+	if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+	else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
+	if (klen <= 0) {
+		PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
+		X509_SIG_free(p8);
+		return NULL;	
+	}
+	p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
+	X509_SIG_free(p8);
+	if(!p8inf) return NULL;
+	ret = EVP_PKCS82PKEY(p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	if(!ret) return NULL;
+	if(x) {
+		if(*x) EVP_PKEY_free(*x);
+		*x = ret;
+	}
+	return ret;
+}
+
+#ifndef NO_FP_API
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
+	return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
 int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
 			      char *kstr, int klen, pem_password_cb *cb, void *u)
 {
+	return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+				  char *kstr, int klen,
+				  pem_password_cb *cb, void *u)
+{
 	BIO *bp;
 	int ret;
 	if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
-		PEMerr(PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,ERR_R_BUF_LIB);
+		PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
                 return(0);
 	}
-	ret = PEM_write_bio_PKCS8PrivateKey(bp, x, enc, kstr, klen, cb, u);
+	ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
 	BIO_free(bp);
 	return ret;
 }
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+	BIO *bp;
+	EVP_PKEY *ret;
+	if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+		PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
+                return NULL;
+	}
+	ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
+	BIO_free(bp);
+	return ret;
+}
+
+#endif
diff --git a/lib/libcrypto/pem/pem_seal.c b/lib/libcrypto/pem/pem_seal.c
index 23f95beb1e2..126e29d375d 100644
--- a/lib/libcrypto/pem/pem_seal.c
+++ b/lib/libcrypto/pem/pem_seal.c
@@ -175,4 +175,10 @@ err:
 	if (s != NULL) Free(s);
 	return(ret);
 	}
+#else /* !NO_RSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
diff --git a/lib/libcrypto/perlasm/x86ms.pl b/lib/libcrypto/perlasm/x86ms.pl
index 51dcce067fa..252a57bdb51 100644
--- a/lib/libcrypto/perlasm/x86ms.pl
+++ b/lib/libcrypto/perlasm/x86ms.pl
@@ -341,7 +341,14 @@ sub main'set_label
 		$label{$_[0]}="${label}${_[0]}";
 		$label++;
 		}
-	push(@out,"$label{$_[0]}:\n");
+	if((defined $_[1]) && ($_[1] == 1))
+		{
+		push(@out,"$label{$_[0]}::\n");
+		}
+	else
+		{
+		push(@out,"$label{$_[0]}:\n");
+		}
 	}
 
 sub main'data_word
diff --git a/lib/libcrypto/perlasm/x86unix.pl b/lib/libcrypto/perlasm/x86unix.pl
index 8c456b14aff..60d75f5ce4b 100644
--- a/lib/libcrypto/perlasm/x86unix.pl
+++ b/lib/libcrypto/perlasm/x86unix.pl
@@ -368,10 +368,10 @@ sub main'function_end_B
 
 	$func=$under.$func;
 
-	push(@out,".${func}_end:\n");
+	push(@out,".L_${func}_end:\n");
 	if ($main'cpp)
-		{ push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
-	else	{ push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
+		{ push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
+	else	{ push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
 	push(@out,".ident	\"desasm.pl\"\n");
 	$stack=0;
 	%label=();
diff --git a/lib/libcrypto/pkcs12/Makefile.ssl b/lib/libcrypto/pkcs12/Makefile.ssl
index 7b0c65fad9d..5716f608b6c 100644
--- a/lib/libcrypto/pkcs12/Makefile.ssl
+++ b/lib/libcrypto/pkcs12/Makefile.ssl
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/asn1/Makefile
+# SSLeay/crypto/pkcs12/Makefile
 #
 
 DIR=	pkcs12
@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC= p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c p12_decr.c \
 	p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c p12_mutl.c\
-	p12_sbag.c p12_utl.c pk12err.c
+	p12_sbag.c p12_utl.c p12_npas.c pk12err.c
 LIBOBJ= p12_add.o p12_attr.o p12_bags.o p12_crpt.o p12_crt.o p12_decr.o \
 	p12_init.o p12_key.o p12_kiss.o p12_lib.o p12_mac.o p12_mutl.o\
-	p12_sbag.o p12_utl.o pk12err.o
+	p12_sbag.o p12_utl.o p12_npas.o pk12err.o
 
 SRC= $(LIBSRC)
 
@@ -293,6 +293,23 @@ p12_mutl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p12_mutl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 p12_mutl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 p12_mutl.o: ../cryptlib.h
+p12_npas.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p12_npas.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+p12_npas.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+p12_npas.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+p12_npas.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p12_npas.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_npas.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+p12_npas.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_npas.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+p12_npas.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+p12_npas.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+p12_npas.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+p12_npas.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p12_npas.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_npas.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+p12_npas.o: ../../include/openssl/x509_vfy.h
 p12_sbag.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 p12_sbag.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 p12_sbag.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
diff --git a/lib/libcrypto/pkcs12/p12_add.c b/lib/libcrypto/pkcs12/p12_add.c
index ae3d9de3b4a..d045cbba8d9 100644
--- a/lib/libcrypto/pkcs12/p12_add.c
+++ b/lib/libcrypto/pkcs12/p12_add.c
@@ -133,7 +133,7 @@ PKCS7 *PKCS12_pack_p7data (STACK *sk)
 		return NULL;
 	}
 	p7->type = OBJ_nid2obj(NID_pkcs7_data);
-	if (!(p7->d.data = ASN1_OCTET_STRING_new())) {
+	if (!(p7->d.data = M_ASN1_OCTET_STRING_new())) {
 		PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
@@ -157,20 +157,18 @@ PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
 		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
-	p7->type = OBJ_nid2obj(NID_pkcs7_encrypted);
-	if (!(p7->d.encrypted = PKCS7_ENCRYPT_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+	if(!PKCS7_set_type(p7, NID_pkcs7_encrypted)) {
+		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
+				PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
 		return NULL;
 	}
-	ASN1_INTEGER_set (p7->d.encrypted->version, 0);
-	p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
 	if (!(pbe = PKCS5_pbe_set (pbe_nid, iter, salt, saltlen))) {
 		PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
 	p7->d.encrypted->enc_data->algorithm = pbe;
-	ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
+	M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
 	if (!(p7->d.encrypted->enc_data->enc_data =
 	PKCS12_i2d_encrypt (pbe, i2d_PKCS12_SAFEBAG, pass, passlen,
 				 (char *)bags, 1))) {
@@ -191,24 +189,28 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
 
 	if (!(p8 = X509_SIG_new())) {
 		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 
 	if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
 	else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
 	if(!pbe) {
-		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
-		return NULL;
+		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
+		goto err;
 	}
 	X509_ALGOR_free(p8->algor);
 	p8->algor = pbe;
-	ASN1_OCTET_STRING_free(p8->digest);
+	M_ASN1_OCTET_STRING_free(p8->digest);
 	if (!(p8->digest = 
 	PKCS12_i2d_encrypt (pbe, i2d_PKCS8_PRIV_KEY_INFO, pass, passlen,
 						 (char *)p8inf, 0))) {
 		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
-		return NULL;
+		goto err;
 	}
 
 	return p8;
+
+	err:
+	X509_SIG_free(p8);
+	return NULL;
 }
diff --git a/lib/libcrypto/pkcs12/p12_attr.c b/lib/libcrypto/pkcs12/p12_attr.c
index 31c9782b775..f559351d183 100644
--- a/lib/libcrypto/pkcs12/p12_attr.c
+++ b/lib/libcrypto/pkcs12/p12_attr.c
@@ -73,11 +73,11 @@ int PKCS12_add_localkeyid (PKCS12_SAFEBAG *bag, unsigned char *name,
 		return 0;
 	}
 	keyid->type = V_ASN1_OCTET_STRING;
-	if (!(oct = ASN1_OCTET_STRING_new())) {
+	if (!(oct = M_ASN1_OCTET_STRING_new())) {
 		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
-	if (!ASN1_OCTET_STRING_set(oct, name, namelen)) {
+	if (!M_ASN1_OCTET_STRING_set(oct, name, namelen)) {
 		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
@@ -115,11 +115,11 @@ int PKCS8_add_keyusage (PKCS8_PRIV_KEY_INFO *p8, int usage)
 		return 0;
 	}
 	keyid->type = V_ASN1_BIT_STRING;
-	if (!(bstr = ASN1_BIT_STRING_new())) {
+	if (!(bstr = M_ASN1_BIT_STRING_new())) {
 		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
-	if (!ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
+	if (!M_ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
 		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
@@ -176,7 +176,7 @@ int PKCS12_add_friendlyname_uni (PKCS12_SAFEBAG *bag,
 		return 0;
 	}
 	fname->type = V_ASN1_BMPSTRING;
-	if (!(bmp = ASN1_BMPSTRING_new())) {
+	if (!(bmp = M_ASN1_BMPSTRING_new())) {
 		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
 							ERR_R_MALLOC_FAILURE);
 		return 0;
diff --git a/lib/libcrypto/pkcs12/p12_bags.c b/lib/libcrypto/pkcs12/p12_bags.c
index d6eab92c833..c358b067355 100644
--- a/lib/libcrypto/pkcs12/p12_bags.c
+++ b/lib/libcrypto/pkcs12/p12_bags.c
@@ -171,15 +171,15 @@ void PKCS12_BAGS_free (PKCS12_BAGS *a)
 	switch (OBJ_obj2nid(a->type)) {
 
 		case NID_x509Certificate:
-			ASN1_OCTET_STRING_free (a->value.x509cert);
+			M_ASN1_OCTET_STRING_free (a->value.x509cert);
 		break;
 
 		case NID_x509Crl:
-			ASN1_OCTET_STRING_free (a->value.x509crl);
+			M_ASN1_OCTET_STRING_free (a->value.x509crl);
 		break;
 
 		case NID_sdsiCertificate:
-			ASN1_IA5STRING_free (a->value.sdsicert);
+			M_ASN1_IA5STRING_free (a->value.sdsicert);
 		break;
 
 		default:
@@ -188,5 +188,5 @@ void PKCS12_BAGS_free (PKCS12_BAGS *a)
 	}
 
 	ASN1_OBJECT_free (a->type);
-	Free ((char *)a);
+	Free (a);
 }
diff --git a/lib/libcrypto/pkcs12/p12_crpt.c b/lib/libcrypto/pkcs12/p12_crpt.c
index 6de6f8128f2..7b96584f07d 100644
--- a/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/lib/libcrypto/pkcs12/p12_crpt.c
@@ -70,10 +70,12 @@ EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
 EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
 							 PKCS12_PBE_keyivgen);
 #endif
+#ifndef NO_DES
 EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
 		 	EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
 EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 
 			EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+#endif
 #ifndef NO_RC2
 EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
 					EVP_sha1(), PKCS12_PBE_keyivgen);
diff --git a/lib/libcrypto/pkcs12/p12_decr.c b/lib/libcrypto/pkcs12/p12_decr.c
index d3d288e1874..4be44eac506 100644
--- a/lib/libcrypto/pkcs12/p12_decr.c
+++ b/lib/libcrypto/pkcs12/p12_decr.c
@@ -155,7 +155,7 @@ ASN1_OCTET_STRING *PKCS12_i2d_encrypt (X509_ALGOR *algor, int (*i2d)(),
 	ASN1_OCTET_STRING *oct;
 	unsigned char *in, *p;
 	int inlen;
-	if (!(oct = ASN1_OCTET_STRING_new ())) {
+	if (!(oct = M_ASN1_OCTET_STRING_new ())) {
 		PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
diff --git a/lib/libcrypto/pkcs12/p12_init.c b/lib/libcrypto/pkcs12/p12_init.c
index dc6ab41db88..d5d4884c820 100644
--- a/lib/libcrypto/pkcs12/p12_init.c
+++ b/lib/libcrypto/pkcs12/p12_init.c
@@ -69,11 +69,11 @@ PKCS12 *PKCS12_init (int mode)
 		PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
-	if (!(pkcs12->version = ASN1_INTEGER_new ())) {
+	if (!(pkcs12->version = M_ASN1_INTEGER_new ())) {
 		PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
-	ASN1_INTEGER_set (pkcs12->version, 3);
+	ASN1_INTEGER_set(pkcs12->version, 3);
 	if (!(pkcs12->authsafes = PKCS7_new())) {
 		PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
 		return NULL;
@@ -82,7 +82,7 @@ PKCS12 *PKCS12_init (int mode)
 	switch (mode) {
 		case NID_pkcs7_data:
 			if (!(pkcs12->authsafes->d.data =
-				 ASN1_OCTET_STRING_new())) {
+				 M_ASN1_OCTET_STRING_new())) {
 			PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
 			return NULL;
 		}
diff --git a/lib/libcrypto/pkcs12/p12_key.c b/lib/libcrypto/pkcs12/p12_key.c
index 25d8cdae575..02fdd20e2fc 100644
--- a/lib/libcrypto/pkcs12/p12_key.c
+++ b/lib/libcrypto/pkcs12/p12_key.c
@@ -64,7 +64,7 @@
 /* Uncomment out this line to get debugging info about key generation */
 /*#define DEBUG_KEYGEN*/
 #ifdef DEBUG_KEYGEN
-#include <bio.h>
+#include <openssl/bio.h>
 extern BIO *bio_err;
 void h__dump (unsigned char *p, int len);
 #endif
@@ -104,13 +104,12 @@ int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt,
 #ifdef  DEBUG_KEYGEN
 	unsigned char *tmpout = out;
 	int tmpn = n;
-	BIO_printf (bio_err, "KEYGEN DEBUG\n");
-	BIO_printf (bio_err, "ID %d, ITER %d\n", id, iter);
-	BIO_printf (bio_err, "Password (length %d):\n", passlen);
-	h__dump (pass, passlen);
-	BIO_printf (bio_err, "Salt (length %d):\n", saltlen);
-	h__dump (salt, saltlen);
-	BIO_printf (bio_err, "ID %d, ITER %d\n\n", id, iter);
+	fprintf(stderr, "KEYGEN DEBUG\n");
+	fprintf(stderr, "ID %d, ITER %d\n", id, iter);
+	fprintf(stderr, "Password (length %d):\n", passlen);
+	h__dump(pass, passlen);
+	fprintf(stderr, "Salt (length %d):\n", saltlen);
+	h__dump(salt, saltlen);
 #endif
 	v = EVP_MD_block_size (md_type);
 	u = EVP_MD_size (md_type);
@@ -150,8 +149,8 @@ int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt,
 			BN_free (Ij);
 			BN_free (Bpl1);
 #ifdef DEBUG_KEYGEN
-			BIO_printf (bio_err, "Output KEY (length %d)\n", tmpn);
-			h__dump (tmpout, tmpn);
+			fprintf(stderr, "Output KEY (length %d)\n", tmpn);
+			h__dump(tmpout, tmpn);
 #endif
 			return 1;	
 		}
@@ -176,7 +175,7 @@ int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt,
 #ifdef DEBUG_KEYGEN
 void h__dump (unsigned char *p, int len)
 {
-	for (; len --; p++) BIO_printf (bio_err, "%02X", *p);
-	BIO_printf (bio_err, "\n");	
+	for (; len --; p++) fprintf(stderr, "%02X", *p);
+	fprintf(stderr, "\n");	
 }
 #endif
diff --git a/lib/libcrypto/pkcs12/p12_kiss.c b/lib/libcrypto/pkcs12/p12_kiss.c
index 767e1303da9..08a60556e09 100644
--- a/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/lib/libcrypto/pkcs12/p12_kiss.c
@@ -139,16 +139,16 @@ static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
 			sk_pop_free (asafes, PKCS7_free);
 			return 0;
 		}
-	    	if (!parse_bags (bags, pass, passlen, pkey, cert, ca,
+	    	if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
 							 &keyid, &keymatch)) {
-			sk_pop_free (bags, PKCS12_SAFEBAG_free);
-			sk_pop_free (asafes, PKCS7_free);
+			sk_pop_free(bags, PKCS12_SAFEBAG_free);
+			sk_pop_free(asafes, PKCS7_free);
 			return 0;
 		}
-		sk_pop_free (bags, PKCS12_SAFEBAG_free);
+		sk_pop_free(bags, PKCS12_SAFEBAG_free);
 	}
-	sk_pop_free (asafes, PKCS7_free);
-	if (keyid) ASN1_OCTET_STRING_free (keyid);
+	sk_pop_free(asafes, PKCS7_free);
+	if (keyid) M_ASN1_OCTET_STRING_free(keyid);
 	return 1;
 }
 
@@ -158,8 +158,8 @@ static int parse_bags (STACK *bags, const char *pass, int passlen,
 		       ASN1_OCTET_STRING **keyid, char *keymatch)
 {
 	int i;
-	for (i = 0; i < sk_num (bags); i++) {
-		if (!parse_bag ((PKCS12_SAFEBAG *)sk_value (bags, i),
+	for (i = 0; i < sk_num(bags); i++) {
+		if (!parse_bag((PKCS12_SAFEBAG *)sk_value (bags, i),
 			 pass, passlen, pkey, cert, ca, keyid,
 							 keymatch)) return 0;
 	}
@@ -170,7 +170,7 @@ static int parse_bags (STACK *bags, const char *pass, int passlen,
 #define MATCH_CERT 0x2
 #define MATCH_ALL  0x3
 
-static int parse_bag (PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 		      EVP_PKEY **pkey, X509 **cert, STACK **ca,
 		      ASN1_OCTET_STRING **keyid,
 	     char *keymatch)
@@ -187,9 +187,9 @@ static int parse_bag (PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 	/* Check for any local key id matching (if needed) */
 	if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
 		if (*keyid) {
-			if (ASN1_OCTET_STRING_cmp (*keyid, lkey)) lkey = NULL;
+			if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey = NULL;
 		} else {
-			if (!(*keyid = ASN1_OCTET_STRING_dup (lkey))) {
+			if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
 				PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
 				return 0;
 		    }
@@ -200,16 +200,16 @@ static int parse_bag (PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 	{
 	case NID_keyBag:
 		if (!lkey || !pkey) return 1;	
-		if (!(*pkey = EVP_PKCS82PKEY (bag->value.keybag))) return 0;
+		if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag))) return 0;
 		*keymatch |= MATCH_KEY;
 	break;
 
 	case NID_pkcs8ShroudedKeyBag:
 		if (!lkey || !pkey) return 1;	
-		if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
+		if (!(p8 = M_PKCS12_decrypt_skey(bag, pass, passlen)))
 				return 0;
-		*pkey = EVP_PKCS82PKEY (p8);
-		PKCS8_PRIV_KEY_INFO_free (p8);
+		*pkey = EVP_PKCS82PKEY(p8);
+		PKCS8_PRIV_KEY_INFO_free(p8);
 		if (!(*pkey)) return 0;
 		*keymatch |= MATCH_KEY;
 	break;
diff --git a/lib/libcrypto/pkcs12/p12_lib.c b/lib/libcrypto/pkcs12/p12_lib.c
index 00a6695d9b7..7ca9c14908a 100644
--- a/lib/libcrypto/pkcs12/p12_lib.c
+++ b/lib/libcrypto/pkcs12/p12_lib.c
@@ -104,8 +104,8 @@ PKCS12 *PKCS12_new(void)
 void PKCS12_free (PKCS12 *a)
 {
 	if (a == NULL) return;
-	ASN1_INTEGER_free (a->version);
+	M_ASN1_INTEGER_free(a->version);
 	PKCS12_MAC_DATA_free (a->mac);
 	PKCS7_free (a->authsafes);
-	Free ((char *)a);
+	Free (a);
 }
diff --git a/lib/libcrypto/pkcs12/p12_mac.c b/lib/libcrypto/pkcs12/p12_mac.c
index f163d4cfaa8..f5ab0d6464a 100644
--- a/lib/libcrypto/pkcs12/p12_mac.c
+++ b/lib/libcrypto/pkcs12/p12_mac.c
@@ -82,9 +82,9 @@ PKCS12_MAC_DATA *PKCS12_MAC_DATA_new(void)
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, PKCS12_MAC_DATA);
 	ret->dinfo = X509_SIG_new();
-	ret->salt = ASN1_OCTET_STRING_new();
+	ret->salt = M_ASN1_OCTET_STRING_new();
 	ret->iter = NULL;
-	return (ret);
+	return(ret);
 	M_ASN1_New_Error(ASN1_F_PKCS12_MAC_DATA_NEW);
 }
 
@@ -94,9 +94,9 @@ PKCS12_MAC_DATA *d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, unsigned char **pp,
 	M_ASN1_D2I_vars(a,PKCS12_MAC_DATA *,PKCS12_MAC_DATA_new);
 	M_ASN1_D2I_Init();
 	M_ASN1_D2I_start_sequence();
-	M_ASN1_D2I_get (ret->dinfo, d2i_X509_SIG);
-	M_ASN1_D2I_get (ret->salt, d2i_ASN1_OCTET_STRING);
-	M_ASN1_D2I_get_opt (ret->iter, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+	M_ASN1_D2I_get(ret->dinfo, d2i_X509_SIG);
+	M_ASN1_D2I_get(ret->salt, d2i_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_opt(ret->iter, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
 	M_ASN1_D2I_Finish(a, PKCS12_MAC_DATA_free, ASN1_F_D2I_PKCS12_MAC_DATA);
 }
 
@@ -104,7 +104,7 @@ void PKCS12_MAC_DATA_free (PKCS12_MAC_DATA *a)
 {
 	if (a == NULL) return;
 	X509_SIG_free (a->dinfo);
-	ASN1_OCTET_STRING_free (a->salt);
-	ASN1_INTEGER_free (a->iter);
-	Free ((char *)a);
+	M_ASN1_OCTET_STRING_free(a->salt);
+	M_ASN1_INTEGER_free(a->iter);
+	Free (a);
 }
diff --git a/lib/libcrypto/pkcs12/p12_mutl.c b/lib/libcrypto/pkcs12/p12_mutl.c
index bac558d6b9a..f1094b3840e 100644
--- a/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/lib/libcrypto/pkcs12/p12_mutl.c
@@ -131,7 +131,7 @@ int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
 		PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_GENERATION_ERROR);
 		return 0;
 	}
-	if (!(ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
+	if (!(M_ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
 		PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_STRING_SET_ERROR);
 						return 0;
 	}
@@ -142,13 +142,13 @@ int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
 int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 	     EVP_MD *md_type)
 {
-	if (!(p12->mac = PKCS12_MAC_DATA_new ())) return PKCS12_ERROR;
+	if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR;
 	if (iter > 1) {
-		if(!(p12->mac->iter = ASN1_INTEGER_new())) {
+		if(!(p12->mac->iter = M_ASN1_INTEGER_new())) {
 			PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
 			return 0;
 		}
-		ASN1_INTEGER_set (p12->mac->iter, iter);
+		ASN1_INTEGER_set(p12->mac->iter, iter);
 	}
 	if (!saltlen) saltlen = PKCS12_SALT_LEN;
 	p12->mac->salt->length = saltlen;
@@ -156,7 +156,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 		PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
-	if (!salt) RAND_bytes (p12->mac->salt->data, saltlen);
+	if (!salt) {
+		if (RAND_bytes (p12->mac->salt->data, saltlen) <= 0)
+			return 0;
+	}
 	else memcpy (p12->mac->salt->data, salt, saltlen);
 	p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
 	if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
diff --git a/lib/libcrypto/pkcs12/pk12err.c b/lib/libcrypto/pkcs12/pk12err.c
index 38d7be7675a..9d8de10e1e6 100644
--- a/lib/libcrypto/pkcs12/pk12err.c
+++ b/lib/libcrypto/pkcs12/pk12err.c
@@ -79,6 +79,7 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 {ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),	"PKCS12_key_gen_uni"},
 {ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),	"PKCS12_MAKE_KEYBAG"},
 {ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),	"PKCS12_MAKE_SHKEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0),	"PKCS12_newpass"},
 {ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),	"PKCS12_pack_p7data"},
 {ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),	"PKCS12_pack_p7encdata"},
 {ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),	"PKCS12_pack_safebag"},
@@ -99,6 +100,7 @@ static ERR_STRING_DATA PKCS12_str_reasons[]=
 {PKCS12_R_DECODE_ERROR                   ,"decode error"},
 {PKCS12_R_ENCODE_ERROR                   ,"encode error"},
 {PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
+{PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE,"error setting encrypted data type"},
 {PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
 {PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
 {PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
diff --git a/lib/libcrypto/pkcs12/pkcs12.h b/lib/libcrypto/pkcs12/pkcs12.h
index 4cfba5e6c61..254000fa121 100644
--- a/lib/libcrypto/pkcs12/pkcs12.h
+++ b/lib/libcrypto/pkcs12/pkcs12.h
@@ -273,6 +273,7 @@ int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
 PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
 PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -296,6 +297,7 @@ PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
 #define PKCS12_F_PKCS12_KEY_GEN_UNI			 111
 #define PKCS12_F_PKCS12_MAKE_KEYBAG			 112
 #define PKCS12_F_PKCS12_MAKE_SHKEYBAG			 113
+#define PKCS12_F_PKCS12_NEWPASS				 128
 #define PKCS12_F_PKCS12_PACK_P7DATA			 114
 #define PKCS12_F_PKCS12_PACK_P7ENCDATA			 115
 #define PKCS12_F_PKCS12_PACK_SAFEBAG			 117
@@ -313,6 +315,7 @@ PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
 #define PKCS12_R_DECODE_ERROR				 101
 #define PKCS12_R_ENCODE_ERROR				 102
 #define PKCS12_R_ENCRYPT_ERROR				 103
+#define PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE	 120
 #define PKCS12_R_INVALID_NULL_ARGUMENT			 104
 #define PKCS12_R_INVALID_NULL_PKCS12_POINTER		 105
 #define PKCS12_R_IV_GEN_ERROR				 106
diff --git a/lib/libcrypto/pkcs7/Makefile.ssl b/lib/libcrypto/pkcs7/Makefile.ssl
index 6c4644b2f2f..0e508386e8d 100644
--- a/lib/libcrypto/pkcs7/Makefile.ssl
+++ b/lib/libcrypto/pkcs7/Makefile.ssl
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/asn1/Makefile
+# SSLeay/crypto/pkcs7/Makefile
 #
 
 DIR=	pkcs7
@@ -15,6 +15,9 @@ MAKEDEPEND=	$(TOP)/util/domd $(TOP)
 MAKEFILE=	Makefile.ssl
 AR=		ar r
 
+PEX_LIBS=
+EX_LIBS=
+ 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile README
@@ -22,8 +25,8 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=	pk7_lib.c pkcs7err.c pk7_doit.c
-LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o
+LIBSRC=	pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c pk7_mime.c
+LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o pk7_mime.o
 
 SRC= $(LIBSRC)
 
@@ -42,16 +45,16 @@ all:	lib
 testapps: enc dec sign verify
 
 enc: enc.o lib
-	$(CC) $(CFLAGS) -o enc enc.o $(LIB)
+	$(CC) $(CFLAGS) -o enc enc.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
 
 dec: dec.o lib
-	$(CC) $(CFLAGS) -o dec dec.o $(LIB)
+	$(CC) $(CFLAGS) -o dec dec.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
 
 sign: sign.o lib
-	$(CC) $(CFLAGS) -o sign sign.o $(LIB)
+	$(CC) $(CFLAGS) -o sign sign.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
 
 verify: verify.o example.o lib
-	$(CC) $(CFLAGS) -o verify verify.o example.o $(LIB)
+	$(CC) $(CFLAGS) -o verify verify.o $(PEX_LIBS) example.o $(LIB) $(EX_LIBS)
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
@@ -90,18 +93,35 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
+pk7_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_attr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pk7_attr.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_attr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk7_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_attr.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
+pk7_attr.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pk7_attr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_attr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_doit.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pk7_doit.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_doit.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pk7_doit.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_doit.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_doit.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pk7_doit.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_doit.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+pk7_doit.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_doit.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 pk7_doit.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
@@ -110,7 +130,8 @@ pk7_doit.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 pk7_doit.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 pk7_doit.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 pk7_doit.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-pk7_doit.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk7_doit.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pk7_doit.o: ../cryptlib.h
 pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -128,6 +149,42 @@ pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 pk7_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 pk7_lib.o: ../cryptlib.h
+pk7_mime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_mime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_mime.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_mime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_mime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_mime.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_mime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_mime.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_mime.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pk7_mime.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk7_mime.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk7_mime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_mime.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk7_mime.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk7_smime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_smime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_smime.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pk7_smime.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pk7_smime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+pk7_smime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_smime.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+pk7_smime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_smime.o: ../../include/openssl/objects.h
+pk7_smime.o: ../../include/openssl/opensslconf.h
+pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_smime.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_smime.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_smime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_smime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_smime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_smime.o: ../../include/openssl/x509v3.h ../cryptlib.h
 pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 pkcs7err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 pkcs7err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
diff --git a/lib/libcrypto/pkcs7/bio_ber.c b/lib/libcrypto/pkcs7/bio_ber.c
index 2f17723e984..4803966fd2b 100644
--- a/lib/libcrypto/pkcs7/bio_ber.c
+++ b/lib/libcrypto/pkcs7/bio_ber.c
@@ -69,6 +69,7 @@ static int ber_read(BIO *h,char *buf,int size);
 static long ber_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int ber_new(BIO *h);
 static int ber_free(BIO *data);
+static long ber_callback_ctrl(BIO *h,int cmd,void *(*fp)());
 #define BER_BUF_SIZE	(32)
 
 /* This is used to hold the state of the BER objects being read. */
@@ -92,7 +93,7 @@ typedef struct bio_ber_struct
 	/* most of the following are used when doing non-blocking IO */
 	/* reading */
 	long num_left;	/* number of bytes still to read/write in block */
-	int depth;	/* used with idefinite encoding. */
+	int depth;	/* used with indefinite encoding. */
 	int finished;	/* No more read data */
 
 	/* writting */ 
@@ -115,6 +116,7 @@ static BIO_METHOD methods_ber=
 	ber_ctrl,
 	ber_new,
 	ber_free,
+	ber_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_ber(void)
@@ -409,6 +411,20 @@ again:
 	return(ret);
 	}
 
+static long ber_callback_ctrl(BIO *b, int cmd, void *(*fp)())
+	{
+	long ret=1;
+
+	if (b->next_bio == NULL) return(0);
+	switch (cmd)
+		{
+	default:
+		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 /*
 void BIO_set_cipher_ctx(b,c)
 BIO *b;
diff --git a/lib/libcrypto/pkcs7/dec.c b/lib/libcrypto/pkcs7/dec.c
index b3661f28d36..6752ec568a9 100644
--- a/lib/libcrypto/pkcs7/dec.c
+++ b/lib/libcrypto/pkcs7/dec.c
@@ -57,6 +57,7 @@
  */
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
@@ -85,7 +86,7 @@ char *argv[];
 	int i,printit=0;
 	STACK_OF(PKCS7_SIGNER_INFO) *sk;
 
-	SSLeay_add_all_algorithms();
+	OpenSSL_add_all_algorithms();
 	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
 	data=BIO_new(BIO_s_file());
@@ -121,9 +122,10 @@ char *argv[];
 	}
 
         if ((in=BIO_new_file(keyfile,"r")) == NULL) goto err;
-        if ((x509=PEM_read_bio_X509(in,NULL,NULL)) == NULL) goto err;
+        if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
         BIO_reset(in);
-        if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL)) == NULL) goto err;
+        if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL)
+		goto err;
         BIO_free(in);
 
 	if (pp == NULL)
@@ -131,7 +133,7 @@ char *argv[];
 
 
 	/* Load the PKCS7 object from a file */
-	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL)) == NULL) goto err;
+	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
 
 
 
@@ -148,7 +150,7 @@ char *argv[];
 	/* We need to process the data */
 	/* We cannot support detached encryption */
 	p7bio=PKCS7_dataDecode(p7,pkey,detached,x509);
-	
+
 	if (p7bio == NULL)
 		{
 		printf("problems decoding\n");
diff --git a/lib/libcrypto/pkcs7/enc.c b/lib/libcrypto/pkcs7/enc.c
index 43bfd10a238..2b56c2eff33 100644
--- a/lib/libcrypto/pkcs7/enc.c
+++ b/lib/libcrypto/pkcs7/enc.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
@@ -76,7 +77,7 @@ char *argv[];
 	const EVP_CIPHER *cipher=NULL;
 	STACK_OF(X509) *recips=NULL;
 
-	SSLeay_add_all_algorithms();
+	OpenSSL_add_all_algorithms();
 
 	data=BIO_new(BIO_s_file());
 	while(argc > 1)
@@ -98,7 +99,8 @@ char *argv[];
 			argc-=2;
 			argv+=2;
 			if (!(in=BIO_new_file(keyfile,"r"))) goto err;
-			if (!(x509=PEM_read_bio_X509(in,NULL,NULL))) goto err;
+			if (!(x509=PEM_read_bio_X509(in,NULL,NULL,NULL)))
+				goto err;
 			if(!recips) recips = sk_X509_new_null();
 			sk_X509_push(recips, x509);
 			BIO_free(in);
@@ -125,7 +127,14 @@ char *argv[];
 #else
 	PKCS7_set_type(p7,NID_pkcs7_enveloped);
 #endif
-	if(!cipher) cipher = EVP_des_ede3_cbc();
+	if(!cipher)	{
+#ifndef NO_DES
+		cipher = EVP_des_ede3_cbc();
+#else
+		fprintf(stderr, "No cipher selected\n");
+		goto err;
+#endif
+	}
 
 	if (!PKCS7_set_cipher(p7,cipher)) goto err;
 	for(i = 0; i < sk_X509_num(recips); i++) {
diff --git a/lib/libcrypto/pkcs7/example.c b/lib/libcrypto/pkcs7/example.c
index 73548900841..f6656be28e1 100644
--- a/lib/libcrypto/pkcs7/example.c
+++ b/lib/libcrypto/pkcs7/example.c
@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <openssl/pkcs7.h>
 #include <openssl/asn1_mac.h>
 
@@ -36,7 +37,7 @@ void add_signed_string(PKCS7_SIGNER_INFO *si, char *str)
 		signed_string_nid=
 			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
 	os=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os,str,strlen(str));
+	ASN1_OCTET_STRING_set(os,(unsigned char*)str,strlen(str));
 	/* When we add, we do not free */
 	PKCS7_add_signed_attribute(si,signed_string_nid,
 		V_ASN1_OCTET_STRING,(char *)os);
@@ -68,7 +69,7 @@ int get_signed_string(PKCS7_SIGNER_INFO *si, char *buf, int len)
 	return(0);
 	}
 
-static signed_seq2string_nid= -1;
+static int signed_seq2string_nid= -1;
 /* ########################################### */
 int add_signed_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
 	{
@@ -86,8 +87,8 @@ int add_signed_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
 
 	os1=ASN1_OCTET_STRING_new();
 	os2=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os1,str1,strlen(str1));
-	ASN1_OCTET_STRING_set(os2,str1,strlen(str1));
+	ASN1_OCTET_STRING_set(os1,(unsigned char*)str1,strlen(str1));
+	ASN1_OCTET_STRING_set(os2,(unsigned char*)str1,strlen(str1));
 	i =i2d_ASN1_OCTET_STRING(os1,NULL);
 	i+=i2d_ASN1_OCTET_STRING(os2,NULL);
 	total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
@@ -197,7 +198,7 @@ X509_ATTRIBUTE *create_string(char *str)
 		signed_string_nid=
 			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
 	os=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os,str,strlen(str));
+	ASN1_OCTET_STRING_set(os,(unsigned char*)str,strlen(str));
 	/* When we add, we do not free */
 	ret=X509_ATTRIBUTE_create(signed_string_nid,
 		V_ASN1_OCTET_STRING,(char *)os);
@@ -250,8 +251,8 @@ X509_ATTRIBUTE *add_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
 
 	os1=ASN1_OCTET_STRING_new();
 	os2=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os1,str1,strlen(str1));
-	ASN1_OCTET_STRING_set(os2,str1,strlen(str1));
+	ASN1_OCTET_STRING_set(os1,(unsigned char*)str1,strlen(str1));
+	ASN1_OCTET_STRING_set(os2,(unsigned char*)str1,strlen(str1));
 	i =i2d_ASN1_OCTET_STRING(os1,NULL);
 	i+=i2d_ASN1_OCTET_STRING(os2,NULL);
 	total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c
index dee81b547ad..80ac5e34b4c 100644
--- a/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/lib/libcrypto/pkcs7/pk7_doit.c
@@ -61,6 +61,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
 			 void *value);
@@ -160,9 +161,10 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 		BIO_get_cipher_ctx(btmp, &ctx);
 		keylen=EVP_CIPHER_key_length(evp_cipher);
 		ivlen=EVP_CIPHER_iv_length(evp_cipher);
-		RAND_bytes(key,keylen);
+		if (RAND_bytes(key,keylen) <= 0)
+			goto err;
 		xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
-		if (ivlen > 0) RAND_bytes(iv,ivlen);
+		if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
 		EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
 
 		if (ivlen > 0) {
@@ -204,7 +206,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 				Free(tmp);
 				goto err;
 				}
-			ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+			M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
 			}
 		Free(tmp);
 		memset(key, 0, keylen);
@@ -216,30 +218,23 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 		btmp=NULL;
 		}
 
-	if (bio == NULL) /* ??????????? */
-		{
+	if (bio == NULL) {
 		if (p7->detached)
 			bio=BIO_new(BIO_s_null());
-		else
-			{
-			bio=BIO_new(BIO_s_mem());
-			/* We need to set this so that when we have read all
-			 * the data, the encrypt BIO, if present, will read
-			 * EOF and encode the last few bytes */
-			BIO_set_mem_eof_return(bio,0);
-
+		else {
 			if (PKCS7_type_is_signed(p7) &&
-				PKCS7_type_is_data(p7->d.sign->contents))
-				{
+				PKCS7_type_is_data(p7->d.sign->contents)) {
 				ASN1_OCTET_STRING *os;
-
 				os=p7->d.sign->contents->d.data;
-				if (os->length > 0)
-					BIO_write(bio,(char *)os->data,
-						os->length);
-				}
+				if (os->length > 0) bio = 
+					BIO_new_mem_buf(os->data, os->length);
+			} 
+			if(bio == NULL) {
+				bio=BIO_new(BIO_s_mem());
+				BIO_set_mem_eof_return(bio,0);
 			}
 		}
+	}
 	BIO_push(out,bio);
 	bio=NULL;
 	if (0)
@@ -259,7 +254,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 	{
 	int i,j;
 	BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL;
-	char *tmp=NULL;
+	unsigned char *tmp=NULL;
 	X509_ALGOR *xa;
 	ASN1_OCTET_STRING *data_body=NULL;
 	const EVP_MD *evp_md;
@@ -270,6 +265,9 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
 	X509_ALGOR *xalg=NULL;
 	PKCS7_RECIP_INFO *ri=NULL;
+#ifndef NO_RC2
+	char is_rc2 = 0;
+#endif
 /*	EVP_PKEY *pkey; */
 #if 0
 	X509_STORE_CTX s_ctx;
@@ -314,6 +312,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 	        goto err;
 		}
 
+	if(EVP_CIPHER_nid(evp_cipher) == NID_rc2_cbc)
+		{
+#ifndef NO_RC2		
+		is_rc2 = 1; 
+#else
+		PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+		goto err;
+#endif
+		}
+
 	/* We will be checking the signature */
 	if (md_sk != NULL)
 		{
@@ -372,7 +380,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
 			if(!X509_NAME_cmp(ri->issuer_and_serial->issuer,
 					pcert->cert_info->issuer) &&
-			     !ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
+			     !M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
 					ri->issuer_and_serial->serial)) break;
 			ri=NULL;
 		}
@@ -383,17 +391,15 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		}
 
 		jj=EVP_PKEY_size(pkey);
-		tmp=Malloc(jj+10);
+		tmp=(unsigned char *)Malloc(jj+10);
 		if (tmp == NULL)
 			{
 			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 
-		jj=EVP_PKEY_decrypt((unsigned char *)tmp,
-			ASN1_STRING_data(ri->enc_key),
-			ASN1_STRING_length(ri->enc_key),
-			pkey);
+		jj=EVP_PKEY_decrypt(tmp, M_ASN1_STRING_data(ri->enc_key),
+			M_ASN1_STRING_length(ri->enc_key), pkey);
 		if (jj <= 0)
 			{
 			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_EVP_LIB);
@@ -406,13 +412,25 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
 			return(NULL);
 
-		if (jj != EVP_CIPHER_CTX_key_length(evp_ctx))
-			{
-			PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+		if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) {
+			/* HACK: some S/MIME clients don't use the same key
+			 * and effective key length. The key length is
+			 * determined by the size of the decrypted RSA key.
+			 * So we hack things to manually set the RC2 key
+			 * because we currently can't do this with the EVP
+			 * interface.
+			 */
+#ifndef NO_RC2		
+			if(is_rc2) RC2_set_key(&(evp_ctx->c.rc2_ks),jj, tmp,
+					EVP_CIPHER_CTX_key_length(evp_ctx)*8);
+			else
+#endif
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,
 					PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
-			goto err;
-			}
-		EVP_CipherInit(evp_ctx,NULL,(unsigned char *)tmp,NULL,0);
+				goto err;
+				}
+		} else EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);
 
 		memset(tmp,0,jj);
 
@@ -430,6 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		}
 	else 
 		{
+#if 0
 		bio=BIO_new(BIO_s_mem());
 		/* We need to set this so that when we have read all
 		 * the data, the encrypt BIO, if present, will read
@@ -438,6 +457,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 
 		if (data_body->length > 0)
 			BIO_write(bio,(char *)data_body->data,data_body->length);
+#else
+		if (data_body->length > 0)
+		      bio = BIO_new_mem_buf(data_body->data,data_body->length);
+		else {
+			bio=BIO_new(BIO_s_mem());
+			BIO_set_mem_eof_return(bio,0);
+		}
+#endif
 		}
 	BIO_push(out,bio);
 	bio=NULL;
@@ -479,12 +506,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 	case NID_pkcs7_signedAndEnveloped:
 		/* XXXXXXXXXXXXXXXX */
 		si_sk=p7->d.signed_and_enveloped->signer_info;
-		os=ASN1_OCTET_STRING_new();
+		os=M_ASN1_OCTET_STRING_new();
 		p7->d.signed_and_enveloped->enc_data->enc_data=os;
 		break;
 	case NID_pkcs7_enveloped:
 		/* XXXXXXXXXXXXXXXX */
-		os=ASN1_OCTET_STRING_new();
+		os=M_ASN1_OCTET_STRING_new();
 		p7->d.enveloped->enc_data->enc_data=os;
 		break;
 	case NID_pkcs7_signed:
@@ -492,7 +519,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 		os=p7->d.sign->contents->d.data;
 		/* If detached data then the content is excluded */
 		if(p7->detached) {
-			ASN1_OCTET_STRING_free(os);
+			M_ASN1_OCTET_STRING_free(os);
 			p7->d.sign->contents->d.data = NULL;
 		}
 		break;
@@ -527,7 +554,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 					PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_INTERNAL_ERROR);
 					goto err;
 					}
-				if (EVP_MD_type(EVP_MD_CTX_type(mdc)) == j)
+				if (EVP_MD_CTX_type(mdc) == j)
 					break;
 				else
 					btmp=btmp->next_bio;
@@ -561,10 +588,10 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 					V_ASN1_UTCTIME,sign_time);
 
 				/* Add digest */
-				md_tmp=EVP_MD_CTX_type(&ctx_tmp);
+				md_tmp=EVP_MD_CTX_md(&ctx_tmp);
 				EVP_DigestFinal(&ctx_tmp,md_data,&md_len);
-				digest=ASN1_OCTET_STRING_new();
-				ASN1_OCTET_STRING_set(digest,md_data,md_len);
+				digest=M_ASN1_OCTET_STRING_new();
+				M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
 				PKCS7_add_signed_attribute(si,
 					NID_pkcs9_messageDigest,
 					V_ASN1_OCTET_STRING,digest);
@@ -611,8 +638,17 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 			goto err;
 			}
 		BIO_get_mem_ptr(btmp,&buf_mem);
-		ASN1_OCTET_STRING_set(os,
+		/* Mark the BIO read only then we can use its copy of the data
+		 * instead of making an extra copy.
+		 */
+		BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
+		BIO_set_mem_eof_return(btmp, 0);
+		os->data = (unsigned char *)buf_mem->data;
+		os->length = buf_mem->length;
+#if 0
+		M_ASN1_OCTET_STRING_set(os,
 			(unsigned char *)buf_mem->data,buf_mem->length);
+#endif
 		}
 	if (pp != NULL) Free(pp);
 	pp=NULL;
@@ -658,6 +694,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
 
 	/* Lets verify */
 	X509_STORE_CTX_init(ctx,cert_store,x509,cert);
+	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
 	i=X509_verify_cert(ctx);
 	if (i <= 0) 
 		{
@@ -709,7 +746,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 							PKCS7_R_INTERNAL_ERROR);
 			goto err;
 			}
-		if (EVP_MD_type(EVP_MD_CTX_type(mdc)) == md_type)
+		if (EVP_MD_CTX_type(mdc) == md_type)
 			break;
 		btmp=btmp->next_bio;	
 		}
diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c
index 8b863d05583..45973fe8507 100644
--- a/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/lib/libcrypto/pkcs7/pk7_lib.c
@@ -123,7 +123,7 @@ int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
 		{
 	case NID_pkcs7_signed:
 		if (p7->d.sign->contents != NULL)
-			PKCS7_content_free(p7->d.sign->contents);
+			PKCS7_free(p7->d.sign->contents);
 		p7->d.sign->contents=p7_data;
 		break;
 	case NID_pkcs7_digest:
@@ -157,7 +157,7 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 		break;
 	case NID_pkcs7_data:
 		p7->type=obj;
-		if ((p7->d.data=ASN1_OCTET_STRING_new()) == NULL)
+		if ((p7->d.data=M_ASN1_OCTET_STRING_new()) == NULL)
 			goto err;
 		break;
 	case NID_pkcs7_signedAndEnveloped:
@@ -165,9 +165,6 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 		if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
 			== NULL) goto err;
 		ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
-/*		p7->d.signed_and_enveloped->enc_data->content_type=
-			OBJ_nid2obj(NID_pkcs7_encrypted);*/
-			
 		break;
 	case NID_pkcs7_enveloped:
 		p7->type=obj;
@@ -175,8 +172,14 @@ int PKCS7_set_type(PKCS7 *p7, int type)
 			== NULL) goto err;
 		ASN1_INTEGER_set(p7->d.enveloped->version,0);
 		break;
-	case NID_pkcs7_digest:
 	case NID_pkcs7_encrypted:
+		p7->type=obj;
+		if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
+			== NULL) goto err;
+		ASN1_INTEGER_set(p7->d.encrypted->version,0);
+		break;
+
+	case NID_pkcs7_digest:
 	default:
 		PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
 		goto err;
@@ -224,8 +227,13 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
 		}
 	if (!j) /* we need to add another algorithm */
 		{
-		alg=X509_ALGOR_new();
+		if(!(alg=X509_ALGOR_new())
+			|| !(alg->parameter = ASN1_TYPE_new())) {
+			PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE);
+			return(0);
+		}
 		alg->algorithm=OBJ_nid2obj(nid);
+		alg->parameter->type = V_ASN1_NULL;
 		sk_X509_ALGOR_push(md_sk,alg);
 		}
 
@@ -289,6 +297,9 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 	     EVP_MD *dgst)
 	{
+	char is_dsa;
+	if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
+	else is_dsa = 0;
 	/* We now need to add another PKCS7_SIGNER_INFO entry */
 	ASN1_INTEGER_set(p7i->version,1);
 	X509_NAME_set(&p7i->issuer_and_serial->issuer,
@@ -296,17 +307,16 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 
 	/* because ASN1_INTEGER_set is used to set a 'long' we will do
 	 * things the ugly way. */
-	ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
+	M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
 	p7i->issuer_and_serial->serial=
-		ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
 
 	/* lets keep the pkey around for a while */
 	CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
 	p7i->pkey=pkey;
 
 	/* Set the algorithms */
-	if (pkey->type == EVP_PKEY_DSA)
-		p7i->digest_alg->algorithm=OBJ_nid2obj(NID_sha1);
+	if (is_dsa) p7i->digest_alg->algorithm=OBJ_nid2obj(NID_sha1);
 	else	
 		p7i->digest_alg->algorithm=OBJ_nid2obj(EVP_MD_type(dgst));
 
@@ -320,9 +330,12 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 
 	if (p7i->digest_enc_alg->parameter != NULL)
 		ASN1_TYPE_free(p7i->digest_enc_alg->parameter);
-	if ((p7i->digest_enc_alg->parameter=ASN1_TYPE_new()) == NULL)
-		goto err;
-	p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
+	if(is_dsa) p7i->digest_enc_alg->parameter = NULL;
+	else {
+		if (!(p7i->digest_enc_alg->parameter=ASN1_TYPE_new()))
+			goto err;
+		p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
+	}
 
 	return(1);
 err:
@@ -397,9 +410,9 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 	X509_NAME_set(&p7i->issuer_and_serial->issuer,
 		X509_get_issuer_name(x509));
 
-	ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
+	M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
 	p7i->issuer_and_serial->serial=
-		ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+		M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
 
 	X509_ALGOR_free(p7i->key_enc_algor);
 	p7i->key_enc_algor=(X509_ALGOR *)ASN1_dup(i2d_X509_ALGOR,
@@ -425,6 +438,7 @@ X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
 	{
 	int i;
+	ASN1_OBJECT *objtmp;
 	PKCS7_ENC_CONTENT *ec;
 
 	i=OBJ_obj2nid(p7->type);
@@ -441,7 +455,13 @@ int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
 		return(0);
 		}
 
-	/* Setup cipher OID */
+	/* Check cipher OID exists and has data in it*/
+	i = EVP_CIPHER_type(cipher);
+	if(i == NID_undef) {
+		PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
+		return(0);
+	}
+	objtmp = OBJ_nid2obj(i);
 
 	ec->cipher = cipher;
 	return 1;
diff --git a/lib/libcrypto/pkcs7/pkcs7.h b/lib/libcrypto/pkcs7/pkcs7.h
index c42bd6d391f..3ec725d2263 100644
--- a/lib/libcrypto/pkcs7/pkcs7.h
+++ b/lib/libcrypto/pkcs7/pkcs7.h
@@ -71,8 +71,9 @@ extern "C" {
 #endif
 
 #ifdef WIN32
-/* Under Win32 this is defined in wincrypt.h */
+/* Under Win32 thes are defined in wincrypt.h */
 #undef PKCS7_ISSUER_AND_SERIAL
+#undef PKCS7_SIGNER_INFO
 #endif
 
 /*
@@ -219,6 +220,7 @@ typedef struct pkcs7_st
 #define PKCS7_get_attributes(si)	((si)->unauth_attr)
 
 #define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed)
+#define PKCS7_type_is_enveloped(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_enveloped)
 #define PKCS7_type_is_signedAndEnveloped(a) \
 		(OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
 #define PKCS7_type_is_data(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_data)
@@ -236,6 +238,29 @@ typedef struct pkcs7_st
 #endif
 #endif
 
+/* S/MIME related flags */
+
+#define PKCS7_TEXT	0x1
+#define PKCS7_NOCERTS	0x2
+#define PKCS7_NOSIGS	0x4
+#define PKCS7_NOCHAIN	0x8
+#define PKCS7_NOINTERN	0x10
+#define PKCS7_NOVERIFY	0x20
+#define PKCS7_DETACHED	0x40
+#define PKCS7_BINARY	0x80
+#define PKCS7_NOATTR	0x100
+
+/* Flags: for compatibility with older code */
+
+#define SMIME_TEXT	PKCS7_TEXT
+#define SMIME_NOCERTS	PKCS7_NOCERTS
+#define SMIME_NOSIGS	PKCS7_NOSIGS
+#define SMIME_NOCHAIN	PKCS7_NOCHAIN
+#define SMIME_NOINTERN	PKCS7_NOINTERN
+#define SMIME_NOVERIFY	PKCS7_NOVERIFY
+#define SMIME_DETACHED	PKCS7_DETACHED
+#define SMIME_BINARY	PKCS7_BINARY
+#define SMIME_NOATTR	PKCS7_NOATTR
 
 PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new(void );
 void			PKCS7_ISSUER_AND_SERIAL_free(
@@ -247,7 +272,7 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
 				unsigned char **pp, long length);
 
 #ifndef SSLEAY_MACROS
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
 	unsigned char *md,unsigned int *len);
 #ifndef NO_FP_API
 PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
@@ -368,6 +393,23 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
 int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,STACK_OF(X509_ATTRIBUTE) *sk);
 
 
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+							BIO *data, int flags);
+int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+					BIO *indata, BIO *out, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+								int flags);
+int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
+
+int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK *cap);
+STACK *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si);
+int PKCS7_simple_smimecap(STACK *sk, int nid, int arg);
+
+int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags);
+PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont);
+int SMIME_crlf_copy(BIO *in, BIO *out, int flags);
+int SMIME_text(BIO *in, BIO *out);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -377,6 +419,9 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,STACK_OF(X509_ATTRIBUTE) *sk);
 /* Error codes for the PKCS7 functions. */
 
 /* Function codes. */
+#define PKCS7_F_B64_READ_PKCS7				 120
+#define PKCS7_F_B64_WRITE_PKCS7				 121
+#define PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP		 118
 #define PKCS7_F_PKCS7_ADD_CERTIFICATE			 100
 #define PKCS7_F_PKCS7_ADD_CRL				 101
 #define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO		 102
@@ -386,20 +431,56 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,STACK_OF(X509_ATTRIBUTE) *sk);
 #define PKCS7_F_PKCS7_DATAINIT				 105
 #define PKCS7_F_PKCS7_DATASIGN				 106
 #define PKCS7_F_PKCS7_DATAVERIFY			 107
+#define PKCS7_F_PKCS7_DECRYPT				 114
+#define PKCS7_F_PKCS7_ENCRYPT				 115
+#define PKCS7_F_PKCS7_GET0_SIGNERS			 124
 #define PKCS7_F_PKCS7_SET_CIPHER			 108
 #define PKCS7_F_PKCS7_SET_CONTENT			 109
 #define PKCS7_F_PKCS7_SET_TYPE				 110
+#define PKCS7_F_PKCS7_SIGN				 116
 #define PKCS7_F_PKCS7_SIGNATUREVERIFY			 113
+#define PKCS7_F_PKCS7_SIMPLE_SMIMECAP			 119
+#define PKCS7_F_PKCS7_VERIFY				 117
+#define PKCS7_F_SMIME_READ_PKCS7			 122
+#define PKCS7_F_SMIME_TEXT				 123
 
 /* Reason codes. */
+#define PKCS7_R_CERTIFICATE_VERIFY_ERROR		 117
+#define PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER		 144
 #define PKCS7_R_CIPHER_NOT_INITIALIZED			 116
+#define PKCS7_R_CONTENT_AND_DATA_PRESENT		 118
+#define PKCS7_R_DECODE_ERROR				 130
 #define PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH		 100
+#define PKCS7_R_DECRYPT_ERROR				 119
 #define PKCS7_R_DIGEST_FAILURE				 101
+#define PKCS7_R_ERROR_ADDING_RECIPIENT			 120
+#define PKCS7_R_ERROR_SETTING_CIPHER			 121
 #define PKCS7_R_INTERNAL_ERROR				 102
+#define PKCS7_R_INVALID_MIME_TYPE			 131
+#define PKCS7_R_INVALID_NULL_POINTER			 143
+#define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
+#define PKCS7_R_MIME_PARSE_ERROR			 133
+#define PKCS7_R_MIME_SIG_PARSE_ERROR			 134
 #define PKCS7_R_MISSING_CERIPEND_INFO			 103
+#define PKCS7_R_NO_CONTENT				 122
+#define PKCS7_R_NO_CONTENT_TYPE				 135
+#define PKCS7_R_NO_MULTIPART_BODY_FAILURE		 136
+#define PKCS7_R_NO_MULTIPART_BOUNDARY			 137
 #define PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE	 115
+#define PKCS7_R_NO_SIGNATURES_ON_DATA			 123
+#define PKCS7_R_NO_SIGNERS				 142
+#define PKCS7_R_NO_SIG_CONTENT_TYPE			 138
 #define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE	 104
+#define PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR		 124
+#define PKCS7_R_PKCS7_DATAFINAL_ERROR			 125
+#define PKCS7_R_PKCS7_DATASIGN				 126
+#define PKCS7_R_PKCS7_PARSE_ERROR			 139
+#define PKCS7_R_PKCS7_SIG_PARSE_ERROR			 140
+#define PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 127
 #define PKCS7_R_SIGNATURE_FAILURE			 105
+#define PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND		 128
+#define PKCS7_R_SIG_INVALID_MIME_TYPE			 141
+#define PKCS7_R_SMIME_TEXT_ERROR			 129
 #define PKCS7_R_UNABLE_TO_FIND_CERTIFICATE		 106
 #define PKCS7_R_UNABLE_TO_FIND_MEM_BIO			 107
 #define PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST		 108
diff --git a/lib/libcrypto/pkcs7/pkcs7err.c b/lib/libcrypto/pkcs7/pkcs7err.c
index 82be3c2ca1e..813a8af9edc 100644
--- a/lib/libcrypto/pkcs7/pkcs7err.c
+++ b/lib/libcrypto/pkcs7/pkcs7err.c
@@ -65,6 +65,9 @@
 #ifndef NO_ERR
 static ERR_STRING_DATA PKCS7_str_functs[]=
 	{
+{ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0),	"B64_READ_PKCS7"},
+{ERR_PACK(0,PKCS7_F_B64_WRITE_PKCS7,0),	"B64_WRITE_PKCS7"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,0),	"PKCS7_add_attrib_smimecap"},
 {ERR_PACK(0,PKCS7_F_PKCS7_ADD_CERTIFICATE,0),	"PKCS7_add_certificate"},
 {ERR_PACK(0,PKCS7_F_PKCS7_ADD_CRL,0),	"PKCS7_add_crl"},
 {ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0),	"PKCS7_add_recipient_info"},
@@ -74,23 +77,59 @@ static ERR_STRING_DATA PKCS7_str_functs[]=
 {ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0),	"PKCS7_dataInit"},
 {ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),	"PKCS7_DATASIGN"},
 {ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0),	"PKCS7_dataVerify"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DECRYPT,0),	"PKCS7_decrypt"},
+{ERR_PACK(0,PKCS7_F_PKCS7_ENCRYPT,0),	"PKCS7_encrypt"},
+{ERR_PACK(0,PKCS7_F_PKCS7_GET0_SIGNERS,0),	"PKCS7_get0_signers"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0),	"PKCS7_set_cipher"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0),	"PKCS7_set_content"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0),	"PKCS7_set_type"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SIGN,0),	"PKCS7_sign"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0),	"PKCS7_signatureVerify"},
+{ERR_PACK(0,PKCS7_F_PKCS7_SIMPLE_SMIMECAP,0),	"PKCS7_simple_smimecap"},
+{ERR_PACK(0,PKCS7_F_PKCS7_VERIFY,0),	"PKCS7_verify"},
+{ERR_PACK(0,PKCS7_F_SMIME_READ_PKCS7,0),	"SMIME_read_PKCS7"},
+{ERR_PACK(0,PKCS7_F_SMIME_TEXT,0),	"SMIME_text"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA PKCS7_str_reasons[]=
 	{
+{PKCS7_R_CERTIFICATE_VERIFY_ERROR        ,"certificate verify error"},
+{PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"},
 {PKCS7_R_CIPHER_NOT_INITIALIZED          ,"cipher not initialized"},
+{PKCS7_R_CONTENT_AND_DATA_PRESENT        ,"content and data present"},
+{PKCS7_R_DECODE_ERROR                    ,"decode error"},
 {PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH   ,"decrypted key is wrong length"},
+{PKCS7_R_DECRYPT_ERROR                   ,"decrypt error"},
 {PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
+{PKCS7_R_ERROR_ADDING_RECIPIENT          ,"error adding recipient"},
+{PKCS7_R_ERROR_SETTING_CIPHER            ,"error setting cipher"},
 {PKCS7_R_INTERNAL_ERROR                  ,"internal error"},
+{PKCS7_R_INVALID_MIME_TYPE               ,"invalid mime type"},
+{PKCS7_R_INVALID_NULL_POINTER            ,"invalid null pointer"},
+{PKCS7_R_MIME_NO_CONTENT_TYPE            ,"mime no content type"},
+{PKCS7_R_MIME_PARSE_ERROR                ,"mime parse error"},
+{PKCS7_R_MIME_SIG_PARSE_ERROR            ,"mime sig parse error"},
 {PKCS7_R_MISSING_CERIPEND_INFO           ,"missing ceripend info"},
+{PKCS7_R_NO_CONTENT                      ,"no content"},
+{PKCS7_R_NO_CONTENT_TYPE                 ,"no content type"},
+{PKCS7_R_NO_MULTIPART_BODY_FAILURE       ,"no multipart body failure"},
+{PKCS7_R_NO_MULTIPART_BOUNDARY           ,"no multipart boundary"},
 {PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"},
+{PKCS7_R_NO_SIGNATURES_ON_DATA           ,"no signatures on data"},
+{PKCS7_R_NO_SIGNERS                      ,"no signers"},
+{PKCS7_R_NO_SIG_CONTENT_TYPE             ,"no sig content type"},
 {PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"},
+{PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR       ,"pkcs7 add signature error"},
+{PKCS7_R_PKCS7_DATAFINAL_ERROR           ,"pkcs7 datafinal error"},
+{PKCS7_R_PKCS7_DATASIGN                  ,"pkcs7 datasign"},
+{PKCS7_R_PKCS7_PARSE_ERROR               ,"pkcs7 parse error"},
+{PKCS7_R_PKCS7_SIG_PARSE_ERROR           ,"pkcs7 sig parse error"},
+{PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
 {PKCS7_R_SIGNATURE_FAILURE               ,"signature failure"},
+{PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND    ,"signer certificate not found"},
+{PKCS7_R_SIG_INVALID_MIME_TYPE           ,"sig invalid mime type"},
+{PKCS7_R_SMIME_TEXT_ERROR                ,"smime text error"},
 {PKCS7_R_UNABLE_TO_FIND_CERTIFICATE      ,"unable to find certificate"},
 {PKCS7_R_UNABLE_TO_FIND_MEM_BIO          ,"unable to find mem bio"},
 {PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST   ,"unable to find message digest"},
diff --git a/lib/libcrypto/pkcs7/sign.c b/lib/libcrypto/pkcs7/sign.c
index d5f11540064..22290e192cc 100644
--- a/lib/libcrypto/pkcs7/sign.c
+++ b/lib/libcrypto/pkcs7/sign.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
@@ -75,10 +76,18 @@ char *argv[];
 	int i;
 	int nodetach=0;
 
+#ifndef NO_MD2
 	EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
 	EVP_add_digest(EVP_md5());
+#endif
+#ifndef NO_SHA1
 	EVP_add_digest(EVP_sha1());
+#endif
+#ifndef NO_MDC2
 	EVP_add_digest(EVP_mdc2());
+#endif
 
 	data=BIO_new(BIO_s_file());
 again:
@@ -97,9 +106,9 @@ again:
 		BIO_set_fp(data,stdin,BIO_NOCLOSE);
 
 	if ((in=BIO_new_file("server.pem","r")) == NULL) goto err;
-	if ((x509=PEM_read_bio_X509(in,NULL,NULL)) == NULL) goto err;
+	if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
 	BIO_reset(in);
-	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL)) == NULL) goto err;
+	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL) goto err;
 	BIO_free(in);
 
 	p7=PKCS7_new();
diff --git a/lib/libcrypto/pkcs7/verify.c b/lib/libcrypto/pkcs7/verify.c
index 32d9783e451..49fc8d8bed6 100644
--- a/lib/libcrypto/pkcs7/verify.c
+++ b/lib/libcrypto/pkcs7/verify.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 #include <stdio.h>
+#include <string.h>
 #include <openssl/bio.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
@@ -84,10 +85,18 @@ char *argv[];
 
 	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifndef NO_MD2
 	EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
 	EVP_add_digest(EVP_md5());
+#endif
+#ifndef NO_SHA1
 	EVP_add_digest(EVP_sha1());
+#endif
+#ifndef NO_MDC2
 	EVP_add_digest(EVP_mdc2());
+#endif
 
 	data=BIO_new(BIO_s_file());
 
@@ -121,7 +130,7 @@ char *argv[];
 
 
 	/* Load the PKCS7 object from a file */
-	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL)) == NULL) goto err;
+	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
 
 	/* This stuff is being setup for certificate verification.
 	 * When using SSL, it could be replaced with a 
diff --git a/lib/libcrypto/rand/Makefile.ssl b/lib/libcrypto/rand/Makefile.ssl
index 014356cb18c..be8eea34a27 100644
--- a/lib/libcrypto/rand/Makefile.ssl
+++ b/lib/libcrypto/rand/Makefile.ssl
@@ -22,8 +22,8 @@ TEST= randtest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=md_rand.c randfile.c rand_lib.c
-LIBOBJ=md_rand.o randfile.o rand_lib.o
+LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c
+LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o
 
 SRC= $(LIBSRC)
 
@@ -79,9 +79,14 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 md_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-md_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_egd.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+rand_err.o: ../../include/openssl/err.h ../../include/openssl/rand.h
 rand_lib.o: ../../include/openssl/rand.h
-randfile.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-randfile.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+randfile.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
diff --git a/lib/libcrypto/rand/md_rand.c b/lib/libcrypto/rand/md_rand.c
index c9a071bd22e..6b158f03495 100644
--- a/lib/libcrypto/rand/md_rand.c
+++ b/lib/libcrypto/rand/md_rand.c
@@ -56,15 +56,23 @@
  * [including the GNU Public Licence.]
  */
 
+#define ENTROPY_NEEDED 16  /* require 128 bits = 16 bytes of randomness */
+
+#ifndef MD_RAND_DEBUG
+# ifndef NDEBUG
+#   define NDEBUG
+# endif
+#endif
+
+#include <assert.h>
 #include <stdio.h>
-#include <sys/types.h>
-#include <fcntl.h>
 #include <time.h>
 #include <string.h>
 
 #include "openssl/e_os.h"
 
 #include <openssl/crypto.h>
+#include <openssl/err.h>
 
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
 #if !defined(NO_SHA) && !defined(NO_SHA1)
@@ -130,17 +138,23 @@ static int state_num=0,state_index=0;
 static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
 static unsigned char md[MD_DIGEST_LENGTH];
 static long md_count[2]={0,0};
+static double entropy=0;
+static int initialized=0;
 
 const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT;
 
 static void ssleay_rand_cleanup(void);
 static void ssleay_rand_seed(const void *buf, int num);
-static void ssleay_rand_bytes(unsigned char *buf, int num);
+static void ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
 
 RAND_METHOD rand_ssleay_meth={
 	ssleay_rand_seed,
 	ssleay_rand_bytes,
 	ssleay_rand_cleanup,
+	ssleay_rand_add,
+	ssleay_rand_pseudo_bytes,
 	}; 
 
 RAND_METHOD *RAND_SSLeay(void)
@@ -156,22 +170,49 @@ static void ssleay_rand_cleanup(void)
 	memset(md,0,MD_DIGEST_LENGTH);
 	md_count[0]=0;
 	md_count[1]=0;
+	entropy=0;
 	}
 
-static void ssleay_rand_seed(const void *buf, int num)
+static void ssleay_rand_add(const void *buf, int num, double add)
 	{
-	int i,j,k,st_idx,st_num;
+	int i,j,k,st_idx;
+	long md_c[2];
+	unsigned char local_md[MD_DIGEST_LENGTH];
 	MD_CTX m;
 
 #ifdef NORAND
 	return;
 #endif
 
+	/*
+	 * (Based on the rand(3) manpage)
+	 *
+	 * The input is chopped up into units of 20 bytes (or less for
+	 * the last block).  Each of these blocks is run through the hash
+	 * function as follows:  The data passed to the hash function
+	 * is the current 'md', the same number of bytes from the 'state'
+	 * (the location determined by in incremented looping index) as
+	 * the current 'block', the new key data 'block', and 'count'
+	 * (which is incremented after each use).
+	 * The result of this is kept in 'md' and also xored into the
+	 * 'state' at the same locations that were used as input into the
+         * hash function.
+	 */
+
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	st_idx=state_index;
-	st_num=state_num;
 
-	state_index=(state_index+num);
+	/* use our own copies of the counters so that even
+	 * if a concurrent thread seeds with exactly the
+	 * same data and uses the same subarray there's _some_
+	 * difference */
+	md_c[0] = md_count[0];
+	md_c[1] = md_count[1];
+
+	memcpy(local_md, md, sizeof md);
+
+	/* state_index <= state_num <= STATE_SIZE */
+	state_index += num;
 	if (state_index >= STATE_SIZE)
 		{
 		state_index%=STATE_SIZE;
@@ -182,6 +223,14 @@ static void ssleay_rand_seed(const void *buf, int num)
 		if (state_index > state_num)
 			state_num=state_index;
 		}
+	/* state_index <= state_num <= STATE_SIZE */
+
+	/* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE]
+	 * are what we will use now, but other threads may use them
+	 * as well */
+
+	md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
+
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	for (i=0; i<num; i+=MD_DIGEST_LENGTH)
@@ -190,7 +239,7 @@ static void ssleay_rand_seed(const void *buf, int num)
 		j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
 
 		MD_Init(&m);
-		MD_Update(&m,md,MD_DIGEST_LENGTH);
+		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
 		k=(st_idx+j)-STATE_SIZE;
 		if (k > 0)
 			{
@@ -201,33 +250,107 @@ static void ssleay_rand_seed(const void *buf, int num)
 			MD_Update(&m,&(state[st_idx]),j);
 			
 		MD_Update(&m,buf,j);
-		MD_Update(&m,(unsigned char *)&(md_count[0]),sizeof(md_count));
-		MD_Final(md,&m);
-		md_count[1]++;
+		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+		MD_Final(local_md,&m);
+		md_c[1]++;
 
 		buf=(const char *)buf + j;
 
 		for (k=0; k<j; k++)
 			{
-			state[st_idx++]^=md[k];
+			/* Parallel threads may interfere with this,
+			 * but always each byte of the new state is
+			 * the XOR of some previous value of its
+			 * and local_md (itermediate values may be lost).
+			 * Alway using locking could hurt performance more
+			 * than necessary given that conflicts occur only
+			 * when the total seeding is longer than the random
+			 * state. */
+			state[st_idx++]^=local_md[k];
 			if (st_idx >= STATE_SIZE)
-				{
 				st_idx=0;
-				st_num=STATE_SIZE;
-				}
 			}
 		}
 	memset((char *)&m,0,sizeof(m));
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	/* Don't just copy back local_md into md -- this could mean that
+	 * other thread's seeding remains without effect (except for
+	 * the incremented counter).  By XORing it we keep at least as
+	 * much entropy as fits into md. */
+	for (k = 0; k < sizeof md; k++)
+		{
+		md[k] ^= local_md[k];
+		}
+	if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
+	    entropy += add;
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	
+#ifndef THREADS	
+	assert(md_c[1] == md_count[1]);
+#endif
 	}
 
-static void ssleay_rand_bytes(unsigned char *buf, int num)
+static void ssleay_rand_seed(const void *buf, int num)
+	{
+	ssleay_rand_add(buf, num, num);
+	}
+
+static void ssleay_rand_initialize(void)
 	{
-	int i,j,k,st_num,st_idx;
-	MD_CTX m;
-	static int init=1;
 	unsigned long l;
+#ifndef GETPID_IS_MEANINGLESS
+	pid_t curr_pid = getpid();
+#endif
 #ifdef DEVRANDOM
-	int fd;
+	FILE *fh;
+#endif
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	/* put in some default random data, we need more than just this */
+#ifndef GETPID_IS_MEANINGLESS
+	l=curr_pid;
+	RAND_add(&l,sizeof(l),0);
+	l=getuid();
+	RAND_add(&l,sizeof(l),0);
+#endif
+	l=time(NULL);
+	RAND_add(&l,sizeof(l),0);
+
+#ifdef DEVRANDOM
+	/* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+	 * have this. Use /dev/urandom if you can as /dev/random may block
+	 * if it runs out of random entries.  */
+
+	if ((fh = fopen(DEVRANDOM, "r")) != NULL)
+		{
+		unsigned char tmpbuf[ENTROPY_NEEDED];
+		int n;
+		
+		setvbuf(fh, NULL, _IONBF, 0);
+		n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
+		fclose(fh);
+		RAND_add(tmpbuf,sizeof tmpbuf,n);
+		memset(tmpbuf,0,n);
+		}
+#endif
+#ifdef PURIFY
+	memset(state,0,STATE_SIZE);
+	memset(md,0,MD_DIGEST_LENGTH);
+#endif
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	initialized=1;
+	}
+
+static int ssleay_rand_bytes(unsigned char *buf, int num)
+	{
+	int i,j,k,st_num,st_idx;
+	int ok;
+	long md_c[2];
+	unsigned char local_md[MD_DIGEST_LENGTH];
+	MD_CTX m;
+#ifndef GETPID_IS_MEANINGLESS
+	pid_t curr_pid = getpid();
 #endif
 
 #ifdef PREDICT
@@ -236,65 +359,63 @@ static void ssleay_rand_bytes(unsigned char *buf, int num)
 
 	for (i=0; i<num; i++)
 		buf[i]=val++;
-	return;
+	return(1);
 	}
 #endif
 
+	/*
+	 * (Based on the rand(3) manpage:)
+	 *
+	 * For each group of 10 bytes (or less), we do the following:
+	 *
+	 * Input into the hash function the top 10 bytes from the
+	 * local 'md' (which is initialized from the global 'md'
+	 * before any bytes are generated), the bytes that are
+	 * to be overwritten by the random bytes, and bytes from the
+	 * 'state' (incrementing looping index).  From this digest output
+	 * (which is kept in 'md'), the top (up to) 10 bytes are
+	 * returned to the caller and the bottom (up to) 10 bytes are xored
+	 * into the 'state'.
+	 * Finally, after we have finished 'num' random bytes for the
+	 * caller, 'count' (which is incremented) and the local and global 'md'
+	 * are fed into the hash function and the results are kept in the
+	 * global 'md'.
+	 */
+
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
-	if (init)
+	if (!initialized)
+		ssleay_rand_initialize();
+
+	ok = (entropy >= ENTROPY_NEEDED);
+	if (!ok)
 		{
-		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-		/* put in some default random data, we need more than
-		 * just this */
-		RAND_seed(&m,sizeof(m));
-#ifndef MSDOS
-		l=getpid();
-		RAND_seed(&l,sizeof(l));
-		l=getuid();
-		RAND_seed(&l,sizeof(l));
-#endif
-		l=time(NULL);
-		RAND_seed(&l,sizeof(l));
-
-/* #ifdef DEVRANDOM */
-		/* 
-		 * Use a random entropy pool device.
-		 * Linux 1.3.x, OpenBSD, and FreeBSD have
-		 * this. Use /dev/urandom if you can
-		 * as /dev/random will block if it runs out
-		 * of random entries.
+		/* If the PRNG state is not yet unpredictable, then seeing
+		 * the PRNG output may help attackers to determine the new
+		 * state; thus we have to decrease the entropy estimate.
+		 * Once we've had enough initial seeding we don't bother to
+		 * adjust the entropy count, though, because we're not ambitious
+		 * to provide *information-theoretic* randomness.
 		 */
-		if ((fd = open(DEVRANDOM, O_RDONLY)) != NULL)
-			{
-			unsigned char tmpbuf[32];
-
-			read(fd, tmpbuf, sizeof(tmpbuf));
-			/* we don't care how many bytes we read,
-			 * we will just copy the 'stack' if there is
-			 * nothing else :-) */
-			/* the above comment is EVIL.  Security software
-			 * RELIES ON THESE PRIMITIVES HAVING MORE SECURE
-			 * BEHAVIOUR! Secure entropy is required in
-			 * many cases! */
-			RAND_seed(tmpbuf,32);
-			memset(tmpbuf,0,32);
-			}
-/* #endif */
-#ifdef PURIFY
-		memset(state,0,STATE_SIZE);
-		memset(md,0,MD_DIGEST_LENGTH);
-#endif
-		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-		init=0;
+		entropy -= num;
+		if (entropy < 0)
+			entropy = 0;
 		}
 
 	st_idx=state_index;
 	st_num=state_num;
+	md_c[0] = md_count[0];
+	md_c[1] = md_count[1];
+	memcpy(local_md, md, sizeof md);
+
 	state_index+=num;
 	if (state_index > state_num)
-		state_index=(state_index%state_num);
+		state_index %= state_num;
+
+	/* state[st_idx], ..., state[(st_idx + num - 1) % st_num]
+	 * are now ours (but other threads may use them too) */
 
+	md_count[0] += 1;
 	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	while (num > 0)
@@ -302,8 +423,15 @@ static void ssleay_rand_bytes(unsigned char *buf, int num)
 		j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
 		num-=j;
 		MD_Init(&m);
-		MD_Update(&m,&(md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
-		MD_Update(&m,(unsigned char *)&(md_count[0]),sizeof(md_count));
+#ifndef GETPID_IS_MEANINGLESS
+		if (curr_pid) /* just in the first iteration to save time */
+			{
+			MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
+			curr_pid = 0;
+			}
+#endif
+		MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
+		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 #ifndef PURIFY
 		MD_Update(&m,buf,j); /* purify complains */
 #endif
@@ -315,23 +443,57 @@ static void ssleay_rand_bytes(unsigned char *buf, int num)
 			}
 		else
 			MD_Update(&m,&(state[st_idx]),j);
-		MD_Final(md,&m);
+		MD_Final(local_md,&m);
 
 		for (i=0; i<j; i++)
 			{
+			state[st_idx++]^=local_md[i]; /* may compete with other threads */
+			*(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
 			if (st_idx >= st_num)
 				st_idx=0;
-			state[st_idx++]^=md[i];
-			*(buf++)=md[i+MD_DIGEST_LENGTH/2];
 			}
 		}
 
 	MD_Init(&m);
-	MD_Update(&m,(unsigned char *)&(md_count[0]),sizeof(md_count));
-	md_count[0]++;
+	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	MD_Update(&m,md,MD_DIGEST_LENGTH);
 	MD_Final(md,&m);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
 	memset(&m,0,sizeof(m));
+	if (ok)
+		return(1);
+	else
+		{
+		RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
+		return(0);
+		}
+	}
+
+/* pseudo-random bytes that are guaranteed to be unique but not
+   unpredictable */
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
+	{
+	int ret, err;
+
+	ret = RAND_bytes(buf, num);
+	if (ret == 0)
+		{
+		err = ERR_peek_error();
+		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
+		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
+			(void)ERR_get_error();
+		}
+	return (ret);
+	}
+
+int RAND_status(void)
+	{
+	if (!initialized)
+		ssleay_rand_initialize();
+	return (entropy >= ENTROPY_NEEDED);
 	}
 
 #ifdef WINDOWS
@@ -358,12 +520,12 @@ static void ssleay_rand_bytes(unsigned char *buf, int num)
  */
 /*
  * I have modified the loading of bytes via RAND_seed() mechanism since
- * the origional would have been very very CPU intensive since RAND_seed()
+ * the original would have been very very CPU intensive since RAND_seed()
  * does an MD5 per 16 bytes of input.  The cost to digest 16 bytes is the same
  * as that to digest 56 bytes.  So under the old system, a screen of
- * 1024*768*256 would have been CPU cost of approximatly 49,000 56 byte MD5
+ * 1024*768*256 would have been CPU cost of approximately 49,000 56 byte MD5
  * digests or digesting 2.7 mbytes.  What I have put in place would
- * be 48 16k MD5 digests, or efectivly 48*16+48 MD5 bytes or 816 kbytes
+ * be 48 16k MD5 digests, or effectively 48*16+48 MD5 bytes or 816 kbytes
  * or about 3.5 times as much.
  * - eric 
  */
diff --git a/lib/libcrypto/rand/md_rand_munged.c b/lib/libcrypto/rand/md_rand_munged.c
new file mode 100644
index 00000000000..1611bf335b0
--- /dev/null
+++ b/lib/libcrypto/rand/md_rand_munged.c
@@ -0,0 +1,515 @@
+/* crypto/rand/md_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <time.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+
+#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#define USE_SHA1_RAND
+#elif !defined(NO_MD5)
+#define USE_MD5_RAND
+#elif !defined(NO_MDC2) && !defined(NO_DES)
+#define USE_MDC2_RAND
+#elif !defined(NO_MD2)
+#define USE_MD2_RAND
+#else
+#error No message digest algorithm available
+#endif
+#endif
+
+/* Changed how the state buffer used.  I now attempt to 'wrap' such
+ * that I don't run over the same locations the next time  go through
+ * the 1023 bytes - many thanks to
+ * Robert J. LeBlanc <rjl@renaissoft.com> for his comments
+ */
+
+#if defined(USE_MD5_RAND)
+#include <openssl/md5.h>
+#define MD_DIGEST_LENGTH	MD5_DIGEST_LENGTH
+#define MD_CTX			MD5_CTX
+#define MD_Init(a)		MD5_Init(a)
+#define MD_Update(a,b,c)	MD5_Update(a,b,c)
+#define	MD_Final(a,b)		MD5_Final(a,b)
+#define	MD(a,b,c)		MD5(a,b,c)
+#elif defined(USE_SHA1_RAND)
+#include <openssl/sha.h>
+#define MD_DIGEST_LENGTH	SHA_DIGEST_LENGTH
+#define MD_CTX			SHA_CTX
+#define MD_Init(a)		SHA1_Init(a)
+#define MD_Update(a,b,c)	SHA1_Update(a,b,c)
+#define	MD_Final(a,b)		SHA1_Final(a,b)
+#define	MD(a,b,c)		SHA1(a,b,c)
+#elif defined(USE_MDC2_RAND)
+#include <openssl/mdc2.h>
+#define MD_DIGEST_LENGTH	MDC2_DIGEST_LENGTH
+#define MD_CTX			MDC2_CTX
+#define MD_Init(a)		MDC2_Init(a)
+#define MD_Update(a,b,c)	MDC2_Update(a,b,c)
+#define	MD_Final(a,b)		MDC2_Final(a,b)
+#define	MD(a,b,c)		MDC2(a,b,c)
+#elif defined(USE_MD2_RAND)
+#include <openssl/md2.h>
+#define MD_DIGEST_LENGTH	MD2_DIGEST_LENGTH
+#define MD_CTX			MD2_CTX
+#define MD_Init(a)		MD2_Init(a)
+#define MD_Update(a,b,c)	MD2_Update(a,b,c)
+#define	MD_Final(a,b)		MD2_Final(a,b)
+#define	MD(a,b,c)		MD2(a,b,c)
+#endif
+
+#include <openssl/rand.h>
+
+/* #define NORAND	1 */
+/* #define PREDICT	1 */
+
+#define STATE_SIZE	1023
+static int state_num=0,state_index=0;
+static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
+static unsigned char md[MD_DIGEST_LENGTH];
+static long md_count[2]={0,0};
+static double entropy=0;
+static int initialized=0;
+
+const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT;
+
+static void ssleay_rand_cleanup(void);
+static void ssleay_rand_seed(const void *buf, int num);
+static void ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_bytes(unsigned char *buf, int num);
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
+
+RAND_METHOD rand_ssleay_meth={
+	ssleay_rand_seed,
+	ssleay_rand_bytes,
+	ssleay_rand_cleanup,
+	ssleay_rand_add,
+	ssleay_rand_pseudo_bytes,
+	}; 
+
+RAND_METHOD *RAND_SSLeay(void)
+	{
+	return(&rand_ssleay_meth);
+	}
+
+static void ssleay_rand_cleanup(void)
+	{
+	memset(state,0,sizeof(state));
+	state_num=0;
+	state_index=0;
+	memset(md,0,MD_DIGEST_LENGTH);
+	md_count[0]=0;
+	md_count[1]=0;
+	entropy=0;
+	}
+
+static void ssleay_rand_add(const void *buf, int num, double add)
+	{
+	int i,j,k,st_idx;
+	long md_c[2];
+	unsigned char local_md[MD_DIGEST_LENGTH];
+	MD_CTX m;
+
+#ifdef NORAND
+	return;
+#endif
+
+	/*
+	 * (Based on the rand(3) manpage)
+	 *
+	 * The input is chopped up into units of 20 bytes (or less for
+	 * the last block).  Each of these blocks is run through the hash
+	 * function as follows:  The data passed to the hash function
+	 * is the current 'md', the same number of bytes from the 'state'
+	 * (the location determined by in incremented looping index) as
+	 * the current 'block', the new key data 'block', and 'count'
+	 * (which is incremented after each use).
+	 * The result of this is kept in 'md' and also xored into the
+	 * 'state' at the same locations that were used as input into the
+         * hash function.
+	 */
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	st_idx=state_index;
+
+	/* use our own copies of the counters so that even
+	 * if a concurrent thread seeds with exactly the
+	 * same data and uses the same subarray there's _some_
+	 * difference */
+	md_c[0] = md_count[0];
+	md_c[1] = md_count[1];
+
+	memcpy(local_md, md, sizeof md);
+
+	/* state_index <= state_num <= STATE_SIZE */
+	state_index += num;
+	if (state_index >= STATE_SIZE)
+		{
+		state_index%=STATE_SIZE;
+		state_num=STATE_SIZE;
+		}
+	else if (state_num < STATE_SIZE)	
+		{
+		if (state_index > state_num)
+			state_num=state_index;
+		}
+	/* state_index <= state_num <= STATE_SIZE */
+
+	/* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE]
+	 * are what we will use now, but other threads may use them
+	 * as well */
+
+	md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	for (i=0; i<num; i+=MD_DIGEST_LENGTH)
+		{
+		j=(num-i);
+		j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j;
+
+		MD_Init(&m);
+		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+		k=(st_idx+j)-STATE_SIZE;
+		if (k > 0)
+			{
+			MD_Update(&m,&(state[st_idx]),j-k);
+			MD_Update(&m,&(state[0]),k);
+			}
+		else
+			MD_Update(&m,&(state[st_idx]),j);
+			
+		MD_Update(&m,buf,j);
+		MD_Update(&m,(unsigned char *)&(md_count[0]),sizeof(md_count));
+		MD_Final(md,&m);
+		md_count[1]++;
+
+		buf=(const char *)buf + j;
+
+		for (k=0; k<j; k++)
+			{
+			state[st_idx++]^=md[k];
+			if (st_idx >= STATE_SIZE)
+				{
+				st_idx=0;
+				st_num=STATE_SIZE;
+				}
+			}
+		}
+	memset((char *)&m,0,sizeof(m));
+	}
+
+static void ssleay_rand_bytes(unsigned char *buf, int num)
+	{
+	int i,j,k,st_num,st_idx;
+	MD_CTX m;
+	static int init=1;
+	unsigned long l;
+#ifdef DEVRANDOM
+	int fd;
+#endif
+
+#ifdef PREDICT
+	{
+	static unsigned char val=0;
+
+	for (i=0; i<num; i++)
+		buf[i]=val++;
+	return;
+	}
+#endif
+
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+	if (init)
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+		/* put in some default random data, we need more than
+		 * just this */
+		RAND_seed(&m,sizeof(m));
+#ifndef MSDOS
+		l=getpid();
+		RAND_seed(&l,sizeof(l));
+		l=getuid();
+		RAND_seed(&l,sizeof(l));
+#endif
+		l=time(NULL);
+		RAND_seed(&l,sizeof(l));
+
+/* #ifdef DEVRANDOM */
+		/* 
+		 * Use a random entropy pool device.
+		 * Linux 1.3.x, OpenBSD, and FreeBSD have
+		 * this. Use /dev/urandom if you can
+		 * as /dev/random will block if it runs out
+		 * of random entries.
+		 */
+		if ((fd = open(DEVRANDOM, O_RDONLY)) != NULL)
+			{
+			unsigned char tmpbuf[32];
+
+			read(fd, tmpbuf, sizeof(tmpbuf));
+			/* we don't care how many bytes we read,
+			 * we will just copy the 'stack' if there is
+			 * nothing else :-) */
+			/* the above comment is EVIL.  Security software
+			 * RELIES ON THESE PRIMITIVES HAVING MORE SECURE
+			 * BEHAVIOUR! Secure entropy is required in
+			 * many cases! */
+			RAND_seed(tmpbuf,32);
+			memset(tmpbuf,0,32);
+			}
+/* #endif */
+#ifdef PURIFY
+		memset(state,0,STATE_SIZE);
+		memset(md,0,MD_DIGEST_LENGTH);
+#endif
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+		init=0;
+		}
+
+	st_idx=state_index;
+	st_num=state_num;
+	state_index+=num;
+	if (state_index > state_num)
+		state_index=(state_index%state_num);
+
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	while (num > 0)
+		{
+		j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
+		num-=j;
+		MD_Init(&m);
+#ifndef GETPID_IS_MEANINGLESS
+		if (curr_pid) /* just in the first iteration to save time */
+			{
+			MD_Update(&m,(unsigned char*)&curr_pid,sizeof curr_pid);
+			curr_pid = 0;
+			}
+#endif
+		MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
+		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+#ifndef PURIFY
+		MD_Update(&m,buf,j); /* purify complains */
+#endif
+		k=(st_idx+j)-st_num;
+		if (k > 0)
+			{
+			MD_Update(&m,&(state[st_idx]),j-k);
+			MD_Update(&m,&(state[0]),k);
+			}
+		else
+			MD_Update(&m,&(state[st_idx]),j);
+		MD_Final(local_md,&m);
+
+		for (i=0; i<j; i++)
+			{
+			state[st_idx++]^=local_md[i]; /* may compete with other threads */
+			*(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
+			if (st_idx >= st_num)
+				st_idx=0;
+			}
+		}
+
+	MD_Init(&m);
+	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	MD_Update(&m,md,MD_DIGEST_LENGTH);
+	MD_Final(md,&m);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+	memset(&m,0,sizeof(m));
+	if (ok)
+		return(1);
+	else
+		{
+		RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
+		return(0);
+		}
+	}
+
+/* pseudo-random bytes that are guaranteed to be unique but not
+   unpredictable */
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
+	{
+	int ret, err;
+
+	ret = RAND_bytes(buf, num);
+	if (ret == 0)
+		{
+		err = ERR_peek_error();
+		if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
+		    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
+			(void)ERR_get_error();
+		}
+	return (ret);
+	}
+
+int RAND_status(void)
+	{
+	if (!initialized)
+		ssleay_rand_initialize();
+	return (entropy >= ENTROPY_NEEDED);
+	}
+
+#ifdef WINDOWS
+#include <windows.h>
+#include <openssl/rand.h>
+
+/*****************************************************************************
+ * Initialisation function for the SSL random generator.  Takes the contents
+ * of the screen as random seed.
+ *
+ * Created 960901 by Gertjan van Oosten, gertjan@West.NL, West Consulting B.V.
+ *
+ * Code adapted from
+ * <URL:http://www.microsoft.com/kb/developr/win_dk/q97193.htm>;
+ * the original copyright message is:
+ *
+ *   (C) Copyright Microsoft Corp. 1993.  All rights reserved.
+ *
+ *   You have a royalty-free right to use, modify, reproduce and
+ *   distribute the Sample Files (and/or any modified version) in
+ *   any way you find useful, provided that you agree that
+ *   Microsoft has no warranty obligations or liability for any
+ *   Sample Application Files which are modified.
+ */
+/*
+ * I have modified the loading of bytes via RAND_seed() mechanism since
+ * the original would have been very very CPU intensive since RAND_seed()
+ * does an MD5 per 16 bytes of input.  The cost to digest 16 bytes is the same
+ * as that to digest 56 bytes.  So under the old system, a screen of
+ * 1024*768*256 would have been CPU cost of approximately 49,000 56 byte MD5
+ * digests or digesting 2.7 mbytes.  What I have put in place would
+ * be 48 16k MD5 digests, or effectively 48*16+48 MD5 bytes or 816 kbytes
+ * or about 3.5 times as much.
+ * - eric 
+ */
+void RAND_screen(void)
+{
+  HDC		hScrDC;		/* screen DC */
+  HDC		hMemDC;		/* memory DC */
+  HBITMAP	hBitmap;	/* handle for our bitmap */
+  HBITMAP	hOldBitmap;	/* handle for previous bitmap */
+  BITMAP	bm;		/* bitmap properties */
+  unsigned int	size;		/* size of bitmap */
+  char		*bmbits;	/* contents of bitmap */
+  int		w;		/* screen width */
+  int		h;		/* screen height */
+  int		y;		/* y-coordinate of screen lines to grab */
+  int		n = 16;		/* number of screen lines to grab at a time */
+
+  /* Create a screen DC and a memory DC compatible to screen DC */
+  hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL);
+  hMemDC = CreateCompatibleDC(hScrDC);
+
+  /* Get screen resolution */
+  w = GetDeviceCaps(hScrDC, HORZRES);
+  h = GetDeviceCaps(hScrDC, VERTRES);
+
+  /* Create a bitmap compatible with the screen DC */
+  hBitmap = CreateCompatibleBitmap(hScrDC, w, n);
+
+  /* Select new bitmap into memory DC */
+  hOldBitmap = SelectObject(hMemDC, hBitmap);
+
+  /* Get bitmap properties */
+  GetObject(hBitmap, sizeof(BITMAP), (LPSTR)&bm);
+  size = (unsigned int)bm.bmWidthBytes * bm.bmHeight * bm.bmPlanes;
+
+  bmbits = Malloc(size);
+  if (bmbits) {
+    /* Now go through the whole screen, repeatedly grabbing n lines */
+    for (y = 0; y < h-n; y += n)
+    	{
+	unsigned char md[MD_DIGEST_LENGTH];
+
+	/* Bitblt screen DC to memory DC */
+	BitBlt(hMemDC, 0, 0, w, n, hScrDC, 0, y, SRCCOPY);
+
+	/* Copy bitmap bits from memory DC to bmbits */
+	GetBitmapBits(hBitmap, size, bmbits);
+
+	/* Get the MD5 of the bitmap */
+	MD(bmbits,size,md);
+
+	/* Seed the random generator with the MD5 digest */
+	RAND_seed(md, MD_DIGEST_LENGTH);
+	}
+
+    Free(bmbits);
+  }
+
+  /* Select old bitmap back into memory DC */
+  hBitmap = SelectObject(hMemDC, hOldBitmap);
+
+  /* Clean up */
+  DeleteObject(hBitmap);
+  DeleteDC(hMemDC);
+  DeleteDC(hScrDC);
+}
+#endif
diff --git a/lib/libcrypto/rand/rand.h b/lib/libcrypto/rand/rand.h
index fd8ee38366f..28f45ec0526 100644
--- a/lib/libcrypto/rand/rand.h
+++ b/lib/libcrypto/rand/rand.h
@@ -66,24 +66,45 @@ extern "C" {
 typedef struct rand_meth_st
 	{
 	void (*seed)(const void *buf, int num);
-	void (*bytes)(unsigned char *buf, int num);
+	int (*bytes)(unsigned char *buf, int num);
 	void (*cleanup)(void);
+	void (*add)(const void *buf, int num, double entropy);
+	int (*pseudorand)(unsigned char *buf, int num);
 	} RAND_METHOD;
 
 void RAND_set_rand_method(RAND_METHOD *meth);
 RAND_METHOD *RAND_get_rand_method(void );
 RAND_METHOD *RAND_SSLeay(void);
 void RAND_cleanup(void );
-void RAND_bytes(unsigned char *buf,int num);
+int  RAND_bytes(unsigned char *buf,int num);
+int  RAND_pseudo_bytes(unsigned char *buf,int num);
 void RAND_seed(const void *buf,int num);
+void RAND_add(const void *buf,int num,double entropy);
 int  RAND_load_file(const char *file,long max_bytes);
 int  RAND_write_file(const char *file);
-char *RAND_file_name(char *file,int num);
+const char *RAND_file_name(char *file,int num);
+int RAND_status(void);
+int RAND_egd(const char *path);
 #ifdef WINDOWS
 void RAND_screen(void);
 #endif
+void	ERR_load_RAND_strings(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the RAND functions. */
+
+/* Function codes. */
+#define RAND_F_SSLEAY_RAND_BYTES			 100
+
+/* Reason codes. */
+#define RAND_R_PRNG_NOT_SEEDED				 100
+
 #ifdef  __cplusplus
 }
 #endif
-
 #endif
+
diff --git a/lib/libcrypto/rand/rand_lib.c b/lib/libcrypto/rand/rand_lib.c
index 34c6d5b9681..b09a300c46e 100644
--- a/lib/libcrypto/rand/rand_lib.c
+++ b/lib/libcrypto/rand/rand_lib.c
@@ -57,7 +57,6 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
 #include <time.h>
 #include <openssl/rand.h>
 
@@ -90,9 +89,22 @@ void RAND_seed(const void *buf, int num)
 		rand_meth->seed(buf,num);
 	}
 
-void RAND_bytes(unsigned char *buf, int num)
+void RAND_add(const void *buf, int num, double entropy)
 	{
 	if (rand_meth != NULL)
-		rand_meth->bytes(buf,num);
+		rand_meth->add(buf,num,entropy);
 	}
 
+int RAND_bytes(unsigned char *buf, int num)
+	{
+	if (rand_meth != NULL)
+		return rand_meth->bytes(buf,num);
+	return(-1);
+	}
+
+int RAND_pseudo_bytes(unsigned char *buf, int num)
+	{
+	if (rand_meth != NULL)
+		return rand_meth->pseudorand(buf,num);
+	return(-1);
+	}
diff --git a/lib/libcrypto/rand/randfile.c b/lib/libcrypto/rand/randfile.c
index 6829d4ec370..658a8d6b65f 100644
--- a/lib/libcrypto/rand/randfile.c
+++ b/lib/libcrypto/rand/randfile.c
@@ -60,22 +60,35 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/types.h>
 
 #include "openssl/e_os.h"
 
+#ifdef VMS
+#include <unixio.h>
+#endif
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef MAC_OS_pre_X
+# include <stat.h>
+#else
+# include <sys/stat.h>
+#endif
+
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 
 #undef BUFSIZE
 #define BUFSIZE	1024
 #define RAND_DATA 1024
 
-/* #define RFILE ".rand" - defined in ../../e_os.h */
+/* #define RFILE ".rnd" - defined in ../../e_os.h */
 
 int RAND_load_file(const char *file, long bytes)
 	{
+	/* If bytes >= 0, read up to 'bytes' bytes.
+	 * if bytes == -1, read complete file. */
+
 	MS_STATIC unsigned char buf[BUFSIZE];
 	struct stat sb;
 	int i,ret=0,n;
@@ -85,23 +98,28 @@ int RAND_load_file(const char *file, long bytes)
 
 	i=stat(file,&sb);
 	/* If the state fails, put some crap in anyway */
-	RAND_seed(&sb,sizeof(sb));
-	ret+=sizeof(sb);
+	RAND_add(&sb,sizeof(sb),0);
 	if (i < 0) return(0);
-	if (bytes <= 0) return(ret);
+	if (bytes == 0) return(ret);
 
 	in=fopen(file,"rb");
 	if (in == NULL) goto err;
 	for (;;)
 		{
-		n=(bytes < BUFSIZE)?(int)bytes:BUFSIZE;
+		if (bytes > 0)
+			n = (bytes < BUFSIZE)?(int)bytes:BUFSIZE;
+		else
+			n = BUFSIZE;
 		i=fread(buf,1,n,in);
 		if (i <= 0) break;
 		/* even if n != i, use the full array */
-		RAND_seed(buf,n);
+		RAND_add(buf,n,i);
 		ret+=i;
-		bytes-=n;
-		if (bytes <= 0) break;
+		if (bytes > 0)
+			{
+			bytes-=n;
+			if (bytes == 0) break;
+			}
 		}
 	fclose(in);
 	memset(buf,0,BUFSIZE);
@@ -112,29 +130,48 @@ err:
 int RAND_write_file(const char *file)
 	{
 	unsigned char buf[BUFSIZE];
-	int i,ret=0;
-	FILE *out;
+	int i,ret=0,err=0;
+	FILE *out = NULL;
 	int n;
 
-	/* Under VMS, fopen(file, "wb") will craete a new version of the
+#ifdef VMS
+	/* Under VMS, fopen(file, "wb") will create a new version of the
 	   same file.  This is not good, so let's try updating an existing
-	   one, and create file only if it doesn't already exist.  This
-	   should be completely harmless on system that have no file
-	   versions.					-- Richard Levitte */
+	   one, and create file only if it doesn't already exist. */
+	/* At the same time, if we just update a file, we also need to
+	   truncate it, and unfortunately, ftruncate() and truncate() do
+	   not exist everywhere.  All that remains is to delete old versions
+	   of the random data file (done at the end). */
+#if 0
 	out=fopen(file,"rb+");
-	if (out == NULL && errno == ENOENT)
+	if (out == NULL && errno != ENOENT)
+		goto err;
+#endif
+#endif
+
+	if (out == NULL)
 		{
-		errno = 0;
+#if defined O_CREAT && defined O_EXCL
+		/* chmod(..., 0600) is too late to protect the file,
+		 * permissions should be restrictive from the start */
+		int fd = open(file, O_CREAT | O_EXCL, 0600);
+		if (fd != -1)
+			out = fdopen(fd, "wb");
+#else		
 		out=fopen(file,"wb");
+#endif
 		}
 	if (out == NULL) goto err;
+#ifndef NO_CHMOD
 	chmod(file,0600);
+#endif
 	n=RAND_DATA;
 	for (;;)
 		{
 		i=(n > BUFSIZE)?BUFSIZE:n;
 		n-=BUFSIZE;
-		RAND_bytes(buf,i);
+		if (RAND_bytes(buf,i) <= 0)
+			err=1;
 		i=fwrite(buf,1,i,out);
 		if (i <= 0)
 			{
@@ -144,13 +181,40 @@ int RAND_write_file(const char *file)
 		ret+=i;
 		if (n <= 0) break;
 		}
+#ifdef VMS
+	/* We may have updated an existing file using mode "rb+",
+	 * now remove any old extra bytes */
+#if 0
+	if (ret > 0)
+		ftruncate(fileno(out), ret);
+#else
+	/* Try to delete older versions of the file, until there aren't
+	   any */
+	{
+	char *tmpf;
+
+	tmpf = Malloc(strlen(file) + 4);  /* to add ";-1" and a nul */
+	if (tmpf)
+		{
+		strcpy(tmpf, file);
+		strcat(tmpf, ";-1");
+		while(delete(tmpf) == 0)
+			;
+		rename(file,";1"); /* Make sure it's version 1, or we
+				      will reach the limit (32767) at
+				      some point... */
+		}
+	}
+#endif
+#endif
+
 	fclose(out);
 	memset(buf,0,BUFSIZE);
 err:
-	return(ret);
+	return(err ? -1 : ret);
 	}
 
-char *RAND_file_name(char *buf, int size)
+const char *RAND_file_name(char *buf, int size)
 	{
 	char *s;
 	char *ret=NULL;
diff --git a/lib/libcrypto/rand/randtest.c b/lib/libcrypto/rand/randtest.c
index f0706d779a2..da96e3f6959 100644
--- a/lib/libcrypto/rand/randtest.c
+++ b/lib/libcrypto/rand/randtest.c
@@ -73,7 +73,7 @@ int main()
 	/*double d; */
 	long d;
 
-	RAND_bytes(buf,2500);
+	RAND_pseudo_bytes(buf,2500);
 
 	n1=0;
 	for (i=0; i<16; i++) n2[i]=0;
diff --git a/lib/libcrypto/rc2/rc2speed.c b/lib/libcrypto/rc2/rc2speed.c
index c3da63e77eb..9f7f5ccfa34 100644
--- a/lib/libcrypto/rc2/rc2speed.c
+++ b/lib/libcrypto/rc2/rc2speed.c
@@ -183,7 +183,7 @@ int main(int argc, char **argv)
 #endif
 
 #ifndef TIMES
-	printf("To get the most acurate results, try to run this\n");
+	printf("To get the most accurate results, try to run this\n");
 	printf("program when this computer is idle.\n");
 #endif
 
diff --git a/lib/libcrypto/rc2/rc2test.c b/lib/libcrypto/rc2/rc2test.c
index 6a5defa6ea8..521269ded18 100644
--- a/lib/libcrypto/rc2/rc2test.c
+++ b/lib/libcrypto/rc2/rc2test.c
@@ -72,7 +72,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/rc2.h>
 
-unsigned char RC2key[4][16]={
+static unsigned char RC2key[4][16]={
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 	 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
@@ -83,14 +83,14 @@ unsigned char RC2key[4][16]={
 	 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F},
 	};
 
-unsigned char RC2plain[4][8]={
+static unsigned char RC2plain[4][8]={
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
 	{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
 	};
 
-unsigned char RC2cipher[4][8]={
+static unsigned char RC2cipher[4][8]={
 	{0x1C,0x19,0x8A,0x83,0x8D,0xF0,0x28,0xB7},
 	{0x21,0x82,0x9C,0x78,0xA9,0xF9,0xC0,0x74},
 	{0x13,0xDB,0x35,0x17,0xD3,0x21,0x86,0x9E},
diff --git a/lib/libcrypto/rc4/rc4.h b/lib/libcrypto/rc4/rc4.h
index 7418c2a9a21..8556dddab0e 100644
--- a/lib/libcrypto/rc4/rc4.h
+++ b/lib/libcrypto/rc4/rc4.h
@@ -77,8 +77,8 @@ typedef struct rc4_key_st
 
  
 const char *RC4_options(void);
-void RC4_set_key(RC4_KEY *key, int len, unsigned char *data);
-void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
+void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
 		unsigned char *outdata);
 
 #ifdef  __cplusplus
diff --git a/lib/libcrypto/rc4/rc4_enc.c b/lib/libcrypto/rc4/rc4_enc.c
index 3256bea8cc8..d5f18a3a707 100644
--- a/lib/libcrypto/rc4/rc4_enc.c
+++ b/lib/libcrypto/rc4/rc4_enc.c
@@ -67,7 +67,7 @@
  * Date: Wed, 14 Sep 1994 06:35:31 GMT
  */
 
-void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
+void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
 	     unsigned char *outdata)
 	{
         register RC4_INT *d;
@@ -78,6 +78,190 @@ void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
         y=key->y;     
         d=key->data; 
 
+#if defined(RC4_CHUNK)
+	/*
+	 * The original reason for implementing this(*) was the fact that
+	 * pre-21164a Alpha CPUs don't have byte load/store instructions
+	 * and e.g. a byte store has to be done with 64-bit load, shift,
+	 * and, or and finally 64-bit store. Peaking data and operating
+	 * at natural word size made it possible to reduce amount of
+	 * instructions as well as to perform early read-ahead without
+	 * suffering from RAW (read-after-write) hazard. This resulted
+	 * in ~40%(**) performance improvement on 21064 box with gcc.
+	 * But it's not only Alpha users who win here:-) Thanks to the
+	 * early-n-wide read-ahead this implementation also exhibits
+	 * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
+	 * on sizeof(RC4_INT)).
+	 *
+	 * (*)	"this" means code which recognizes the case when input
+	 *	and output pointers appear to be aligned at natural CPU
+	 *	word boundary
+	 * (**)	i.e. according to 'apps/openssl speed rc4' benchmark,
+	 *	crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
+	 *
+	 * Cavets.
+	 *
+	 * - RC4_CHUNK="unsigned long long" should be a #1 choice for
+	 *   UltraSPARC. Unfortunately gcc generates very slow code
+	 *   (2.5-3 times slower than one generated by Sun's WorkShop
+	 *   C) and therefore gcc (at least 2.95 and earlier) should
+	 *   always be told that RC4_CHUNK="unsigned long".
+	 *
+	 *					<appro@fy.chalmers.se>
+	 */
+
+# define RC4_STEP	( \
+			x=(x+1) &0xff,	\
+			tx=d[x],	\
+			y=(tx+y)&0xff,	\
+			ty=d[y],	\
+			d[y]=tx,	\
+			d[x]=ty,	\
+			(RC4_CHUNK)d[(tx+ty)&0xff]\
+			)
+
+	if ( ( ((unsigned long)indata  & (sizeof(RC4_CHUNK)-1)) | 
+	       ((unsigned long)outdata & (sizeof(RC4_CHUNK)-1)) ) == 0 )
+		{
+		RC4_CHUNK ichunk,otp;
+		const union { long one; char little; } is_endian = {1};
+
+		/*
+		 * I reckon we can afford to implement both endian
+		 * cases and to decide which way to take at run-time
+		 * because the machine code appears to be very compact
+		 * and redundant 1-2KB is perfectly tolerable (i.e.
+		 * in case the compiler fails to eliminate it:-). By
+		 * suggestion from Terrel Larson <terr@terralogic.net>
+		 * who also stands for the is_endian union:-)
+		 *
+		 * Special notes.
+		 *
+		 * - is_endian is declared automatic as doing otherwise
+		 *   (declaring static) prevents gcc from eliminating
+		 *   the redundant code;
+		 * - compilers (those I've tried) don't seem to have
+		 *   problems eliminating either the operators guarded
+		 *   by "if (sizeof(RC4_CHUNK)==8)" or the condition
+		 *   expressions themselves so I've got 'em to replace
+		 *   corresponding #ifdefs from the previous version;
+		 * - I chose to let the redundant switch cases when
+		 *   sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
+		 *   before);
+		 * - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
+		 *   [LB]ESHFT guards against "shift is out of range"
+		 *   warnings when sizeof(RC4_CHUNK)!=8 
+		 *
+		 *			<appro@fy.chalmers.se>
+		 */
+		if (!is_endian.little)
+			{	/* BIG-ENDIAN CASE */
+# define BESHFT(c)	(((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
+			for (;len&-sizeof(RC4_CHUNK);len-=sizeof(RC4_CHUNK))
+				{
+				ichunk  = *(RC4_CHUNK *)indata;
+				otp  = RC4_STEP<<BESHFT(0);
+				otp |= RC4_STEP<<BESHFT(1);
+				otp |= RC4_STEP<<BESHFT(2);
+				otp |= RC4_STEP<<BESHFT(3);
+				if (sizeof(RC4_CHUNK)==8)
+					{
+					otp |= RC4_STEP<<BESHFT(4);
+					otp |= RC4_STEP<<BESHFT(5);
+					otp |= RC4_STEP<<BESHFT(6);
+					otp |= RC4_STEP<<BESHFT(7);
+					}
+				*(RC4_CHUNK *)outdata = otp^ichunk;
+				indata  += sizeof(RC4_CHUNK);
+				outdata += sizeof(RC4_CHUNK);
+				}
+			if (len)
+				{
+				RC4_CHUNK mask=(RC4_CHUNK)-1, ochunk;
+
+				ichunk = *(RC4_CHUNK *)indata;
+				ochunk = *(RC4_CHUNK *)outdata;
+				otp = 0;
+				i = BESHFT(0);
+				mask <<= (sizeof(RC4_CHUNK)-len)<<3;
+				switch (len&(sizeof(RC4_CHUNK)-1))
+					{
+					case 7:	otp  = RC4_STEP<<i, i-=8;
+					case 6:	otp |= RC4_STEP<<i, i-=8;
+					case 5:	otp |= RC4_STEP<<i, i-=8;
+					case 4:	otp |= RC4_STEP<<i, i-=8;
+					case 3:	otp |= RC4_STEP<<i, i-=8;
+					case 2:	otp |= RC4_STEP<<i, i-=8;
+					case 1:	otp |= RC4_STEP<<i, i-=8;
+					case 0: ; /*
+						   * it's never the case,
+						   * but it has to be here
+						   * for ultrix?
+						   */
+					}
+				ochunk &= ~mask;
+				ochunk |= (otp^ichunk) & mask;
+				*(RC4_CHUNK *)outdata = ochunk;
+				}
+			key->x=x;     
+			key->y=y;
+			return;
+			}
+		else
+			{	/* LITTLE-ENDIAN CASE */
+# define LESHFT(c)	(((c)*8)&(sizeof(RC4_CHUNK)*8-1))
+			for (;len&-sizeof(RC4_CHUNK);len-=sizeof(RC4_CHUNK))
+				{
+				ichunk  = *(RC4_CHUNK *)indata;
+				otp  = RC4_STEP;
+				otp |= RC4_STEP<<8;
+				otp |= RC4_STEP<<16;
+				otp |= RC4_STEP<<24;
+				if (sizeof(RC4_CHUNK)==8)
+					{
+					otp |= RC4_STEP<<LESHFT(4);
+					otp |= RC4_STEP<<LESHFT(5);
+					otp |= RC4_STEP<<LESHFT(6);
+					otp |= RC4_STEP<<LESHFT(7);
+					}
+				*(RC4_CHUNK *)outdata = otp^ichunk;
+				indata  += sizeof(RC4_CHUNK);
+				outdata += sizeof(RC4_CHUNK);
+				}
+			if (len)
+				{
+				RC4_CHUNK mask=(RC4_CHUNK)-1, ochunk;
+
+				ichunk = *(RC4_CHUNK *)indata;
+				ochunk = *(RC4_CHUNK *)outdata;
+				otp = 0;
+				i   = 0;
+				mask >>= (sizeof(RC4_CHUNK)-len)<<3;
+				switch (len&(sizeof(RC4_CHUNK)-1))
+					{
+					case 7:	otp  = RC4_STEP,    i+=8;
+					case 6:	otp |= RC4_STEP<<i, i+=8;
+					case 5:	otp |= RC4_STEP<<i, i+=8;
+					case 4:	otp |= RC4_STEP<<i, i+=8;
+					case 3:	otp |= RC4_STEP<<i, i+=8;
+					case 2:	otp |= RC4_STEP<<i, i+=8;
+					case 1:	otp |= RC4_STEP<<i, i+=8;
+					case 0: ; /*
+						   * it's never the case,
+						   * but it has to be here
+						   * for ultrix?
+						   */
+					}
+				ochunk &= ~mask;
+				ochunk |= (otp^ichunk) & mask;
+				*(RC4_CHUNK *)outdata = ochunk;
+				}
+			key->x=x;     
+			key->y=y;
+			return;
+			}
+		}
+#endif
 #define LOOP(in,out) \
 		x=((x+1)&0xff); \
 		tx=d[x]; \
diff --git a/lib/libcrypto/rc4/rc4_skey.c b/lib/libcrypto/rc4/rc4_skey.c
index c67a445f1f6..bb10c1ebe28 100644
--- a/lib/libcrypto/rc4/rc4_skey.c
+++ b/lib/libcrypto/rc4/rc4_skey.c
@@ -85,7 +85,7 @@ const char *RC4_options(void)
  * Date: Wed, 14 Sep 1994 06:35:31 GMT
  */
 
-void RC4_set_key(RC4_KEY *key, int len, register unsigned char *data)
+void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
 	{
         register RC4_INT tmp;
         register int id1,id2;
diff --git a/lib/libcrypto/rc4/rc4speed.c b/lib/libcrypto/rc4/rc4speed.c
index 4fb5ebf5738..b448f4a5c67 100644
--- a/lib/libcrypto/rc4/rc4speed.c
+++ b/lib/libcrypto/rc4/rc4speed.c
@@ -183,7 +183,7 @@ int main(int argc, char **argv)
 #endif
 
 #ifndef TIMES
-	printf("To get the most acurate results, try to run this\n");
+	printf("To get the most accurate results, try to run this\n");
 	printf("program when this computer is idle.\n");
 #endif
 
diff --git a/lib/libcrypto/rc4/rc4test.c b/lib/libcrypto/rc4/rc4test.c
index 5abf8cff307..3914eb6c383 100644
--- a/lib/libcrypto/rc4/rc4test.c
+++ b/lib/libcrypto/rc4/rc4test.c
@@ -69,7 +69,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/rc4.h>
 
-unsigned char keys[7][30]={
+static unsigned char keys[7][30]={
 	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
 	{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
 	{8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
@@ -78,8 +78,8 @@ unsigned char keys[7][30]={
 	{4,0xef,0x01,0x23,0x45},
 	};
 
-unsigned char data_len[7]={8,8,8,20,28,10};
-unsigned char data[7][30]={
+static unsigned char data_len[7]={8,8,8,20,28,10};
+static unsigned char data[7][30]={
 	{0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff},
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
 	{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
@@ -94,7 +94,7 @@ unsigned char data[7][30]={
 	{0},
 	};
 
-unsigned char output[7][30]={
+static unsigned char output[7][30]={
 	{0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00},
 	{0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00},
 	{0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00},
diff --git a/lib/libcrypto/ripemd/Makefile.ssl b/lib/libcrypto/ripemd/Makefile.ssl
index 5b6d1d25997..c6153d43615 100644
--- a/lib/libcrypto/ripemd/Makefile.ssl
+++ b/lib/libcrypto/ripemd/Makefile.ssl
@@ -102,6 +102,7 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
+rmd_dgst.o: ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
-rmd_dgst.o: rmd_locl.h rmdconst.h
-rmd_one.o: ../../include/openssl/ripemd.h rmd_locl.h rmdconst.h
+rmd_dgst.o: ../md32_common.h rmd_locl.h rmdconst.h
+rmd_one.o: ../../include/openssl/ripemd.h
diff --git a/lib/libcrypto/ripemd/asm/rips.cpp b/lib/libcrypto/ripemd/asm/rips.cpp
index 321a98443e5..f7a13677a92 100644
--- a/lib/libcrypto/ripemd/asm/rips.cpp
+++ b/lib/libcrypto/ripemd/asm/rips.cpp
@@ -34,6 +34,8 @@ void GetTSC(unsigned long& tsc)
 #include <stdlib.h>
 #include <openssl/ripemd.h>
 
+#define ripemd160_block_x86 ripemd160_block_asm_host_order
+
 extern "C" {
 void ripemd160_block_x86(RIPEMD160_CTX *ctx, unsigned char *buffer,int num);
 }
@@ -55,8 +57,10 @@ void main(int argc,char *argv[])
 	if (num == 0) num=16;
 	if (num > 250) num=16;
 	numm=num+2;
+#if 0
 	num*=64;
 	numm*=64;
+#endif
 
 	for (j=0; j<6; j++)
 		{
@@ -71,7 +75,7 @@ void main(int argc,char *argv[])
 			GetTSC(e2);
 			ripemd160_block_x86(&ctx,buffer,num);
 			}
-		printf("ripemd160 (%d bytes) %d %d (%.2f)\n",num,
+		printf("ripemd160 (%d bytes) %d %d (%.2f)\n",num*64,
 			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
 		}
 	}
diff --git a/lib/libcrypto/ripemd/asm/rm-win32.asm b/lib/libcrypto/ripemd/asm/rm-win32.asm
index bd38791c13b..f07d517857b 100644
--- a/lib/libcrypto/ripemd/asm/rm-win32.asm
+++ b/lib/libcrypto/ripemd/asm/rm-win32.asm
@@ -8,1965 +8,1966 @@
         .386
 .model FLAT
 _TEXT	SEGMENT
-PUBLIC	_ripemd160_block_x86
+PUBLIC	_ripemd160_block_asm_host_order
 
-_ripemd160_block_x86 PROC NEAR
+_ripemd160_block_asm_host_order PROC NEAR
+	mov	edx,		DWORD PTR 4[esp]
+	mov	eax,		DWORD PTR 8[esp]
 	push	esi
-	mov	ecx,		DWORD PTR 16[esp]
+	mov	ecx,		DWORD PTR [edx]
 	push	edi
-	mov	esi,		DWORD PTR 16[esp]
+	mov	esi,		DWORD PTR 4[edx]
 	push	ebp
-	add	ecx,		esi
+	mov	edi,		DWORD PTR 8[edx]
 	push	ebx
-	sub	ecx,		64
-	sub	esp,		88
-	mov	DWORD PTR [esp],ecx
-	mov	edi,		DWORD PTR 108[esp]
+	sub	esp,		108
 L000start:
 	; 
-	mov	eax,		DWORD PTR [esi]
-	mov	ebx,		DWORD PTR 4[esi]
-	mov	DWORD PTR 4[esp],eax
+	mov	ebx,		DWORD PTR [eax]
+	mov	ebp,		DWORD PTR 4[eax]
+	mov	DWORD PTR [esp],ebx
+	mov	DWORD PTR 4[esp],ebp
+	mov	ebx,		DWORD PTR 8[eax]
+	mov	ebp,		DWORD PTR 12[eax]
 	mov	DWORD PTR 8[esp],ebx
-	mov	eax,		DWORD PTR 8[esi]
-	mov	ebx,		DWORD PTR 12[esi]
-	mov	DWORD PTR 12[esp],eax
+	mov	DWORD PTR 12[esp],ebp
+	mov	ebx,		DWORD PTR 16[eax]
+	mov	ebp,		DWORD PTR 20[eax]
 	mov	DWORD PTR 16[esp],ebx
-	mov	eax,		DWORD PTR 16[esi]
-	mov	ebx,		DWORD PTR 20[esi]
-	mov	DWORD PTR 20[esp],eax
+	mov	DWORD PTR 20[esp],ebp
+	mov	ebx,		DWORD PTR 24[eax]
+	mov	ebp,		DWORD PTR 28[eax]
 	mov	DWORD PTR 24[esp],ebx
-	mov	eax,		DWORD PTR 24[esi]
-	mov	ebx,		DWORD PTR 28[esi]
-	mov	DWORD PTR 28[esp],eax
+	mov	DWORD PTR 28[esp],ebp
+	mov	ebx,		DWORD PTR 32[eax]
+	mov	ebp,		DWORD PTR 36[eax]
 	mov	DWORD PTR 32[esp],ebx
-	mov	eax,		DWORD PTR 32[esi]
-	mov	ebx,		DWORD PTR 36[esi]
-	mov	DWORD PTR 36[esp],eax
+	mov	DWORD PTR 36[esp],ebp
+	mov	ebx,		DWORD PTR 40[eax]
+	mov	ebp,		DWORD PTR 44[eax]
 	mov	DWORD PTR 40[esp],ebx
-	mov	eax,		DWORD PTR 40[esi]
-	mov	ebx,		DWORD PTR 44[esi]
-	mov	DWORD PTR 44[esp],eax
+	mov	DWORD PTR 44[esp],ebp
+	mov	ebx,		DWORD PTR 48[eax]
+	mov	ebp,		DWORD PTR 52[eax]
 	mov	DWORD PTR 48[esp],ebx
-	mov	eax,		DWORD PTR 48[esi]
-	mov	ebx,		DWORD PTR 52[esi]
-	mov	DWORD PTR 52[esp],eax
+	mov	DWORD PTR 52[esp],ebp
+	mov	ebx,		DWORD PTR 56[eax]
+	mov	ebp,		DWORD PTR 60[eax]
 	mov	DWORD PTR 56[esp],ebx
-	mov	eax,		DWORD PTR 56[esi]
-	mov	ebx,		DWORD PTR 60[esi]
-	mov	DWORD PTR 60[esp],eax
-	mov	DWORD PTR 64[esp],ebx
-	add	esi,		64
-	mov	eax,		DWORD PTR [edi]
-	mov	DWORD PTR 112[esp],esi
-	mov	ebx,		DWORD PTR 4[edi]
-	mov	ecx,		DWORD PTR 8[edi]
-	mov	edx,		DWORD PTR 12[edi]
-	mov	ebp,		DWORD PTR 16[edi]
+	mov	DWORD PTR 60[esp],ebp
+	mov	eax,		edi
+	mov	ebx,		DWORD PTR 12[edx]
+	mov	ebp,		DWORD PTR 16[edx]
 	; 0
-	mov	esi,		ecx
-	xor	esi,		edx
-	mov	edi,		DWORD PTR 4[esp]
-	xor	esi,		ebx
-	add	eax,		edi
-	rol	ecx,		10
-	add	eax,		esi
-	mov	esi,		ebx
-	rol	eax,		11
-	add	eax,		ebp
+	xor	eax,		ebx
+	mov	edx,		DWORD PTR [esp]
+	xor	eax,		esi
+	add	ecx,		edx
+	rol	edi,		10
+	add	ecx,		eax
+	mov	eax,		esi
+	rol	ecx,		11
+	add	ecx,		ebp
 	; 1
-	xor	esi,		ecx
-	mov	edi,		DWORD PTR 8[esp]
-	xor	esi,		eax
-	add	ebp,		esi
-	mov	esi,		eax
-	rol	ebx,		10
-	add	ebp,		edi
-	xor	esi,		ebx
-	rol	ebp,		14
+	xor	eax,		edi
+	mov	edx,		DWORD PTR 4[esp]
+	xor	eax,		ecx
+	add	ebp,		eax
+	mov	eax,		ecx
+	rol	esi,		10
 	add	ebp,		edx
+	xor	eax,		esi
+	rol	ebp,		14
+	add	ebp,		ebx
 	; 2
-	mov	edi,		DWORD PTR 12[esp]
-	xor	esi,		ebp
-	add	edx,		edi
-	rol	eax,		10
-	add	edx,		esi
-	mov	esi,		ebp
-	rol	edx,		15
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 8[esp]
+	xor	eax,		ebp
+	add	ebx,		edx
+	rol	ecx,		10
+	add	ebx,		eax
+	mov	eax,		ebp
+	rol	ebx,		15
+	add	ebx,		edi
 	; 3
-	xor	esi,		eax
-	mov	edi,		DWORD PTR 16[esp]
-	xor	esi,		edx
-	add	ecx,		esi
-	mov	esi,		edx
+	xor	eax,		ecx
+	mov	edx,		DWORD PTR 12[esp]
+	xor	eax,		ebx
+	add	edi,		eax
+	mov	eax,		ebx
 	rol	ebp,		10
-	add	ecx,		edi
-	xor	esi,		ebp
-	rol	ecx,		12
-	add	ecx,		ebx
+	add	edi,		edx
+	xor	eax,		ebp
+	rol	edi,		12
+	add	edi,		esi
 	; 4
-	mov	edi,		DWORD PTR 20[esp]
-	xor	esi,		ecx
-	add	ebx,		edi
-	rol	edx,		10
-	add	ebx,		esi
-	mov	esi,		ecx
-	rol	ebx,		5
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 16[esp]
+	xor	eax,		edi
+	add	esi,		edx
+	rol	ebx,		10
+	add	esi,		eax
+	mov	eax,		edi
+	rol	esi,		5
+	add	esi,		ecx
 	; 5
-	xor	esi,		edx
-	mov	edi,		DWORD PTR 24[esp]
-	xor	esi,		ebx
-	add	eax,		esi
-	mov	esi,		ebx
-	rol	ecx,		10
-	add	eax,		edi
-	xor	esi,		ecx
-	rol	eax,		8
-	add	eax,		ebp
+	xor	eax,		ebx
+	mov	edx,		DWORD PTR 20[esp]
+	xor	eax,		esi
+	add	ecx,		eax
+	mov	eax,		esi
+	rol	edi,		10
+	add	ecx,		edx
+	xor	eax,		edi
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 6
-	mov	edi,		DWORD PTR 28[esp]
-	xor	esi,		eax
-	add	ebp,		edi
-	rol	ebx,		10
-	add	ebp,		esi
-	mov	esi,		eax
-	rol	ebp,		7
+	mov	edx,		DWORD PTR 24[esp]
+	xor	eax,		ecx
 	add	ebp,		edx
+	rol	esi,		10
+	add	ebp,		eax
+	mov	eax,		ecx
+	rol	ebp,		7
+	add	ebp,		ebx
 	; 7
-	xor	esi,		ebx
-	mov	edi,		DWORD PTR 32[esp]
-	xor	esi,		ebp
-	add	edx,		esi
-	mov	esi,		ebp
-	rol	eax,		10
-	add	edx,		edi
-	xor	esi,		eax
-	rol	edx,		9
-	add	edx,		ecx
+	xor	eax,		esi
+	mov	edx,		DWORD PTR 28[esp]
+	xor	eax,		ebp
+	add	ebx,		eax
+	mov	eax,		ebp
+	rol	ecx,		10
+	add	ebx,		edx
+	xor	eax,		ecx
+	rol	ebx,		9
+	add	ebx,		edi
 	; 8
-	mov	edi,		DWORD PTR 36[esp]
-	xor	esi,		edx
-	add	ecx,		edi
+	mov	edx,		DWORD PTR 32[esp]
+	xor	eax,		ebx
+	add	edi,		edx
 	rol	ebp,		10
-	add	ecx,		esi
-	mov	esi,		edx
-	rol	ecx,		11
-	add	ecx,		ebx
+	add	edi,		eax
+	mov	eax,		ebx
+	rol	edi,		11
+	add	edi,		esi
 	; 9
-	xor	esi,		ebp
-	mov	edi,		DWORD PTR 40[esp]
-	xor	esi,		ecx
-	add	ebx,		esi
-	mov	esi,		ecx
-	rol	edx,		10
-	add	ebx,		edi
-	xor	esi,		edx
-	rol	ebx,		13
-	add	ebx,		eax
+	xor	eax,		ebp
+	mov	edx,		DWORD PTR 36[esp]
+	xor	eax,		edi
+	add	esi,		eax
+	mov	eax,		edi
+	rol	ebx,		10
+	add	esi,		edx
+	xor	eax,		ebx
+	rol	esi,		13
+	add	esi,		ecx
 	; 10
-	mov	edi,		DWORD PTR 44[esp]
-	xor	esi,		ebx
-	add	eax,		edi
-	rol	ecx,		10
-	add	eax,		esi
-	mov	esi,		ebx
-	rol	eax,		14
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 40[esp]
+	xor	eax,		esi
+	add	ecx,		edx
+	rol	edi,		10
+	add	ecx,		eax
+	mov	eax,		esi
+	rol	ecx,		14
+	add	ecx,		ebp
 	; 11
-	xor	esi,		ecx
-	mov	edi,		DWORD PTR 48[esp]
-	xor	esi,		eax
-	add	ebp,		esi
-	mov	esi,		eax
-	rol	ebx,		10
-	add	ebp,		edi
-	xor	esi,		ebx
-	rol	ebp,		15
+	xor	eax,		edi
+	mov	edx,		DWORD PTR 44[esp]
+	xor	eax,		ecx
+	add	ebp,		eax
+	mov	eax,		ecx
+	rol	esi,		10
 	add	ebp,		edx
+	xor	eax,		esi
+	rol	ebp,		15
+	add	ebp,		ebx
 	; 12
-	mov	edi,		DWORD PTR 52[esp]
-	xor	esi,		ebp
-	add	edx,		edi
-	rol	eax,		10
-	add	edx,		esi
-	mov	esi,		ebp
-	rol	edx,		6
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 48[esp]
+	xor	eax,		ebp
+	add	ebx,		edx
+	rol	ecx,		10
+	add	ebx,		eax
+	mov	eax,		ebp
+	rol	ebx,		6
+	add	ebx,		edi
 	; 13
-	xor	esi,		eax
-	mov	edi,		DWORD PTR 56[esp]
-	xor	esi,		edx
-	add	ecx,		esi
-	mov	esi,		edx
+	xor	eax,		ecx
+	mov	edx,		DWORD PTR 52[esp]
+	xor	eax,		ebx
+	add	edi,		eax
+	mov	eax,		ebx
 	rol	ebp,		10
-	add	ecx,		edi
-	xor	esi,		ebp
-	rol	ecx,		7
-	add	ecx,		ebx
+	add	edi,		edx
+	xor	eax,		ebp
+	rol	edi,		7
+	add	edi,		esi
 	; 14
-	mov	edi,		DWORD PTR 60[esp]
-	xor	esi,		ecx
-	add	ebx,		edi
-	rol	edx,		10
-	add	ebx,		esi
-	mov	esi,		ecx
-	rol	ebx,		9
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 56[esp]
+	xor	eax,		edi
+	add	esi,		edx
+	rol	ebx,		10
+	add	esi,		eax
+	mov	eax,		edi
+	rol	esi,		9
+	add	esi,		ecx
 	; 15
-	xor	esi,		edx
-	mov	edi,		DWORD PTR 64[esp]
-	xor	esi,		ebx
-	add	eax,		esi
-	mov	esi,		-1
-	rol	ecx,		10
-	add	eax,		edi
-	mov	edi,		DWORD PTR 32[esp]
-	rol	eax,		8
-	add	eax,		ebp
+	xor	eax,		ebx
+	mov	edx,		DWORD PTR 60[esp]
+	xor	eax,		esi
+	add	ecx,		eax
+	mov	eax,		-1
+	rol	edi,		10
+	add	ecx,		edx
+	mov	edx,		DWORD PTR 28[esp]
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 16
-	add	ebp,		edi
-	mov	edi,		ebx
-	sub	esi,		eax
-	and	edi,		eax
-	and	esi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 20[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1518500249[edi*1+ebp]
-	mov	edi,		-1
-	rol	ebp,		7
 	add	ebp,		edx
+	mov	edx,		esi
+	sub	eax,		ecx
+	and	edx,		ecx
+	and	eax,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 16[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1518500249[edx*1+ebp]
+	mov	edx,		-1
+	rol	ebp,		7
+	add	ebp,		ebx
 	; 17
-	add	edx,		esi
-	mov	esi,		eax
-	sub	edi,		ebp
-	and	esi,		ebp
-	and	edi,		ebx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 56[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1518500249[esi*1+edx]
-	mov	esi,		-1
-	rol	edx,		6
-	add	edx,		ecx
+	add	ebx,		eax
+	mov	eax,		ecx
+	sub	edx,		ebp
+	and	eax,		ebp
+	and	edx,		esi
+	or	eax,		edx
+	mov	edx,		DWORD PTR 52[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1518500249[eax*1+ebx]
+	mov	eax,		-1
+	rol	ebx,		6
+	add	ebx,		edi
 	; 18
-	add	ecx,		edi
-	mov	edi,		ebp
-	sub	esi,		edx
-	and	edi,		edx
-	and	esi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 8[esp]
+	add	edi,		edx
+	mov	edx,		ebp
+	sub	eax,		ebx
+	and	edx,		ebx
+	and	eax,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 4[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1518500249[edi*1+ecx]
-	mov	edi,		-1
-	rol	ecx,		8
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1518500249[edx*1+edi]
+	mov	edx,		-1
+	rol	edi,		8
+	add	edi,		esi
 	; 19
-	add	ebx,		esi
-	mov	esi,		edx
-	sub	edi,		ecx
-	and	esi,		ecx
-	and	edi,		ebp
-	or	esi,		edi
-	mov	edi,		DWORD PTR 44[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1518500249[esi*1+ebx]
-	mov	esi,		-1
-	rol	ebx,		13
-	add	ebx,		eax
+	add	esi,		eax
+	mov	eax,		ebx
+	sub	edx,		edi
+	and	eax,		edi
+	and	edx,		ebp
+	or	eax,		edx
+	mov	edx,		DWORD PTR 40[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1518500249[eax*1+esi]
+	mov	eax,		-1
+	rol	esi,		13
+	add	esi,		ecx
 	; 20
-	add	eax,		edi
-	mov	edi,		ecx
-	sub	esi,		ebx
-	and	edi,		ebx
-	and	esi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 28[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1518500249[edi*1+eax]
-	mov	edi,		-1
-	rol	eax,		11
-	add	eax,		ebp
+	add	ecx,		edx
+	mov	edx,		edi
+	sub	eax,		esi
+	and	edx,		esi
+	and	eax,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 24[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1518500249[edx*1+ecx]
+	mov	edx,		-1
+	rol	ecx,		11
+	add	ecx,		ebp
 	; 21
-	add	ebp,		esi
-	mov	esi,		ebx
-	sub	edi,		eax
-	and	esi,		eax
-	and	edi,		ecx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 64[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1518500249[esi*1+ebp]
-	mov	esi,		-1
+	add	ebp,		eax
+	mov	eax,		esi
+	sub	edx,		ecx
+	and	eax,		ecx
+	and	edx,		edi
+	or	eax,		edx
+	mov	edx,		DWORD PTR 60[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1518500249[eax*1+ebp]
+	mov	eax,		-1
 	rol	ebp,		9
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 22
-	add	edx,		edi
-	mov	edi,		eax
-	sub	esi,		ebp
-	and	edi,		ebp
-	and	esi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 16[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1518500249[edi*1+edx]
-	mov	edi,		-1
-	rol	edx,		7
-	add	edx,		ecx
+	add	ebx,		edx
+	mov	edx,		ecx
+	sub	eax,		ebp
+	and	edx,		ebp
+	and	eax,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 12[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1518500249[edx*1+ebx]
+	mov	edx,		-1
+	rol	ebx,		7
+	add	ebx,		edi
 	; 23
-	add	ecx,		esi
-	mov	esi,		ebp
-	sub	edi,		edx
-	and	esi,		edx
-	and	edi,		eax
-	or	esi,		edi
-	mov	edi,		DWORD PTR 52[esp]
+	add	edi,		eax
+	mov	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		ebx
+	and	edx,		ecx
+	or	eax,		edx
+	mov	edx,		DWORD PTR 48[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1518500249[esi*1+ecx]
-	mov	esi,		-1
-	rol	ecx,		15
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1518500249[eax*1+edi]
+	mov	eax,		-1
+	rol	edi,		15
+	add	edi,		esi
 	; 24
-	add	ebx,		edi
-	mov	edi,		edx
-	sub	esi,		ecx
-	and	edi,		ecx
-	and	esi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 4[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1518500249[edi*1+ebx]
-	mov	edi,		-1
-	rol	ebx,		7
-	add	ebx,		eax
+	add	esi,		edx
+	mov	edx,		ebx
+	sub	eax,		edi
+	and	edx,		edi
+	and	eax,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR [esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1518500249[edx*1+esi]
+	mov	edx,		-1
+	rol	esi,		7
+	add	esi,		ecx
 	; 25
-	add	eax,		esi
-	mov	esi,		ecx
-	sub	edi,		ebx
-	and	esi,		ebx
-	and	edi,		edx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 40[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1518500249[esi*1+eax]
-	mov	esi,		-1
-	rol	eax,		12
-	add	eax,		ebp
+	add	ecx,		eax
+	mov	eax,		edi
+	sub	edx,		esi
+	and	eax,		esi
+	and	edx,		ebx
+	or	eax,		edx
+	mov	edx,		DWORD PTR 36[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1518500249[eax*1+ecx]
+	mov	eax,		-1
+	rol	ecx,		12
+	add	ecx,		ebp
 	; 26
-	add	ebp,		edi
-	mov	edi,		ebx
-	sub	esi,		eax
-	and	edi,		eax
-	and	esi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 24[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1518500249[edi*1+ebp]
-	mov	edi,		-1
-	rol	ebp,		15
 	add	ebp,		edx
+	mov	edx,		esi
+	sub	eax,		ecx
+	and	edx,		ecx
+	and	eax,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 20[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1518500249[edx*1+ebp]
+	mov	edx,		-1
+	rol	ebp,		15
+	add	ebp,		ebx
 	; 27
-	add	edx,		esi
-	mov	esi,		eax
-	sub	edi,		ebp
-	and	esi,		ebp
-	and	edi,		ebx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 12[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1518500249[esi*1+edx]
-	mov	esi,		-1
-	rol	edx,		9
-	add	edx,		ecx
+	add	ebx,		eax
+	mov	eax,		ecx
+	sub	edx,		ebp
+	and	eax,		ebp
+	and	edx,		esi
+	or	eax,		edx
+	mov	edx,		DWORD PTR 8[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1518500249[eax*1+ebx]
+	mov	eax,		-1
+	rol	ebx,		9
+	add	ebx,		edi
 	; 28
-	add	ecx,		edi
-	mov	edi,		ebp
-	sub	esi,		edx
-	and	edi,		edx
-	and	esi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 60[esp]
+	add	edi,		edx
+	mov	edx,		ebp
+	sub	eax,		ebx
+	and	edx,		ebx
+	and	eax,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 56[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1518500249[edi*1+ecx]
-	mov	edi,		-1
-	rol	ecx,		11
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1518500249[edx*1+edi]
+	mov	edx,		-1
+	rol	edi,		11
+	add	edi,		esi
 	; 29
-	add	ebx,		esi
-	mov	esi,		edx
-	sub	edi,		ecx
-	and	esi,		ecx
-	and	edi,		ebp
-	or	esi,		edi
-	mov	edi,		DWORD PTR 48[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1518500249[esi*1+ebx]
-	mov	esi,		-1
-	rol	ebx,		7
-	add	ebx,		eax
+	add	esi,		eax
+	mov	eax,		ebx
+	sub	edx,		edi
+	and	eax,		edi
+	and	edx,		ebp
+	or	eax,		edx
+	mov	edx,		DWORD PTR 44[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1518500249[eax*1+esi]
+	mov	eax,		-1
+	rol	esi,		7
+	add	esi,		ecx
 	; 30
-	add	eax,		edi
-	mov	edi,		ecx
-	sub	esi,		ebx
-	and	edi,		ebx
-	and	esi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 36[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1518500249[edi*1+eax]
-	mov	edi,		-1
-	rol	eax,		13
-	add	eax,		ebp
+	add	ecx,		edx
+	mov	edx,		edi
+	sub	eax,		esi
+	and	edx,		esi
+	and	eax,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 32[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1518500249[edx*1+ecx]
+	mov	edx,		-1
+	rol	ecx,		13
+	add	ecx,		ebp
 	; 31
-	add	ebp,		esi
-	mov	esi,		ebx
-	sub	edi,		eax
-	and	esi,		eax
-	and	edi,		ecx
-	or	esi,		edi
-	mov	edi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1518500249[esi*1+ebp]
-	sub	edi,		eax
+	add	ebp,		eax
+	mov	eax,		esi
+	sub	edx,		ecx
+	and	eax,		ecx
+	and	edx,		edi
+	or	eax,		edx
+	mov	edx,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1518500249[eax*1+ebp]
+	sub	edx,		ecx
 	rol	ebp,		12
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 32
-	mov	esi,		DWORD PTR 16[esp]
-	or	edi,		ebp
-	add	edx,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1859775393[edi*1+edx]
-	sub	esi,		ebp
-	rol	edx,		11
-	add	edx,		ecx
+	mov	eax,		DWORD PTR 12[esp]
+	or	edx,		ebp
+	add	ebx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1859775393[edx*1+ebx]
+	sub	eax,		ebp
+	rol	ebx,		11
+	add	ebx,		edi
 	; 33
-	mov	edi,		DWORD PTR 44[esp]
-	or	esi,		edx
-	add	ecx,		edi
-	xor	esi,		eax
-	mov	edi,		-1
+	mov	edx,		DWORD PTR 40[esp]
+	or	eax,		ebx
+	add	edi,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1859775393[esi*1+ecx]
-	sub	edi,		edx
-	rol	ecx,		13
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1859775393[eax*1+edi]
+	sub	edx,		ebx
+	rol	edi,		13
+	add	edi,		esi
 	; 34
-	mov	esi,		DWORD PTR 60[esp]
-	or	edi,		ecx
-	add	ebx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1859775393[edi*1+ebx]
-	sub	esi,		ecx
-	rol	ebx,		6
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 56[esp]
+	or	edx,		edi
+	add	esi,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1859775393[edx*1+esi]
+	sub	eax,		edi
+	rol	esi,		6
+	add	esi,		ecx
 	; 35
-	mov	edi,		DWORD PTR 20[esp]
-	or	esi,		ebx
-	add	eax,		edi
-	xor	esi,		edx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1859775393[esi*1+eax]
-	sub	edi,		ebx
-	rol	eax,		7
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 16[esp]
+	or	eax,		esi
+	add	ecx,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1859775393[eax*1+ecx]
+	sub	edx,		esi
+	rol	ecx,		7
+	add	ecx,		ebp
 	; 36
-	mov	esi,		DWORD PTR 40[esp]
-	or	edi,		eax
-	add	ebp,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1859775393[edi*1+ebp]
-	sub	esi,		eax
+	mov	eax,		DWORD PTR 36[esp]
+	or	edx,		ecx
+	add	ebp,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1859775393[edx*1+ebp]
+	sub	eax,		ecx
 	rol	ebp,		14
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 37
-	mov	edi,		DWORD PTR 64[esp]
-	or	esi,		ebp
-	add	edx,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1859775393[esi*1+edx]
-	sub	edi,		ebp
-	rol	edx,		9
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 60[esp]
+	or	eax,		ebp
+	add	ebx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1859775393[eax*1+ebx]
+	sub	edx,		ebp
+	rol	ebx,		9
+	add	ebx,		edi
 	; 38
-	mov	esi,		DWORD PTR 36[esp]
-	or	edi,		edx
-	add	ecx,		esi
-	xor	edi,		eax
-	mov	esi,		-1
+	mov	eax,		DWORD PTR 32[esp]
+	or	edx,		ebx
+	add	edi,		eax
+	xor	edx,		ecx
+	mov	eax,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1859775393[edi*1+ecx]
-	sub	esi,		edx
-	rol	ecx,		13
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1859775393[edx*1+edi]
+	sub	eax,		ebx
+	rol	edi,		13
+	add	edi,		esi
 	; 39
-	mov	edi,		DWORD PTR 8[esp]
-	or	esi,		ecx
-	add	ebx,		edi
-	xor	esi,		ebp
-	mov	edi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1859775393[esi*1+ebx]
-	sub	edi,		ecx
-	rol	ebx,		15
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 4[esp]
+	or	eax,		edi
+	add	esi,		edx
+	xor	eax,		ebp
+	mov	edx,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1859775393[eax*1+esi]
+	sub	edx,		edi
+	rol	esi,		15
+	add	esi,		ecx
 	; 40
-	mov	esi,		DWORD PTR 12[esp]
-	or	edi,		ebx
-	add	eax,		esi
-	xor	edi,		edx
-	mov	esi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1859775393[edi*1+eax]
-	sub	esi,		ebx
-	rol	eax,		14
-	add	eax,		ebp
+	mov	eax,		DWORD PTR 8[esp]
+	or	edx,		esi
+	add	ecx,		eax
+	xor	edx,		ebx
+	mov	eax,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1859775393[edx*1+ecx]
+	sub	eax,		esi
+	rol	ecx,		14
+	add	ecx,		ebp
 	; 41
-	mov	edi,		DWORD PTR 32[esp]
-	or	esi,		eax
-	add	ebp,		edi
-	xor	esi,		ecx
-	mov	edi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1859775393[esi*1+ebp]
-	sub	edi,		eax
-	rol	ebp,		8
+	mov	edx,		DWORD PTR 28[esp]
+	or	eax,		ecx
 	add	ebp,		edx
+	xor	eax,		edi
+	mov	edx,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1859775393[eax*1+ebp]
+	sub	edx,		ecx
+	rol	ebp,		8
+	add	ebp,		ebx
 	; 42
-	mov	esi,		DWORD PTR 4[esp]
-	or	edi,		ebp
-	add	edx,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1859775393[edi*1+edx]
-	sub	esi,		ebp
-	rol	edx,		13
-	add	edx,		ecx
+	mov	eax,		DWORD PTR [esp]
+	or	edx,		ebp
+	add	ebx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1859775393[edx*1+ebx]
+	sub	eax,		ebp
+	rol	ebx,		13
+	add	ebx,		edi
 	; 43
-	mov	edi,		DWORD PTR 28[esp]
-	or	esi,		edx
-	add	ecx,		edi
-	xor	esi,		eax
-	mov	edi,		-1
+	mov	edx,		DWORD PTR 24[esp]
+	or	eax,		ebx
+	add	edi,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1859775393[esi*1+ecx]
-	sub	edi,		edx
-	rol	ecx,		6
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1859775393[eax*1+edi]
+	sub	edx,		ebx
+	rol	edi,		6
+	add	edi,		esi
 	; 44
-	mov	esi,		DWORD PTR 56[esp]
-	or	edi,		ecx
-	add	ebx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1859775393[edi*1+ebx]
-	sub	esi,		ecx
-	rol	ebx,		5
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 52[esp]
+	or	edx,		edi
+	add	esi,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1859775393[edx*1+esi]
+	sub	eax,		edi
+	rol	esi,		5
+	add	esi,		ecx
 	; 45
-	mov	edi,		DWORD PTR 48[esp]
-	or	esi,		ebx
-	add	eax,		edi
-	xor	esi,		edx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1859775393[esi*1+eax]
-	sub	edi,		ebx
-	rol	eax,		12
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 44[esp]
+	or	eax,		esi
+	add	ecx,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1859775393[eax*1+ecx]
+	sub	edx,		esi
+	rol	ecx,		12
+	add	ecx,		ebp
 	; 46
-	mov	esi,		DWORD PTR 24[esp]
-	or	edi,		eax
-	add	ebp,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1859775393[edi*1+ebp]
-	sub	esi,		eax
+	mov	eax,		DWORD PTR 20[esp]
+	or	edx,		ecx
+	add	ebp,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1859775393[edx*1+ebp]
+	sub	eax,		ecx
 	rol	ebp,		7
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 47
-	mov	edi,		DWORD PTR 52[esp]
-	or	esi,		ebp
-	add	edx,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1859775393[esi*1+edx]
-	mov	esi,		eax
-	rol	edx,		5
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 48[esp]
+	or	eax,		ebp
+	add	ebx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1859775393[eax*1+ebx]
+	mov	eax,		ecx
+	rol	ebx,		5
+	add	ebx,		edi
 	; 48
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 8[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 4[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2400959708[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	mov	esi,		ebp
-	rol	ecx,		11
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2400959708[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	mov	eax,		ebp
+	rol	edi,		11
+	add	edi,		esi
 	; 49
-	sub	edi,		ebp
-	and	esi,		ecx
-	and	edi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 40[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2400959708[edi+ebx]
-	mov	edi,		-1
-	add	ebx,		esi
-	mov	esi,		edx
-	rol	ebx,		12
-	add	ebx,		eax
+	sub	edx,		ebp
+	and	eax,		edi
+	and	edx,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 36[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2400959708[edx+esi]
+	mov	edx,		-1
+	add	esi,		eax
+	mov	eax,		ebx
+	rol	esi,		12
+	add	esi,		ecx
 	; 50
-	sub	edi,		edx
-	and	esi,		ebx
-	and	edi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 48[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2400959708[edi+eax]
-	mov	edi,		-1
-	add	eax,		esi
-	mov	esi,		ecx
-	rol	eax,		14
-	add	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		esi
+	and	edx,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 44[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2400959708[edx+ecx]
+	mov	edx,		-1
+	add	ecx,		eax
+	mov	eax,		edi
+	rol	ecx,		14
+	add	ecx,		ebp
 	; 51
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 44[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2400959708[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	mov	esi,		ebx
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 40[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2400959708[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	mov	eax,		esi
 	rol	ebp,		15
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 52
-	sub	edi,		ebx
-	and	esi,		ebp
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 4[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2400959708[edi+edx]
-	mov	edi,		-1
-	add	edx,		esi
-	mov	esi,		eax
-	rol	edx,		14
-	add	edx,		ecx
+	sub	edx,		esi
+	and	eax,		ebp
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR [esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2400959708[edx+ebx]
+	mov	edx,		-1
+	add	ebx,		eax
+	mov	eax,		ecx
+	rol	ebx,		14
+	add	ebx,		edi
 	; 53
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 36[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 32[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2400959708[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	mov	esi,		ebp
-	rol	ecx,		15
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2400959708[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	mov	eax,		ebp
+	rol	edi,		15
+	add	edi,		esi
 	; 54
-	sub	edi,		ebp
-	and	esi,		ecx
-	and	edi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 52[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2400959708[edi+ebx]
-	mov	edi,		-1
-	add	ebx,		esi
-	mov	esi,		edx
-	rol	ebx,		9
-	add	ebx,		eax
+	sub	edx,		ebp
+	and	eax,		edi
+	and	edx,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 48[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2400959708[edx+esi]
+	mov	edx,		-1
+	add	esi,		eax
+	mov	eax,		ebx
+	rol	esi,		9
+	add	esi,		ecx
 	; 55
-	sub	edi,		edx
-	and	esi,		ebx
-	and	edi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 20[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2400959708[edi+eax]
-	mov	edi,		-1
-	add	eax,		esi
-	mov	esi,		ecx
-	rol	eax,		8
-	add	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		esi
+	and	edx,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 16[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2400959708[edx+ecx]
+	mov	edx,		-1
+	add	ecx,		eax
+	mov	eax,		edi
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 56
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 56[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2400959708[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	mov	esi,		ebx
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 52[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2400959708[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	mov	eax,		esi
 	rol	ebp,		9
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 57
-	sub	edi,		ebx
-	and	esi,		ebp
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 16[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2400959708[edi+edx]
-	mov	edi,		-1
-	add	edx,		esi
-	mov	esi,		eax
-	rol	edx,		14
-	add	edx,		ecx
+	sub	edx,		esi
+	and	eax,		ebp
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 12[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2400959708[edx+ebx]
+	mov	edx,		-1
+	add	ebx,		eax
+	mov	eax,		ecx
+	rol	ebx,		14
+	add	ebx,		edi
 	; 58
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 32[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 28[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2400959708[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	mov	esi,		ebp
-	rol	ecx,		5
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2400959708[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	mov	eax,		ebp
+	rol	edi,		5
+	add	edi,		esi
 	; 59
-	sub	edi,		ebp
-	and	esi,		ecx
-	and	edi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 64[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2400959708[edi+ebx]
-	mov	edi,		-1
-	add	ebx,		esi
-	mov	esi,		edx
-	rol	ebx,		6
-	add	ebx,		eax
+	sub	edx,		ebp
+	and	eax,		edi
+	and	edx,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 60[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2400959708[edx+esi]
+	mov	edx,		-1
+	add	esi,		eax
+	mov	eax,		ebx
+	rol	esi,		6
+	add	esi,		ecx
 	; 60
-	sub	edi,		edx
-	and	esi,		ebx
-	and	edi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 60[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2400959708[edi+eax]
-	mov	edi,		-1
-	add	eax,		esi
-	mov	esi,		ecx
-	rol	eax,		8
-	add	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		esi
+	and	edx,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 56[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2400959708[edx+ecx]
+	mov	edx,		-1
+	add	ecx,		eax
+	mov	eax,		edi
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 61
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 24[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2400959708[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	mov	esi,		ebx
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 20[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2400959708[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	mov	eax,		esi
 	rol	ebp,		6
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 62
-	sub	edi,		ebx
-	and	esi,		ebp
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 28[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2400959708[edi+edx]
-	mov	edi,		-1
-	add	edx,		esi
-	mov	esi,		eax
-	rol	edx,		5
-	add	edx,		ecx
+	sub	edx,		esi
+	and	eax,		ebp
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 24[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2400959708[edx+ebx]
+	mov	edx,		-1
+	add	ebx,		eax
+	mov	eax,		ecx
+	rol	ebx,		5
+	add	ebx,		edi
 	; 63
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 12[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 8[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2400959708[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	sub	edi,		ebp
-	rol	ecx,		12
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2400959708[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	sub	edx,		ebp
+	rol	edi,		12
+	add	edi,		esi
 	; 64
-	mov	esi,		DWORD PTR 20[esp]
-	or	edi,		edx
-	add	ebx,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2840853838[edi*1+ebx]
-	sub	esi,		edx
-	rol	ebx,		9
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 16[esp]
+	or	edx,		ebx
+	add	esi,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2840853838[edx*1+esi]
+	sub	eax,		ebx
+	rol	esi,		9
+	add	esi,		ecx
 	; 65
-	mov	edi,		DWORD PTR 4[esp]
-	or	esi,		ecx
-	add	eax,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2840853838[esi*1+eax]
-	sub	edi,		ecx
-	rol	eax,		15
-	add	eax,		ebp
+	mov	edx,		DWORD PTR [esp]
+	or	eax,		edi
+	add	ecx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2840853838[eax*1+ecx]
+	sub	edx,		edi
+	rol	ecx,		15
+	add	ecx,		ebp
 	; 66
-	mov	esi,		DWORD PTR 24[esp]
-	or	edi,		ebx
-	add	ebp,		esi
-	xor	edi,		eax
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2840853838[edi*1+ebp]
-	sub	esi,		ebx
+	mov	eax,		DWORD PTR 20[esp]
+	or	edx,		esi
+	add	ebp,		eax
+	xor	edx,		ecx
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2840853838[edx*1+ebp]
+	sub	eax,		esi
 	rol	ebp,		5
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 67
-	mov	edi,		DWORD PTR 40[esp]
-	or	esi,		eax
-	add	edx,		edi
-	xor	esi,		ebp
-	mov	edi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2840853838[esi*1+edx]
-	sub	edi,		eax
-	rol	edx,		11
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 36[esp]
+	or	eax,		ecx
+	add	ebx,		edx
+	xor	eax,		ebp
+	mov	edx,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2840853838[eax*1+ebx]
+	sub	edx,		ecx
+	rol	ebx,		11
+	add	ebx,		edi
 	; 68
-	mov	esi,		DWORD PTR 32[esp]
-	or	edi,		ebp
-	add	ecx,		esi
-	xor	edi,		edx
-	mov	esi,		-1
+	mov	eax,		DWORD PTR 28[esp]
+	or	edx,		ebp
+	add	edi,		eax
+	xor	edx,		ebx
+	mov	eax,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2840853838[edi*1+ecx]
-	sub	esi,		ebp
-	rol	ecx,		6
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2840853838[edx*1+edi]
+	sub	eax,		ebp
+	rol	edi,		6
+	add	edi,		esi
 	; 69
-	mov	edi,		DWORD PTR 52[esp]
-	or	esi,		edx
-	add	ebx,		edi
-	xor	esi,		ecx
-	mov	edi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2840853838[esi*1+ebx]
-	sub	edi,		edx
-	rol	ebx,		8
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 48[esp]
+	or	eax,		ebx
+	add	esi,		edx
+	xor	eax,		edi
+	mov	edx,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2840853838[eax*1+esi]
+	sub	edx,		ebx
+	rol	esi,		8
+	add	esi,		ecx
 	; 70
-	mov	esi,		DWORD PTR 12[esp]
-	or	edi,		ecx
-	add	eax,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2840853838[edi*1+eax]
-	sub	esi,		ecx
-	rol	eax,		13
-	add	eax,		ebp
+	mov	eax,		DWORD PTR 8[esp]
+	or	edx,		edi
+	add	ecx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2840853838[edx*1+ecx]
+	sub	eax,		edi
+	rol	ecx,		13
+	add	ecx,		ebp
 	; 71
-	mov	edi,		DWORD PTR 44[esp]
-	or	esi,		ebx
-	add	ebp,		edi
-	xor	esi,		eax
-	mov	edi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2840853838[esi*1+ebp]
-	sub	edi,		ebx
-	rol	ebp,		12
+	mov	edx,		DWORD PTR 40[esp]
+	or	eax,		esi
 	add	ebp,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2840853838[eax*1+ebp]
+	sub	edx,		esi
+	rol	ebp,		12
+	add	ebp,		ebx
 	; 72
-	mov	esi,		DWORD PTR 60[esp]
-	or	edi,		eax
-	add	edx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2840853838[edi*1+edx]
-	sub	esi,		eax
-	rol	edx,		5
-	add	edx,		ecx
+	mov	eax,		DWORD PTR 56[esp]
+	or	edx,		ecx
+	add	ebx,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2840853838[edx*1+ebx]
+	sub	eax,		ecx
+	rol	ebx,		5
+	add	ebx,		edi
 	; 73
-	mov	edi,		DWORD PTR 8[esp]
-	or	esi,		ebp
-	add	ecx,		edi
-	xor	esi,		edx
-	mov	edi,		-1
+	mov	edx,		DWORD PTR 4[esp]
+	or	eax,		ebp
+	add	edi,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2840853838[esi*1+ecx]
-	sub	edi,		ebp
-	rol	ecx,		12
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2840853838[eax*1+edi]
+	sub	edx,		ebp
+	rol	edi,		12
+	add	edi,		esi
 	; 74
-	mov	esi,		DWORD PTR 16[esp]
-	or	edi,		edx
-	add	ebx,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2840853838[edi*1+ebx]
-	sub	esi,		edx
-	rol	ebx,		13
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 12[esp]
+	or	edx,		ebx
+	add	esi,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2840853838[edx*1+esi]
+	sub	eax,		ebx
+	rol	esi,		13
+	add	esi,		ecx
 	; 75
-	mov	edi,		DWORD PTR 36[esp]
-	or	esi,		ecx
-	add	eax,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2840853838[esi*1+eax]
-	sub	edi,		ecx
-	rol	eax,		14
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 32[esp]
+	or	eax,		edi
+	add	ecx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2840853838[eax*1+ecx]
+	sub	edx,		edi
+	rol	ecx,		14
+	add	ecx,		ebp
 	; 76
-	mov	esi,		DWORD PTR 48[esp]
-	or	edi,		ebx
-	add	ebp,		esi
-	xor	edi,		eax
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2840853838[edi*1+ebp]
-	sub	esi,		ebx
+	mov	eax,		DWORD PTR 44[esp]
+	or	edx,		esi
+	add	ebp,		eax
+	xor	edx,		ecx
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2840853838[edx*1+ebp]
+	sub	eax,		esi
 	rol	ebp,		11
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 77
-	mov	edi,		DWORD PTR 28[esp]
-	or	esi,		eax
-	add	edx,		edi
-	xor	esi,		ebp
-	mov	edi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2840853838[esi*1+edx]
-	sub	edi,		eax
-	rol	edx,		8
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 24[esp]
+	or	eax,		ecx
+	add	ebx,		edx
+	xor	eax,		ebp
+	mov	edx,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2840853838[eax*1+ebx]
+	sub	edx,		ecx
+	rol	ebx,		8
+	add	ebx,		edi
 	; 78
-	mov	esi,		DWORD PTR 64[esp]
-	or	edi,		ebp
-	add	ecx,		esi
-	xor	edi,		edx
-	mov	esi,		-1
+	mov	eax,		DWORD PTR 60[esp]
+	or	edx,		ebp
+	add	edi,		eax
+	xor	edx,		ebx
+	mov	eax,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2840853838[edi*1+ecx]
-	sub	esi,		ebp
-	rol	ecx,		5
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2840853838[edx*1+edi]
+	sub	eax,		ebp
+	rol	edi,		5
+	add	edi,		esi
 	; 79
-	mov	edi,		DWORD PTR 56[esp]
-	or	esi,		edx
-	add	ebx,		edi
-	xor	esi,		ecx
-	mov	edi,		DWORD PTR 108[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2840853838[esi*1+ebx]
-	mov	DWORD PTR 68[esp],eax
-	rol	ebx,		6
-	add	ebx,		eax
-	mov	eax,		DWORD PTR [edi]
-	mov	DWORD PTR 72[esp],ebx
-	mov	DWORD PTR 76[esp],ecx
-	mov	ebx,		DWORD PTR 4[edi]
-	mov	DWORD PTR 80[esp],edx
-	mov	ecx,		DWORD PTR 8[edi]
-	mov	DWORD PTR 84[esp],ebp
-	mov	edx,		DWORD PTR 12[edi]
-	mov	ebp,		DWORD PTR 16[edi]
+	mov	edx,		DWORD PTR 52[esp]
+	or	eax,		ebx
+	add	esi,		edx
+	xor	eax,		edi
+	mov	edx,		DWORD PTR 128[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2840853838[eax*1+esi]
+	mov	DWORD PTR 64[esp],ecx
+	rol	esi,		6
+	add	esi,		ecx
+	mov	ecx,		DWORD PTR [edx]
+	mov	DWORD PTR 68[esp],esi
+	mov	DWORD PTR 72[esp],edi
+	mov	esi,		DWORD PTR 4[edx]
+	mov	DWORD PTR 76[esp],ebx
+	mov	edi,		DWORD PTR 8[edx]
+	mov	DWORD PTR 80[esp],ebp
+	mov	ebx,		DWORD PTR 12[edx]
+	mov	ebp,		DWORD PTR 16[edx]
 	; 80
-	mov	edi,		-1
-	sub	edi,		edx
-	mov	esi,		DWORD PTR 24[esp]
-	or	edi,		ecx
-	add	eax,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1352829926[edi*1+eax]
-	sub	esi,		ecx
-	rol	eax,		8
-	add	eax,		ebp
+	mov	edx,		-1
+	sub	edx,		ebx
+	mov	eax,		DWORD PTR 20[esp]
+	or	edx,		edi
+	add	ecx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1352829926[edx*1+ecx]
+	sub	eax,		edi
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 81
-	mov	edi,		DWORD PTR 60[esp]
-	or	esi,		ebx
-	add	ebp,		edi
-	xor	esi,		eax
-	mov	edi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1352829926[esi*1+ebp]
-	sub	edi,		ebx
-	rol	ebp,		9
+	mov	edx,		DWORD PTR 56[esp]
+	or	eax,		esi
 	add	ebp,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1352829926[eax*1+ebp]
+	sub	edx,		esi
+	rol	ebp,		9
+	add	ebp,		ebx
 	; 82
-	mov	esi,		DWORD PTR 32[esp]
-	or	edi,		eax
-	add	edx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1352829926[edi*1+edx]
-	sub	esi,		eax
-	rol	edx,		9
-	add	edx,		ecx
+	mov	eax,		DWORD PTR 28[esp]
+	or	edx,		ecx
+	add	ebx,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1352829926[edx*1+ebx]
+	sub	eax,		ecx
+	rol	ebx,		9
+	add	ebx,		edi
 	; 83
-	mov	edi,		DWORD PTR 4[esp]
-	or	esi,		ebp
-	add	ecx,		edi
-	xor	esi,		edx
-	mov	edi,		-1
+	mov	edx,		DWORD PTR [esp]
+	or	eax,		ebp
+	add	edi,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1352829926[esi*1+ecx]
-	sub	edi,		ebp
-	rol	ecx,		11
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1352829926[eax*1+edi]
+	sub	edx,		ebp
+	rol	edi,		11
+	add	edi,		esi
 	; 84
-	mov	esi,		DWORD PTR 40[esp]
-	or	edi,		edx
-	add	ebx,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1352829926[edi*1+ebx]
-	sub	esi,		edx
-	rol	ebx,		13
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 36[esp]
+	or	edx,		ebx
+	add	esi,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1352829926[edx*1+esi]
+	sub	eax,		ebx
+	rol	esi,		13
+	add	esi,		ecx
 	; 85
-	mov	edi,		DWORD PTR 12[esp]
-	or	esi,		ecx
-	add	eax,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1352829926[esi*1+eax]
-	sub	edi,		ecx
-	rol	eax,		15
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 8[esp]
+	or	eax,		edi
+	add	ecx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1352829926[eax*1+ecx]
+	sub	edx,		edi
+	rol	ecx,		15
+	add	ecx,		ebp
 	; 86
-	mov	esi,		DWORD PTR 48[esp]
-	or	edi,		ebx
-	add	ebp,		esi
-	xor	edi,		eax
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1352829926[edi*1+ebp]
-	sub	esi,		ebx
+	mov	eax,		DWORD PTR 44[esp]
+	or	edx,		esi
+	add	ebp,		eax
+	xor	edx,		ecx
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1352829926[edx*1+ebp]
+	sub	eax,		esi
 	rol	ebp,		15
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 87
-	mov	edi,		DWORD PTR 20[esp]
-	or	esi,		eax
-	add	edx,		edi
-	xor	esi,		ebp
-	mov	edi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1352829926[esi*1+edx]
-	sub	edi,		eax
-	rol	edx,		5
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 16[esp]
+	or	eax,		ecx
+	add	ebx,		edx
+	xor	eax,		ebp
+	mov	edx,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1352829926[eax*1+ebx]
+	sub	edx,		ecx
+	rol	ebx,		5
+	add	ebx,		edi
 	; 88
-	mov	esi,		DWORD PTR 56[esp]
-	or	edi,		ebp
-	add	ecx,		esi
-	xor	edi,		edx
-	mov	esi,		-1
+	mov	eax,		DWORD PTR 52[esp]
+	or	edx,		ebp
+	add	edi,		eax
+	xor	edx,		ebx
+	mov	eax,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1352829926[edi*1+ecx]
-	sub	esi,		ebp
-	rol	ecx,		7
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1352829926[edx*1+edi]
+	sub	eax,		ebp
+	rol	edi,		7
+	add	edi,		esi
 	; 89
-	mov	edi,		DWORD PTR 28[esp]
-	or	esi,		edx
-	add	ebx,		edi
-	xor	esi,		ecx
-	mov	edi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1352829926[esi*1+ebx]
-	sub	edi,		edx
-	rol	ebx,		7
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 24[esp]
+	or	eax,		ebx
+	add	esi,		edx
+	xor	eax,		edi
+	mov	edx,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1352829926[eax*1+esi]
+	sub	edx,		ebx
+	rol	esi,		7
+	add	esi,		ecx
 	; 90
-	mov	esi,		DWORD PTR 64[esp]
-	or	edi,		ecx
-	add	eax,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1352829926[edi*1+eax]
-	sub	esi,		ecx
-	rol	eax,		8
-	add	eax,		ebp
+	mov	eax,		DWORD PTR 60[esp]
+	or	edx,		edi
+	add	ecx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1352829926[edx*1+ecx]
+	sub	eax,		edi
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 91
-	mov	edi,		DWORD PTR 36[esp]
-	or	esi,		ebx
-	add	ebp,		edi
-	xor	esi,		eax
-	mov	edi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1352829926[esi*1+ebp]
-	sub	edi,		ebx
-	rol	ebp,		11
+	mov	edx,		DWORD PTR 32[esp]
+	or	eax,		esi
 	add	ebp,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1352829926[eax*1+ebp]
+	sub	edx,		esi
+	rol	ebp,		11
+	add	ebp,		ebx
 	; 92
-	mov	esi,		DWORD PTR 8[esp]
-	or	edi,		eax
-	add	edx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1352829926[edi*1+edx]
-	sub	esi,		eax
-	rol	edx,		14
-	add	edx,		ecx
+	mov	eax,		DWORD PTR 4[esp]
+	or	edx,		ecx
+	add	ebx,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1352829926[edx*1+ebx]
+	sub	eax,		ecx
+	rol	ebx,		14
+	add	ebx,		edi
 	; 93
-	mov	edi,		DWORD PTR 44[esp]
-	or	esi,		ebp
-	add	ecx,		edi
-	xor	esi,		edx
-	mov	edi,		-1
+	mov	edx,		DWORD PTR 40[esp]
+	or	eax,		ebp
+	add	edi,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1352829926[esi*1+ecx]
-	sub	edi,		ebp
-	rol	ecx,		14
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1352829926[eax*1+edi]
+	sub	edx,		ebp
+	rol	edi,		14
+	add	edi,		esi
 	; 94
-	mov	esi,		DWORD PTR 16[esp]
-	or	edi,		edx
-	add	ebx,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1352829926[edi*1+ebx]
-	sub	esi,		edx
-	rol	ebx,		12
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 12[esp]
+	or	edx,		ebx
+	add	esi,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1352829926[edx*1+esi]
+	sub	eax,		ebx
+	rol	esi,		12
+	add	esi,		ecx
 	; 95
-	mov	edi,		DWORD PTR 52[esp]
-	or	esi,		ecx
-	add	eax,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1352829926[esi*1+eax]
-	mov	esi,		ecx
-	rol	eax,		6
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 48[esp]
+	or	eax,		edi
+	add	ecx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1352829926[eax*1+ecx]
+	mov	eax,		edi
+	rol	ecx,		6
+	add	ecx,		ebp
 	; 96
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 28[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1548603684[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	mov	esi,		ebx
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 24[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1548603684[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	mov	eax,		esi
 	rol	ebp,		9
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 97
-	sub	edi,		ebx
-	and	esi,		ebp
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 48[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1548603684[edi+edx]
-	mov	edi,		-1
-	add	edx,		esi
-	mov	esi,		eax
-	rol	edx,		13
-	add	edx,		ecx
+	sub	edx,		esi
+	and	eax,		ebp
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 44[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1548603684[edx+ebx]
+	mov	edx,		-1
+	add	ebx,		eax
+	mov	eax,		ecx
+	rol	ebx,		13
+	add	ebx,		edi
 	; 98
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 16[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 12[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1548603684[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	mov	esi,		ebp
-	rol	ecx,		15
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1548603684[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	mov	eax,		ebp
+	rol	edi,		15
+	add	edi,		esi
 	; 99
-	sub	edi,		ebp
-	and	esi,		ecx
-	and	edi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 32[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1548603684[edi+ebx]
-	mov	edi,		-1
-	add	ebx,		esi
-	mov	esi,		edx
-	rol	ebx,		7
-	add	ebx,		eax
+	sub	edx,		ebp
+	and	eax,		edi
+	and	edx,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 28[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1548603684[edx+esi]
+	mov	edx,		-1
+	add	esi,		eax
+	mov	eax,		ebx
+	rol	esi,		7
+	add	esi,		ecx
 	; 100
-	sub	edi,		edx
-	and	esi,		ebx
-	and	edi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 4[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1548603684[edi+eax]
-	mov	edi,		-1
-	add	eax,		esi
-	mov	esi,		ecx
-	rol	eax,		12
-	add	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		esi
+	and	edx,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR [esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1548603684[edx+ecx]
+	mov	edx,		-1
+	add	ecx,		eax
+	mov	eax,		edi
+	rol	ecx,		12
+	add	ecx,		ebp
 	; 101
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 56[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1548603684[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	mov	esi,		ebx
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 52[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1548603684[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	mov	eax,		esi
 	rol	ebp,		8
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 102
-	sub	edi,		ebx
-	and	esi,		ebp
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 24[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1548603684[edi+edx]
-	mov	edi,		-1
-	add	edx,		esi
-	mov	esi,		eax
-	rol	edx,		9
-	add	edx,		ecx
+	sub	edx,		esi
+	and	eax,		ebp
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 20[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1548603684[edx+ebx]
+	mov	edx,		-1
+	add	ebx,		eax
+	mov	eax,		ecx
+	rol	ebx,		9
+	add	ebx,		edi
 	; 103
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 44[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 40[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1548603684[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	mov	esi,		ebp
-	rol	ecx,		11
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1548603684[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	mov	eax,		ebp
+	rol	edi,		11
+	add	edi,		esi
 	; 104
-	sub	edi,		ebp
-	and	esi,		ecx
-	and	edi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 60[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1548603684[edi+ebx]
-	mov	edi,		-1
-	add	ebx,		esi
-	mov	esi,		edx
-	rol	ebx,		7
-	add	ebx,		eax
+	sub	edx,		ebp
+	and	eax,		edi
+	and	edx,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 56[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1548603684[edx+esi]
+	mov	edx,		-1
+	add	esi,		eax
+	mov	eax,		ebx
+	rol	esi,		7
+	add	esi,		ecx
 	; 105
-	sub	edi,		edx
-	and	esi,		ebx
-	and	edi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 64[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1548603684[edi+eax]
-	mov	edi,		-1
-	add	eax,		esi
-	mov	esi,		ecx
-	rol	eax,		7
-	add	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		esi
+	and	edx,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 60[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1548603684[edx+ecx]
+	mov	edx,		-1
+	add	ecx,		eax
+	mov	eax,		edi
+	rol	ecx,		7
+	add	ecx,		ebp
 	; 106
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 36[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1548603684[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	mov	esi,		ebx
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 32[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1548603684[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	mov	eax,		esi
 	rol	ebp,		12
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 107
-	sub	edi,		ebx
-	and	esi,		ebp
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 52[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1548603684[edi+edx]
-	mov	edi,		-1
-	add	edx,		esi
-	mov	esi,		eax
-	rol	edx,		7
-	add	edx,		ecx
+	sub	edx,		esi
+	and	eax,		ebp
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 48[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1548603684[edx+ebx]
+	mov	edx,		-1
+	add	ebx,		eax
+	mov	eax,		ecx
+	rol	ebx,		7
+	add	ebx,		edi
 	; 108
-	sub	edi,		eax
-	and	esi,		edx
-	and	edi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 20[esp]
+	sub	edx,		ecx
+	and	eax,		ebx
+	and	edx,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR 16[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1548603684[edi+ecx]
-	mov	edi,		-1
-	add	ecx,		esi
-	mov	esi,		ebp
-	rol	ecx,		6
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1548603684[edx+edi]
+	mov	edx,		-1
+	add	edi,		eax
+	mov	eax,		ebp
+	rol	edi,		6
+	add	edi,		esi
 	; 109
-	sub	edi,		ebp
-	and	esi,		ecx
-	and	edi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 40[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1548603684[edi+ebx]
-	mov	edi,		-1
-	add	ebx,		esi
-	mov	esi,		edx
-	rol	ebx,		15
-	add	ebx,		eax
+	sub	edx,		ebp
+	and	eax,		edi
+	and	edx,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 36[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1548603684[edx+esi]
+	mov	edx,		-1
+	add	esi,		eax
+	mov	eax,		ebx
+	rol	esi,		15
+	add	esi,		ecx
 	; 110
-	sub	edi,		edx
-	and	esi,		ebx
-	and	edi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 8[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1548603684[edi+eax]
-	mov	edi,		-1
-	add	eax,		esi
-	mov	esi,		ecx
-	rol	eax,		13
-	add	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		esi
+	and	edx,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 4[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1548603684[edx+ecx]
+	mov	edx,		-1
+	add	ecx,		eax
+	mov	eax,		edi
+	rol	ecx,		13
+	add	ecx,		ebp
 	; 111
-	sub	edi,		ecx
-	and	esi,		eax
-	and	edi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 12[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1548603684[edi+ebp]
-	mov	edi,		-1
-	add	ebp,		esi
-	sub	edi,		eax
+	sub	edx,		edi
+	and	eax,		ecx
+	and	edx,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 8[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1548603684[edx+ebp]
+	mov	edx,		-1
+	add	ebp,		eax
+	sub	edx,		ecx
 	rol	ebp,		11
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 112
-	mov	esi,		DWORD PTR 64[esp]
-	or	edi,		ebp
-	add	edx,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1836072691[edi*1+edx]
-	sub	esi,		ebp
-	rol	edx,		9
-	add	edx,		ecx
+	mov	eax,		DWORD PTR 60[esp]
+	or	edx,		ebp
+	add	ebx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1836072691[edx*1+ebx]
+	sub	eax,		ebp
+	rol	ebx,		9
+	add	ebx,		edi
 	; 113
-	mov	edi,		DWORD PTR 24[esp]
-	or	esi,		edx
-	add	ecx,		edi
-	xor	esi,		eax
-	mov	edi,		-1
+	mov	edx,		DWORD PTR 20[esp]
+	or	eax,		ebx
+	add	edi,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1836072691[esi*1+ecx]
-	sub	edi,		edx
-	rol	ecx,		7
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1836072691[eax*1+edi]
+	sub	edx,		ebx
+	rol	edi,		7
+	add	edi,		esi
 	; 114
-	mov	esi,		DWORD PTR 8[esp]
-	or	edi,		ecx
-	add	ebx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1836072691[edi*1+ebx]
-	sub	esi,		ecx
-	rol	ebx,		15
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 4[esp]
+	or	edx,		edi
+	add	esi,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1836072691[edx*1+esi]
+	sub	eax,		edi
+	rol	esi,		15
+	add	esi,		ecx
 	; 115
-	mov	edi,		DWORD PTR 16[esp]
-	or	esi,		ebx
-	add	eax,		edi
-	xor	esi,		edx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1836072691[esi*1+eax]
-	sub	edi,		ebx
-	rol	eax,		11
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 12[esp]
+	or	eax,		esi
+	add	ecx,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1836072691[eax*1+ecx]
+	sub	edx,		esi
+	rol	ecx,		11
+	add	ecx,		ebp
 	; 116
-	mov	esi,		DWORD PTR 32[esp]
-	or	edi,		eax
-	add	ebp,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1836072691[edi*1+ebp]
-	sub	esi,		eax
+	mov	eax,		DWORD PTR 28[esp]
+	or	edx,		ecx
+	add	ebp,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1836072691[edx*1+ebp]
+	sub	eax,		ecx
 	rol	ebp,		8
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 117
-	mov	edi,		DWORD PTR 60[esp]
-	or	esi,		ebp
-	add	edx,		edi
-	xor	esi,		ebx
-	mov	edi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1836072691[esi*1+edx]
-	sub	edi,		ebp
-	rol	edx,		6
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 56[esp]
+	or	eax,		ebp
+	add	ebx,		edx
+	xor	eax,		esi
+	mov	edx,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1836072691[eax*1+ebx]
+	sub	edx,		ebp
+	rol	ebx,		6
+	add	ebx,		edi
 	; 118
-	mov	esi,		DWORD PTR 28[esp]
-	or	edi,		edx
-	add	ecx,		esi
-	xor	edi,		eax
-	mov	esi,		-1
+	mov	eax,		DWORD PTR 24[esp]
+	or	edx,		ebx
+	add	edi,		eax
+	xor	edx,		ecx
+	mov	eax,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1836072691[edi*1+ecx]
-	sub	esi,		edx
-	rol	ecx,		6
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1836072691[edx*1+edi]
+	sub	eax,		ebx
+	rol	edi,		6
+	add	edi,		esi
 	; 119
-	mov	edi,		DWORD PTR 40[esp]
-	or	esi,		ecx
-	add	ebx,		edi
-	xor	esi,		ebp
-	mov	edi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1836072691[esi*1+ebx]
-	sub	edi,		ecx
-	rol	ebx,		14
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 36[esp]
+	or	eax,		edi
+	add	esi,		edx
+	xor	eax,		ebp
+	mov	edx,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1836072691[eax*1+esi]
+	sub	edx,		edi
+	rol	esi,		14
+	add	esi,		ecx
 	; 120
-	mov	esi,		DWORD PTR 48[esp]
-	or	edi,		ebx
-	add	eax,		esi
-	xor	edi,		edx
-	mov	esi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1836072691[edi*1+eax]
-	sub	esi,		ebx
-	rol	eax,		12
-	add	eax,		ebp
+	mov	eax,		DWORD PTR 44[esp]
+	or	edx,		esi
+	add	ecx,		eax
+	xor	edx,		ebx
+	mov	eax,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1836072691[edx*1+ecx]
+	sub	eax,		esi
+	rol	ecx,		12
+	add	ecx,		ebp
 	; 121
-	mov	edi,		DWORD PTR 36[esp]
-	or	esi,		eax
-	add	ebp,		edi
-	xor	esi,		ecx
-	mov	edi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1836072691[esi*1+ebp]
-	sub	edi,		eax
-	rol	ebp,		13
+	mov	edx,		DWORD PTR 32[esp]
+	or	eax,		ecx
 	add	ebp,		edx
+	xor	eax,		edi
+	mov	edx,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1836072691[eax*1+ebp]
+	sub	edx,		ecx
+	rol	ebp,		13
+	add	ebp,		ebx
 	; 122
-	mov	esi,		DWORD PTR 52[esp]
-	or	edi,		ebp
-	add	edx,		esi
-	xor	edi,		ebx
-	mov	esi,		-1
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1836072691[edi*1+edx]
-	sub	esi,		ebp
-	rol	edx,		5
-	add	edx,		ecx
+	mov	eax,		DWORD PTR 48[esp]
+	or	edx,		ebp
+	add	ebx,		eax
+	xor	edx,		esi
+	mov	eax,		-1
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1836072691[edx*1+ebx]
+	sub	eax,		ebp
+	rol	ebx,		5
+	add	ebx,		edi
 	; 123
-	mov	edi,		DWORD PTR 12[esp]
-	or	esi,		edx
-	add	ecx,		edi
-	xor	esi,		eax
-	mov	edi,		-1
+	mov	edx,		DWORD PTR 8[esp]
+	or	eax,		ebx
+	add	edi,		edx
+	xor	eax,		ecx
+	mov	edx,		-1
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 1836072691[esi*1+ecx]
-	sub	edi,		edx
-	rol	ecx,		14
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 1836072691[eax*1+edi]
+	sub	edx,		ebx
+	rol	edi,		14
+	add	edi,		esi
 	; 124
-	mov	esi,		DWORD PTR 44[esp]
-	or	edi,		ecx
-	add	ebx,		esi
-	xor	edi,		ebp
-	mov	esi,		-1
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 1836072691[edi*1+ebx]
-	sub	esi,		ecx
-	rol	ebx,		13
-	add	ebx,		eax
+	mov	eax,		DWORD PTR 40[esp]
+	or	edx,		edi
+	add	esi,		eax
+	xor	edx,		ebp
+	mov	eax,		-1
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 1836072691[edx*1+esi]
+	sub	eax,		edi
+	rol	esi,		13
+	add	esi,		ecx
 	; 125
-	mov	edi,		DWORD PTR 4[esp]
-	or	esi,		ebx
-	add	eax,		edi
-	xor	esi,		edx
-	mov	edi,		-1
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 1836072691[esi*1+eax]
-	sub	edi,		ebx
-	rol	eax,		13
-	add	eax,		ebp
+	mov	edx,		DWORD PTR [esp]
+	or	eax,		esi
+	add	ecx,		edx
+	xor	eax,		ebx
+	mov	edx,		-1
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 1836072691[eax*1+ecx]
+	sub	edx,		esi
+	rol	ecx,		13
+	add	ecx,		ebp
 	; 126
-	mov	esi,		DWORD PTR 20[esp]
-	or	edi,		eax
-	add	ebp,		esi
-	xor	edi,		ecx
-	mov	esi,		-1
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 1836072691[edi*1+ebp]
-	sub	esi,		eax
+	mov	eax,		DWORD PTR 16[esp]
+	or	edx,		ecx
+	add	ebp,		eax
+	xor	edx,		edi
+	mov	eax,		-1
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 1836072691[edx*1+ebp]
+	sub	eax,		ecx
 	rol	ebp,		7
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 127
-	mov	edi,		DWORD PTR 56[esp]
-	or	esi,		ebp
-	add	edx,		edi
-	xor	esi,		ebx
-	mov	edi,		DWORD PTR 36[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 1836072691[esi*1+edx]
-	mov	esi,		-1
-	rol	edx,		5
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 52[esp]
+	or	eax,		ebp
+	add	ebx,		edx
+	xor	eax,		esi
+	mov	edx,		DWORD PTR 32[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 1836072691[eax*1+ebx]
+	mov	eax,		-1
+	rol	ebx,		5
+	add	ebx,		edi
 	; 128
-	add	ecx,		edi
-	mov	edi,		ebp
-	sub	esi,		edx
-	and	edi,		edx
-	and	esi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 28[esp]
+	add	edi,		edx
+	mov	edx,		ebp
+	sub	eax,		ebx
+	and	edx,		ebx
+	and	eax,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 24[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2053994217[edi*1+ecx]
-	mov	edi,		-1
-	rol	ecx,		15
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2053994217[edx*1+edi]
+	mov	edx,		-1
+	rol	edi,		15
+	add	edi,		esi
 	; 129
-	add	ebx,		esi
-	mov	esi,		edx
-	sub	edi,		ecx
-	and	esi,		ecx
-	and	edi,		ebp
-	or	esi,		edi
-	mov	edi,		DWORD PTR 20[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2053994217[esi*1+ebx]
-	mov	esi,		-1
-	rol	ebx,		5
-	add	ebx,		eax
+	add	esi,		eax
+	mov	eax,		ebx
+	sub	edx,		edi
+	and	eax,		edi
+	and	edx,		ebp
+	or	eax,		edx
+	mov	edx,		DWORD PTR 16[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2053994217[eax*1+esi]
+	mov	eax,		-1
+	rol	esi,		5
+	add	esi,		ecx
 	; 130
-	add	eax,		edi
-	mov	edi,		ecx
-	sub	esi,		ebx
-	and	edi,		ebx
-	and	esi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 8[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2053994217[edi*1+eax]
-	mov	edi,		-1
-	rol	eax,		8
-	add	eax,		ebp
+	add	ecx,		edx
+	mov	edx,		edi
+	sub	eax,		esi
+	and	edx,		esi
+	and	eax,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 4[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2053994217[edx*1+ecx]
+	mov	edx,		-1
+	rol	ecx,		8
+	add	ecx,		ebp
 	; 131
-	add	ebp,		esi
-	mov	esi,		ebx
-	sub	edi,		eax
-	and	esi,		eax
-	and	edi,		ecx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 16[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2053994217[esi*1+ebp]
-	mov	esi,		-1
+	add	ebp,		eax
+	mov	eax,		esi
+	sub	edx,		ecx
+	and	eax,		ecx
+	and	edx,		edi
+	or	eax,		edx
+	mov	edx,		DWORD PTR 12[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2053994217[eax*1+ebp]
+	mov	eax,		-1
 	rol	ebp,		11
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 132
-	add	edx,		edi
-	mov	edi,		eax
-	sub	esi,		ebp
-	and	edi,		ebp
-	and	esi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 48[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2053994217[edi*1+edx]
-	mov	edi,		-1
-	rol	edx,		14
-	add	edx,		ecx
+	add	ebx,		edx
+	mov	edx,		ecx
+	sub	eax,		ebp
+	and	edx,		ebp
+	and	eax,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 44[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2053994217[edx*1+ebx]
+	mov	edx,		-1
+	rol	ebx,		14
+	add	ebx,		edi
 	; 133
-	add	ecx,		esi
-	mov	esi,		ebp
-	sub	edi,		edx
-	and	esi,		edx
-	and	edi,		eax
-	or	esi,		edi
-	mov	edi,		DWORD PTR 64[esp]
+	add	edi,		eax
+	mov	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		ebx
+	and	edx,		ecx
+	or	eax,		edx
+	mov	edx,		DWORD PTR 60[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2053994217[esi*1+ecx]
-	mov	esi,		-1
-	rol	ecx,		14
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2053994217[eax*1+edi]
+	mov	eax,		-1
+	rol	edi,		14
+	add	edi,		esi
 	; 134
-	add	ebx,		edi
-	mov	edi,		edx
-	sub	esi,		ecx
-	and	edi,		ecx
-	and	esi,		ebp
-	or	edi,		esi
-	mov	esi,		DWORD PTR 4[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2053994217[edi*1+ebx]
-	mov	edi,		-1
-	rol	ebx,		6
-	add	ebx,		eax
+	add	esi,		edx
+	mov	edx,		ebx
+	sub	eax,		edi
+	and	edx,		edi
+	and	eax,		ebp
+	or	edx,		eax
+	mov	eax,		DWORD PTR [esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2053994217[edx*1+esi]
+	mov	edx,		-1
+	rol	esi,		6
+	add	esi,		ecx
 	; 135
-	add	eax,		esi
-	mov	esi,		ecx
-	sub	edi,		ebx
-	and	esi,		ebx
-	and	edi,		edx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 24[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2053994217[esi*1+eax]
-	mov	esi,		-1
-	rol	eax,		14
-	add	eax,		ebp
+	add	ecx,		eax
+	mov	eax,		edi
+	sub	edx,		esi
+	and	eax,		esi
+	and	edx,		ebx
+	or	eax,		edx
+	mov	edx,		DWORD PTR 20[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2053994217[eax*1+ecx]
+	mov	eax,		-1
+	rol	ecx,		14
+	add	ecx,		ebp
 	; 136
-	add	ebp,		edi
-	mov	edi,		ebx
-	sub	esi,		eax
-	and	edi,		eax
-	and	esi,		ecx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 52[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2053994217[edi*1+ebp]
-	mov	edi,		-1
-	rol	ebp,		6
 	add	ebp,		edx
+	mov	edx,		esi
+	sub	eax,		ecx
+	and	edx,		ecx
+	and	eax,		edi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 48[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2053994217[edx*1+ebp]
+	mov	edx,		-1
+	rol	ebp,		6
+	add	ebp,		ebx
 	; 137
-	add	edx,		esi
-	mov	esi,		eax
-	sub	edi,		ebp
-	and	esi,		ebp
-	and	edi,		ebx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 12[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2053994217[esi*1+edx]
-	mov	esi,		-1
-	rol	edx,		9
-	add	edx,		ecx
+	add	ebx,		eax
+	mov	eax,		ecx
+	sub	edx,		ebp
+	and	eax,		ebp
+	and	edx,		esi
+	or	eax,		edx
+	mov	edx,		DWORD PTR 8[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2053994217[eax*1+ebx]
+	mov	eax,		-1
+	rol	ebx,		9
+	add	ebx,		edi
 	; 138
-	add	ecx,		edi
-	mov	edi,		ebp
-	sub	esi,		edx
-	and	edi,		edx
-	and	esi,		eax
-	or	edi,		esi
-	mov	esi,		DWORD PTR 56[esp]
+	add	edi,		edx
+	mov	edx,		ebp
+	sub	eax,		ebx
+	and	edx,		ebx
+	and	eax,		ecx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 52[esp]
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2053994217[edi*1+ecx]
-	mov	edi,		-1
-	rol	ecx,		12
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2053994217[edx*1+edi]
+	mov	edx,		-1
+	rol	edi,		12
+	add	edi,		esi
 	; 139
-	add	ebx,		esi
-	mov	esi,		edx
-	sub	edi,		ecx
-	and	esi,		ecx
-	and	edi,		ebp
-	or	esi,		edi
-	mov	edi,		DWORD PTR 40[esp]
-	rol	edx,		10
-	lea	ebx,		DWORD PTR 2053994217[esi*1+ebx]
-	mov	esi,		-1
-	rol	ebx,		9
-	add	ebx,		eax
+	add	esi,		eax
+	mov	eax,		ebx
+	sub	edx,		edi
+	and	eax,		edi
+	and	edx,		ebp
+	or	eax,		edx
+	mov	edx,		DWORD PTR 36[esp]
+	rol	ebx,		10
+	lea	esi,		DWORD PTR 2053994217[eax*1+esi]
+	mov	eax,		-1
+	rol	esi,		9
+	add	esi,		ecx
 	; 140
-	add	eax,		edi
-	mov	edi,		ecx
-	sub	esi,		ebx
-	and	edi,		ebx
-	and	esi,		edx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 32[esp]
-	rol	ecx,		10
-	lea	eax,		DWORD PTR 2053994217[edi*1+eax]
-	mov	edi,		-1
-	rol	eax,		12
-	add	eax,		ebp
+	add	ecx,		edx
+	mov	edx,		edi
+	sub	eax,		esi
+	and	edx,		esi
+	and	eax,		ebx
+	or	edx,		eax
+	mov	eax,		DWORD PTR 28[esp]
+	rol	edi,		10
+	lea	ecx,		DWORD PTR 2053994217[edx*1+ecx]
+	mov	edx,		-1
+	rol	ecx,		12
+	add	ecx,		ebp
 	; 141
-	add	ebp,		esi
-	mov	esi,		ebx
-	sub	edi,		eax
-	and	esi,		eax
-	and	edi,		ecx
-	or	esi,		edi
-	mov	edi,		DWORD PTR 44[esp]
-	rol	ebx,		10
-	lea	ebp,		DWORD PTR 2053994217[esi*1+ebp]
-	mov	esi,		-1
+	add	ebp,		eax
+	mov	eax,		esi
+	sub	edx,		ecx
+	and	eax,		ecx
+	and	edx,		edi
+	or	eax,		edx
+	mov	edx,		DWORD PTR 40[esp]
+	rol	esi,		10
+	lea	ebp,		DWORD PTR 2053994217[eax*1+ebp]
+	mov	eax,		-1
 	rol	ebp,		5
-	add	ebp,		edx
+	add	ebp,		ebx
 	; 142
-	add	edx,		edi
-	mov	edi,		eax
-	sub	esi,		ebp
-	and	edi,		ebp
-	and	esi,		ebx
-	or	edi,		esi
-	mov	esi,		DWORD PTR 60[esp]
-	rol	eax,		10
-	lea	edx,		DWORD PTR 2053994217[edi*1+edx]
-	mov	edi,		-1
-	rol	edx,		15
-	add	edx,		ecx
+	add	ebx,		edx
+	mov	edx,		ecx
+	sub	eax,		ebp
+	and	edx,		ebp
+	and	eax,		esi
+	or	edx,		eax
+	mov	eax,		DWORD PTR 56[esp]
+	rol	ecx,		10
+	lea	ebx,		DWORD PTR 2053994217[edx*1+ebx]
+	mov	edx,		-1
+	rol	ebx,		15
+	add	ebx,		edi
 	; 143
-	add	ecx,		esi
-	mov	esi,		ebp
-	sub	edi,		edx
-	and	esi,		edx
-	and	edi,		eax
-	or	edi,		esi
-	mov	esi,		edx
+	add	edi,		eax
+	mov	eax,		ebp
+	sub	edx,		ebx
+	and	eax,		ebx
+	and	edx,		ecx
+	or	edx,		eax
+	mov	eax,		ebx
 	rol	ebp,		10
-	lea	ecx,		DWORD PTR 2053994217[edi*1+ecx]
-	xor	esi,		ebp
-	rol	ecx,		8
-	add	ecx,		ebx
+	lea	edi,		DWORD PTR 2053994217[edx*1+edi]
+	xor	eax,		ebp
+	rol	edi,		8
+	add	edi,		esi
 	; 144
-	mov	edi,		DWORD PTR 52[esp]
-	xor	esi,		ecx
-	add	ebx,		edi
-	rol	edx,		10
-	add	ebx,		esi
-	mov	esi,		ecx
-	rol	ebx,		8
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 48[esp]
+	xor	eax,		edi
+	add	esi,		edx
+	rol	ebx,		10
+	add	esi,		eax
+	mov	eax,		edi
+	rol	esi,		8
+	add	esi,		ecx
 	; 145
-	xor	esi,		edx
-	mov	edi,		DWORD PTR 64[esp]
-	xor	esi,		ebx
-	add	eax,		esi
-	mov	esi,		ebx
-	rol	ecx,		10
-	add	eax,		edi
-	xor	esi,		ecx
-	rol	eax,		5
-	add	eax,		ebp
+	xor	eax,		ebx
+	mov	edx,		DWORD PTR 60[esp]
+	xor	eax,		esi
+	add	ecx,		eax
+	mov	eax,		esi
+	rol	edi,		10
+	add	ecx,		edx
+	xor	eax,		edi
+	rol	ecx,		5
+	add	ecx,		ebp
 	; 146
-	mov	edi,		DWORD PTR 44[esp]
-	xor	esi,		eax
-	add	ebp,		edi
-	rol	ebx,		10
-	add	ebp,		esi
-	mov	esi,		eax
-	rol	ebp,		12
+	mov	edx,		DWORD PTR 40[esp]
+	xor	eax,		ecx
 	add	ebp,		edx
+	rol	esi,		10
+	add	ebp,		eax
+	mov	eax,		ecx
+	rol	ebp,		12
+	add	ebp,		ebx
 	; 147
-	xor	esi,		ebx
-	mov	edi,		DWORD PTR 20[esp]
-	xor	esi,		ebp
-	add	edx,		esi
-	mov	esi,		ebp
-	rol	eax,		10
-	add	edx,		edi
-	xor	esi,		eax
-	rol	edx,		9
-	add	edx,		ecx
+	xor	eax,		esi
+	mov	edx,		DWORD PTR 16[esp]
+	xor	eax,		ebp
+	add	ebx,		eax
+	mov	eax,		ebp
+	rol	ecx,		10
+	add	ebx,		edx
+	xor	eax,		ecx
+	rol	ebx,		9
+	add	ebx,		edi
 	; 148
-	mov	edi,		DWORD PTR 8[esp]
-	xor	esi,		edx
-	add	ecx,		edi
+	mov	edx,		DWORD PTR 4[esp]
+	xor	eax,		ebx
+	add	edi,		edx
 	rol	ebp,		10
-	add	ecx,		esi
-	mov	esi,		edx
-	rol	ecx,		12
-	add	ecx,		ebx
+	add	edi,		eax
+	mov	eax,		ebx
+	rol	edi,		12
+	add	edi,		esi
 	; 149
-	xor	esi,		ebp
-	mov	edi,		DWORD PTR 24[esp]
-	xor	esi,		ecx
-	add	ebx,		esi
-	mov	esi,		ecx
-	rol	edx,		10
-	add	ebx,		edi
-	xor	esi,		edx
-	rol	ebx,		5
-	add	ebx,		eax
+	xor	eax,		ebp
+	mov	edx,		DWORD PTR 20[esp]
+	xor	eax,		edi
+	add	esi,		eax
+	mov	eax,		edi
+	rol	ebx,		10
+	add	esi,		edx
+	xor	eax,		ebx
+	rol	esi,		5
+	add	esi,		ecx
 	; 150
-	mov	edi,		DWORD PTR 36[esp]
-	xor	esi,		ebx
-	add	eax,		edi
-	rol	ecx,		10
-	add	eax,		esi
-	mov	esi,		ebx
-	rol	eax,		14
-	add	eax,		ebp
+	mov	edx,		DWORD PTR 32[esp]
+	xor	eax,		esi
+	add	ecx,		edx
+	rol	edi,		10
+	add	ecx,		eax
+	mov	eax,		esi
+	rol	ecx,		14
+	add	ecx,		ebp
 	; 151
-	xor	esi,		ecx
-	mov	edi,		DWORD PTR 32[esp]
-	xor	esi,		eax
-	add	ebp,		esi
-	mov	esi,		eax
-	rol	ebx,		10
-	add	ebp,		edi
-	xor	esi,		ebx
-	rol	ebp,		6
+	xor	eax,		edi
+	mov	edx,		DWORD PTR 28[esp]
+	xor	eax,		ecx
+	add	ebp,		eax
+	mov	eax,		ecx
+	rol	esi,		10
 	add	ebp,		edx
+	xor	eax,		esi
+	rol	ebp,		6
+	add	ebp,		ebx
 	; 152
-	mov	edi,		DWORD PTR 28[esp]
-	xor	esi,		ebp
-	add	edx,		edi
-	rol	eax,		10
-	add	edx,		esi
-	mov	esi,		ebp
-	rol	edx,		8
-	add	edx,		ecx
+	mov	edx,		DWORD PTR 24[esp]
+	xor	eax,		ebp
+	add	ebx,		edx
+	rol	ecx,		10
+	add	ebx,		eax
+	mov	eax,		ebp
+	rol	ebx,		8
+	add	ebx,		edi
 	; 153
-	xor	esi,		eax
-	mov	edi,		DWORD PTR 12[esp]
-	xor	esi,		edx
-	add	ecx,		esi
-	mov	esi,		edx
+	xor	eax,		ecx
+	mov	edx,		DWORD PTR 8[esp]
+	xor	eax,		ebx
+	add	edi,		eax
+	mov	eax,		ebx
 	rol	ebp,		10
-	add	ecx,		edi
-	xor	esi,		ebp
-	rol	ecx,		13
-	add	ecx,		ebx
+	add	edi,		edx
+	xor	eax,		ebp
+	rol	edi,		13
+	add	edi,		esi
 	; 154
-	mov	edi,		DWORD PTR 56[esp]
-	xor	esi,		ecx
-	add	ebx,		edi
-	rol	edx,		10
-	add	ebx,		esi
-	mov	esi,		ecx
-	rol	ebx,		6
-	add	ebx,		eax
+	mov	edx,		DWORD PTR 52[esp]
+	xor	eax,		edi
+	add	esi,		edx
+	rol	ebx,		10
+	add	esi,		eax
+	mov	eax,		edi
+	rol	esi,		6
+	add	esi,		ecx
 	; 155
-	xor	esi,		edx
-	mov	edi,		DWORD PTR 60[esp]
-	xor	esi,		ebx
-	add	eax,		esi
-	mov	esi,		ebx
-	rol	ecx,		10
-	add	eax,		edi
-	xor	esi,		ecx
-	rol	eax,		5
-	add	eax,		ebp
+	xor	eax,		ebx
+	mov	edx,		DWORD PTR 56[esp]
+	xor	eax,		esi
+	add	ecx,		eax
+	mov	eax,		esi
+	rol	edi,		10
+	add	ecx,		edx
+	xor	eax,		edi
+	rol	ecx,		5
+	add	ecx,		ebp
 	; 156
-	mov	edi,		DWORD PTR 4[esp]
-	xor	esi,		eax
-	add	ebp,		edi
-	rol	ebx,		10
-	add	ebp,		esi
-	mov	esi,		eax
-	rol	ebp,		15
+	mov	edx,		DWORD PTR [esp]
+	xor	eax,		ecx
 	add	ebp,		edx
+	rol	esi,		10
+	add	ebp,		eax
+	mov	eax,		ecx
+	rol	ebp,		15
+	add	ebp,		ebx
 	; 157
-	xor	esi,		ebx
-	mov	edi,		DWORD PTR 16[esp]
-	xor	esi,		ebp
-	add	edx,		esi
-	mov	esi,		ebp
-	rol	eax,		10
-	add	edx,		edi
-	xor	esi,		eax
-	rol	edx,		13
-	add	edx,		ecx
+	xor	eax,		esi
+	mov	edx,		DWORD PTR 12[esp]
+	xor	eax,		ebp
+	add	ebx,		eax
+	mov	eax,		ebp
+	rol	ecx,		10
+	add	ebx,		edx
+	xor	eax,		ecx
+	rol	ebx,		13
+	add	ebx,		edi
 	; 158
-	mov	edi,		DWORD PTR 40[esp]
-	xor	esi,		edx
-	add	ecx,		edi
+	mov	edx,		DWORD PTR 36[esp]
+	xor	eax,		ebx
+	add	edi,		edx
 	rol	ebp,		10
-	add	ecx,		esi
-	mov	esi,		edx
-	rol	ecx,		11
-	add	ecx,		ebx
+	add	edi,		eax
+	mov	eax,		ebx
+	rol	edi,		11
+	add	edi,		esi
 	; 159
-	xor	esi,		ebp
-	mov	edi,		DWORD PTR 48[esp]
-	xor	esi,		ecx
-	add	ebx,		esi
-	rol	edx,		10
-	add	ebx,		edi
-	mov	edi,		DWORD PTR 108[esp]
-	rol	ebx,		11
+	xor	eax,		ebp
+	mov	edx,		DWORD PTR 44[esp]
+	xor	eax,		edi
+	add	esi,		eax
+	rol	ebx,		10
+	add	esi,		edx
+	mov	edx,		DWORD PTR 128[esp]
+	rol	esi,		11
+	add	esi,		ecx
+	mov	eax,		DWORD PTR 4[edx]
 	add	ebx,		eax
-	mov	esi,		DWORD PTR 4[edi]
-	add	edx,		esi
-	mov	esi,		DWORD PTR 76[esp]
-	add	edx,		esi
-	mov	esi,		DWORD PTR 8[edi]
-	add	ebp,		esi
-	mov	esi,		DWORD PTR 80[esp]
-	add	ebp,		esi
-	mov	esi,		DWORD PTR 12[edi]
-	add	eax,		esi
-	mov	esi,		DWORD PTR 84[esp]
-	add	eax,		esi
-	mov	esi,		DWORD PTR 16[edi]
-	add	ebx,		esi
-	mov	esi,		DWORD PTR 68[esp]
-	add	ebx,		esi
-	mov	esi,		DWORD PTR [edi]
-	add	ecx,		esi
-	mov	esi,		DWORD PTR 72[esp]
-	add	ecx,		esi
-	mov	DWORD PTR [edi],edx
-	mov	DWORD PTR 4[edi],ebp
-	mov	DWORD PTR 8[edi],eax
-	mov	DWORD PTR 12[edi],ebx
-	mov	DWORD PTR 16[edi],ecx
-	mov	edi,		DWORD PTR [esp]
-	mov	esi,		DWORD PTR 112[esp]
-	cmp	edi,		esi
-	mov	edi,		DWORD PTR 108[esp]
-	jge	L000start
-	add	esp,		88
+	mov	eax,		DWORD PTR 72[esp]
+	add	ebx,		eax
+	mov	eax,		DWORD PTR 8[edx]
+	add	ebp,		eax
+	mov	eax,		DWORD PTR 76[esp]
+	add	ebp,		eax
+	mov	eax,		DWORD PTR 12[edx]
+	add	ecx,		eax
+	mov	eax,		DWORD PTR 80[esp]
+	add	ecx,		eax
+	mov	eax,		DWORD PTR 16[edx]
+	add	esi,		eax
+	mov	eax,		DWORD PTR 64[esp]
+	add	esi,		eax
+	mov	eax,		DWORD PTR [edx]
+	add	edi,		eax
+	mov	eax,		DWORD PTR 68[esp]
+	add	edi,		eax
+	mov	eax,		DWORD PTR 136[esp]
+	mov	DWORD PTR [edx],ebx
+	mov	DWORD PTR 4[edx],ebp
+	mov	DWORD PTR 8[edx],ecx
+	sub	eax,		1
+	mov	DWORD PTR 12[edx],esi
+	mov	DWORD PTR 16[edx],edi
+	jle	$L001get_out
+	mov	DWORD PTR 136[esp],eax
+	mov	edi,		ecx
+	mov	eax,		DWORD PTR 132[esp]
+	mov	ecx,		ebx
+	add	eax,		64
+	mov	esi,		ebp
+	mov	DWORD PTR 132[esp],eax
+	jmp	L000start
+$L001get_out:
+	add	esp,		108
 	pop	ebx
 	pop	ebp
 	pop	edi
 	pop	esi
 	ret
-_ripemd160_block_x86 ENDP
+_ripemd160_block_asm_host_order ENDP
 _TEXT	ENDS
 END
diff --git a/lib/libcrypto/ripemd/asm/rmd-586.pl b/lib/libcrypto/ripemd/asm/rmd-586.pl
index e53c5fadba7..0ab6f76bfff 100644
--- a/lib/libcrypto/ripemd/asm/rmd-586.pl
+++ b/lib/libcrypto/ripemd/asm/rmd-586.pl
@@ -1,9 +1,7 @@
 #!/usr/local/bin/perl
 
 # Normal is the
-# ripemd160_block_x86(MD5_CTX *c, ULONG *X);
-# version, non-normal is the
-# ripemd160_block_x86(MD5_CTX *c, ULONG *X,int blocks);
+# ripemd160_block_asm_host_order(RIPEMD160_CTX *c, ULONG *X,int blocks);
 
 $normal=0;
 
@@ -12,13 +10,13 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],$0);
 
-$A="eax";
-$B="ebx";
-$C="ecx";
-$D="edx";
+$A="ecx";
+$B="esi";
+$C="edi";
+$D="ebx";
 $E="ebp";
-$tmp1="esi";
-$tmp2="edi";
+$tmp1="eax";
+$tmp2="edx";
 
 $KL1=0x5A827999;
 $KL2=0x6ED9EBA1;
@@ -58,13 +56,13 @@ $KR3=0x7A6D76E9;
 	 8, 5,12, 9,12, 5,14, 6, 8,13, 6, 5,15,13,11,11,
  	);
 
-&ripemd160_block("ripemd160_block_x86");
+&ripemd160_block("ripemd160_block_asm_host_order");
 &asm_finish();
 
 sub Xv
 	{
 	local($n)=@_;
-	return(&swtmp($n+1));
+	return(&swtmp($n));
 	# tmp on stack
 	}
 
@@ -82,7 +80,7 @@ sub RIP1
 	&comment($p++);
 	if ($p & 1)
 		{
-	 &mov($tmp1,	$c) if $o == -1;
+	 #&mov($tmp1,	$c) if $o == -1;
 	&xor($tmp1,	$d) if $o == -1;
 	 &mov($tmp2,	&Xv($pos));
 	&xor($tmp1,	$b);
@@ -290,7 +288,7 @@ sub RIP5
 	&rotl($c,	10);
 	&lea($a,	&DWP($K,$a,$tmp1,1));
 	 &sub($tmp2,	&Np($d)) if $o <= 0;
-	 &mov(&swtmp(1+16),	$A) if $o == 1;
+	 &mov(&swtmp(16),	$A) if $o == 1;
 	 &mov($tmp1,	&Np($d)) if $o == 2;
 	&rotl($a,	$s);
 	&add($a,	$e);
@@ -310,19 +308,25 @@ sub ripemd160_block
 	# D 	12
 	# E 	16
 
+	&mov($tmp2,	&wparam(0));
+	 &mov($tmp1,	&wparam(1));
 	&push("esi");
-	 &mov($C,	&wparam(2));
+	 &mov($A,	&DWP( 0,$tmp2,"",0));
 	&push("edi");
-	 &mov($tmp1,	&wparam(1)); # edi
+	 &mov($B,	&DWP( 4,$tmp2,"",0));
 	&push("ebp");
-	 &add($C,	$tmp1); # offset we end at
+	 &mov($C,	&DWP( 8,$tmp2,"",0));
 	&push("ebx");
-	 &sub($C,	64);
-	&stack_push(16+5+1);
-	 # XXX
-
-	&mov(&swtmp(0),	$C);
-	 &mov($tmp2,	&wparam(0)); # Done at end of loop
+	 &stack_push(16+5+6);
+			  # Special comment about the figure of 6.
+			  # Idea is to pad the current frame so
+			  # that the top of the stack gets fairly
+			  # aligned. Well, as you realize it would
+			  # always depend on how the frame below is
+			  # aligned. The good news are that gcc-2.95
+			  # and later does keep first argument at
+			  # least double-wise aligned.
+			  #			<appro@fy.chalmers.se>
 
 	&set_label("start") unless $normal;
 	&comment("");
@@ -332,16 +336,12 @@ sub ripemd160_block
 
 	for ($z=0; $z<16; $z+=2)
 		{
-		&mov($A,		&DWP( $z*4,$tmp1,"",0));
-		 &mov($B,		&DWP( ($z+1)*4,$tmp1,"",0));
-		&mov(&swtmp(1+$z),	$A);
-		 &mov(&swtmp(1+$z+1),	$B);
+		&mov($D,		&DWP( $z*4,$tmp1,"",0));
+		 &mov($E,		&DWP( ($z+1)*4,$tmp1,"",0));
+		&mov(&swtmp($z),	$D);
+		 &mov(&swtmp($z+1),	$E);
 		}
-	&add($tmp1,	64);
-	 &mov($A,	&DWP( 0,$tmp2,"",0));
-	&mov(&wparam(1),$tmp1);
-	 &mov($B,	&DWP( 4,$tmp2,"",0));
-	&mov($C,	&DWP( 8,$tmp2,"",0));
+	&mov($tmp1,	$C);
 	 &mov($D,	&DWP(12,$tmp2,"",0));
 	&mov($E,	&DWP(16,$tmp2,"",0));
 
@@ -431,14 +431,14 @@ sub ripemd160_block
 	&RIP5($B,$C,$D,$E,$A,$wl[79],$sl[79],$KL4,1);
 
 	# &mov($tmp2,	&wparam(0)); # moved into last RIP5
-	# &mov(&swtmp(1+16),	$A);
+	# &mov(&swtmp(16),	$A);
 	 &mov($A,	&DWP( 0,$tmp2,"",0));
-	&mov(&swtmp(1+17),	$B);
-	 &mov(&swtmp(1+18),	$C);
+	&mov(&swtmp(16+1),	$B);
+	 &mov(&swtmp(16+2),	$C);
 	&mov($B,	&DWP( 4,$tmp2,"",0));
-	 &mov(&swtmp(1+19),	$D);
+	 &mov(&swtmp(16+3),	$D);
 	&mov($C,	&DWP( 8,$tmp2,"",0));
-	 &mov(&swtmp(1+20),	$E);
+	 &mov(&swtmp(16+4),	$E);
 	&mov($D,	&DWP(12,$tmp2,"",0));
 	 &mov($E,	&DWP(16,$tmp2,"",0));
 
@@ -531,46 +531,54 @@ sub ripemd160_block
 
 	 &mov($tmp1,	&DWP( 4,$tmp2,"",0));	# ctx->B
  	&add($D,	$tmp1);	
-	 &mov($tmp1,	&swtmp(1+18));		# $c
+	 &mov($tmp1,	&swtmp(16+2));		# $c
 	&add($D,	$tmp1);
 
 	 &mov($tmp1,	&DWP( 8,$tmp2,"",0));	# ctx->C
 	&add($E,	$tmp1);	
-	 &mov($tmp1,	&swtmp(1+19));		# $d
+	 &mov($tmp1,	&swtmp(16+3));		# $d
 	&add($E,	$tmp1);
 
 	 &mov($tmp1,	&DWP(12,$tmp2,"",0));	# ctx->D
 	&add($A,	$tmp1);	
-	 &mov($tmp1,	&swtmp(1+20));		# $e
+	 &mov($tmp1,	&swtmp(16+4));		# $e
 	&add($A,	$tmp1);
 
 
 	 &mov($tmp1,	&DWP(16,$tmp2,"",0));	# ctx->E
 	&add($B,	$tmp1);	
-	 &mov($tmp1,	&swtmp(1+16));		# $a
+	 &mov($tmp1,	&swtmp(16+0));		# $a
 	&add($B,	$tmp1);
 
 	 &mov($tmp1,	&DWP( 0,$tmp2,"",0));	# ctx->A
 	&add($C,	$tmp1);	
-	 &mov($tmp1,	&swtmp(1+17));		# $b
+	 &mov($tmp1,	&swtmp(16+1));		# $b
 	&add($C,	$tmp1);
 
+	 &mov($tmp1,	&wparam(2));
+
 	&mov(&DWP( 0,$tmp2,"",0),	$D);
 	 &mov(&DWP( 4,$tmp2,"",0),	$E);
 	&mov(&DWP( 8,$tmp2,"",0),	$A);
-	 &mov(&DWP(12,$tmp2,"",0),	$B);
-	&mov(&DWP(16,$tmp2,"",0),	$C);
+	 &sub($tmp1,1);
+	&mov(&DWP(12,$tmp2,"",0),	$B);
+	 &mov(&DWP(16,$tmp2,"",0),	$C);
 
-	&mov($tmp2,		&swtmp(0));
-	 &mov($tmp1,		&wparam(1));
+	&jle(&label("get_out"));
+
+	&mov(&wparam(2),$tmp1);
+	 &mov($C,	$A);
+	&mov($tmp1,	&wparam(1));
+	 &mov($A,	$D);
+	&add($tmp1,	64);
+	 &mov($B,	$E);
+	&mov(&wparam(1),$tmp1);
 
-	&cmp($tmp2,$tmp1);
-	 &mov($tmp2,	&wparam(0));
+	&jmp(&label("start"));
 
-	# XXX
-	 &jge(&label("start"));
+	&set_label("get_out");
 
-	&stack_pop(16+5+1);
+	&stack_pop(16+5+6);
 
 	&pop("ebx");
 	&pop("ebp");
diff --git a/lib/libcrypto/ripemd/ripemd.h b/lib/libcrypto/ripemd/ripemd.h
index ab76be4c332..dd1627cf406 100644
--- a/lib/libcrypto/ripemd/ripemd.h
+++ b/lib/libcrypto/ripemd/ripemd.h
@@ -67,26 +67,33 @@ extern "C" {
 #error RIPEMD is disabled.
 #endif
 
+#if defined(WIN16) || defined(__LP32__)
+#define RIPEMD160_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define RIPEMD160_LONG unsigned long
+#define RIPEMD160_LONG_LOG2 3
+#else
+#define RIPEMD160_LONG unsigned int
+#endif
+
 #define RIPEMD160_CBLOCK	64
-#define RIPEMD160_LBLOCK	16
-#define RIPEMD160_BLOCK		16
-#define RIPEMD160_LAST_BLOCK	56
-#define RIPEMD160_LENGTH_BLOCK	8
+#define RIPEMD160_LBLOCK	(RIPEMD160_CBLOCK/4)
 #define RIPEMD160_DIGEST_LENGTH	20
 
 typedef struct RIPEMD160state_st
 	{
-	unsigned long A,B,C,D,E;
-	unsigned long Nl,Nh;
-	unsigned long data[RIPEMD160_LBLOCK];
+	RIPEMD160_LONG A,B,C,D,E;
+	RIPEMD160_LONG Nl,Nh;
+	RIPEMD160_LONG data[RIPEMD160_LBLOCK];
 	int num;
 	} RIPEMD160_CTX;
 
 void RIPEMD160_Init(RIPEMD160_CTX *c);
-void RIPEMD160_Update(RIPEMD160_CTX *c, unsigned char *data, unsigned long len);
+void RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
 void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
-unsigned char *RIPEMD160(unsigned char *d, unsigned long n, unsigned char *md);
-void RIPEMD160_Transform(RIPEMD160_CTX *c, unsigned char *b);
+unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+	unsigned char *md);
+void RIPEMD160_Transform(RIPEMD160_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/lib/libcrypto/ripemd/rmd_dgst.c b/lib/libcrypto/ripemd/rmd_dgst.c
index b590856229f..bdfae270b63 100644
--- a/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/lib/libcrypto/ripemd/rmd_dgst.c
@@ -60,7 +60,7 @@
 #include "rmd_locl.h"
 #include <openssl/opensslv.h>
 
-char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
+const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
 
 #  ifdef RMD160_ASM
      void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p,int num);
@@ -68,6 +68,7 @@ char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
 #  else
      void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
 #  endif
+
 void RIPEMD160_Init(RIPEMD160_CTX *c)
 	{
 	c->A=RIPEMD160_A;
@@ -80,180 +81,21 @@ void RIPEMD160_Init(RIPEMD160_CTX *c)
 	c->num=0;
 	}
 
-void RIPEMD160_Update(RIPEMD160_CTX *c, register unsigned char *data,
-	     unsigned long len)
-	{
-	register ULONG *p;
-	int sw,sc;
-	ULONG l;
-
-	if (len == 0) return;
-
-	l=(c->Nl+(len<<3))&0xffffffffL;
-	if (l < c->Nl) /* overflow */
-		c->Nh++;
-	c->Nh+=(len>>29);
-	c->Nl=l;
-
-	if (c->num != 0)
-		{
-		p=c->data;
-		sw=c->num>>2;
-		sc=c->num&0x03;
-
-		if ((c->num+len) >= RIPEMD160_CBLOCK)
-			{
-			l= p[sw];
-			p_c2l(data,l,sc);
-			p[sw++]=l;
-			for (; sw<RIPEMD160_LBLOCK; sw++)
-				{
-				c2l(data,l);
-				p[sw]=l;
-				}
-			len-=(RIPEMD160_CBLOCK-c->num);
-
-			ripemd160_block(c,p,64);
-			c->num=0;
-			/* drop through and do the rest */
-			}
-		else
-			{
-			int ew,ec;
-
-			c->num+=(int)len;
-			if ((sc+len) < 4) /* ugly, add char's to a word */
-				{
-				l= p[sw];
-				p_c2l_p(data,l,sc,len);
-				p[sw]=l;
-				}
-			else
-				{
-				ew=(c->num>>2);
-				ec=(c->num&0x03);
-				l= p[sw];
-				p_c2l(data,l,sc);
-				p[sw++]=l;
-				for (; sw < ew; sw++)
-					{ c2l(data,l); p[sw]=l; }
-				if (ec)
-					{
-					c2l_p(data,l,ec);
-					p[sw]=l;
-					}
-				}
-			return;
-			}
-		}
-	/* we now can process the input data in blocks of RIPEMD160_CBLOCK
-	 * chars and save the leftovers to c->data. */
-#ifdef L_ENDIAN
-	if ((((unsigned long)data)%sizeof(ULONG)) == 0)
-		{
-		sw=(int)len/RIPEMD160_CBLOCK;
-		if (sw > 0)
-			{
-			sw*=RIPEMD160_CBLOCK;
-			ripemd160_block(c,(ULONG *)data,sw);
-			data+=sw;
-			len-=sw;
-			}
-		}
-#endif
-	p=c->data;
-	while (len >= RIPEMD160_CBLOCK)
-		{
-#if defined(L_ENDIAN) || defined(B_ENDIAN)
-		if (p != (unsigned long *)data)
-			memcpy(p,data,RIPEMD160_CBLOCK);
-		data+=RIPEMD160_CBLOCK;
-#ifdef B_ENDIAN
-		for (sw=(RIPEMD160_LBLOCK/4); sw; sw--)
-			{
-			Endian_Reverse32(p[0]);
-			Endian_Reverse32(p[1]);
-			Endian_Reverse32(p[2]);
-			Endian_Reverse32(p[3]);
-			p+=4;
-			}
-#endif
-#else
-		for (sw=(RIPEMD160_LBLOCK/4); sw; sw--)
-			{
-			c2l(data,l); *(p++)=l;
-			c2l(data,l); *(p++)=l;
-			c2l(data,l); *(p++)=l;
-			c2l(data,l); *(p++)=l; 
-			} 
+#ifndef ripemd160_block_host_order
+#ifdef X
+#undef X
 #endif
-		p=c->data;
-		ripemd160_block(c,p,64);
-		len-=RIPEMD160_CBLOCK;
-		}
-	sc=(int)len;
-	c->num=sc;
-	if (sc)
-		{
-		sw=sc>>2;	/* words to copy */
-#ifdef L_ENDIAN
-		p[sw]=0;
-		memcpy(p,data,sc);
-#else
-		sc&=0x03;
-		for ( ; sw; sw--)
-			{ c2l(data,l); *(p++)=l; }
-		c2l_p(data,l,sc);
-		*p=l;
-#endif
-		}
-	}
-
-void RIPEMD160_Transform(RIPEMD160_CTX *c, unsigned char *b)
+#define X(i)	XX[i]
+void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
 	{
-	ULONG p[16];
-#if !defined(L_ENDIAN)
-	ULONG *q;
-	int i;
-#endif
+	const RIPEMD160_LONG *XX=p;
+	register unsigned long A,B,C,D,E;
+	register unsigned long a,b,c,d,e;
 
-#if defined(B_ENDIAN) || defined(L_ENDIAN)
-	memcpy(p,b,64);
-#ifdef B_ENDIAN
-	q=p;
-	for (i=(RIPEMD160_LBLOCK/4); i; i--)
-		{
-		Endian_Reverse32(q[0]);
-		Endian_Reverse32(q[1]);
-		Endian_Reverse32(q[2]);
-		Endian_Reverse32(q[3]);
-		q+=4;
-		}
-#endif
-#else
-	q=p;
-	for (i=(RIPEMD160_LBLOCK/4); i; i--)
+	for (;num--;XX+=HASH_LBLOCK)
 		{
-		ULONG l;
-		c2l(b,l); *(q++)=l;
-		c2l(b,l); *(q++)=l;
-		c2l(b,l); *(q++)=l;
-		c2l(b,l); *(q++)=l; 
-		} 
-#endif
-	ripemd160_block(c,p,64);
-	}
-
-#ifndef RMD160_ASM
-
-void ripemd160_block(RIPEMD160_CTX *ctx, register ULONG *X, int num)
-	{
-	register ULONG A,B,C,D,E;
-	ULONG a,b,c,d,e;
 
-	for (;;)
-		{
-		A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
 
 	RIP1(A,B,C,D,E,WL00,SL00);
 	RIP1(E,A,B,C,D,WL01,SL01);
@@ -436,80 +278,216 @@ void ripemd160_block(RIPEMD160_CTX *ctx, register ULONG *X, int num)
 	ctx->E=ctx->A+b+C;
 	ctx->A=D;
 
-	X+=16;
-	num-=64;
-	if (num <= 0) break;
 		}
 	}
 #endif
 
-void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c)
+#ifndef ripemd160_block_data_order
+#ifdef X
+#undef X
+#endif
+void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, int num)
 	{
-	register int i,j;
-	register ULONG l;
-	register ULONG *p;
-	static unsigned char end[4]={0x80,0x00,0x00,0x00};
-	unsigned char *cp=end;
-
-	/* c->num should definitly have room for at least one more byte. */
-	p=c->data;
-	j=c->num;
-	i=j>>2;
-
-	/* purify often complains about the following line as an
-	 * Uninitialized Memory Read.  While this can be true, the
-	 * following p_c2l macro will reset l when that case is true.
-	 * This is because j&0x03 contains the number of 'valid' bytes
-	 * already in p[i].  If and only if j&0x03 == 0, the UMR will
-	 * occur but this is also the only time p_c2l will do
-	 * l= *(cp++) instead of l|= *(cp++)
-	 * Many thanks to Alex Tang <altitude@cic.net> for pickup this
-	 * 'potential bug' */
-#ifdef PURIFY
-	if ((j&0x03) == 0) p[i]=0;
+	const unsigned char *data=p;
+	register unsigned long A,B,C,D,E;
+	unsigned long a,b,c,d,e,l;
+#ifndef MD32_XARRAY
+	/* See comment in crypto/sha/sha_locl.h for details. */
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i)	XX##i
+#else
+	RIPEMD160_LONG	XX[16];
+# define X(i)	XX[i]
 #endif
-	l=p[i];
-	p_c2l(cp,l,j&0x03);
-	p[i]=l;
-	i++;
-	/* i is the next 'undefined word' */
-	if (c->num >= RIPEMD160_LAST_BLOCK)
+
+	for (;num--;)
 		{
-		for (; i<RIPEMD160_LBLOCK; i++)
-			p[i]=0;
-		ripemd160_block(c,p,64);
-		i=0;
-		}
-	for (; i<(RIPEMD160_LBLOCK-2); i++)
-		p[i]=0;
-	p[RIPEMD160_LBLOCK-2]=c->Nl;
-	p[RIPEMD160_LBLOCK-1]=c->Nh;
-	ripemd160_block(c,p,64);
-	cp=md;
-	l=c->A; l2c(l,cp);
-	l=c->B; l2c(l,cp);
-	l=c->C; l2c(l,cp);
-	l=c->D; l2c(l,cp);
-	l=c->E; l2c(l,cp);
-
-	/* clear stuff, ripemd160_block may be leaving some stuff on the stack
-	 * but I'm not worried :-) */
-	c->num=0;
-/*	memset((char *)&c,0,sizeof(c));*/
-	}
 
-#ifdef undef
-int printit(unsigned long *l)
-	{
-	int i,ii;
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+
+	HOST_c2l(data,l); X( 0)=l;	HOST_c2l(data,l); X( 1)=l;
+	RIP1(A,B,C,D,E,WL00,SL00);	HOST_c2l(data,l); X( 2)=l;
+	RIP1(E,A,B,C,D,WL01,SL01);	HOST_c2l(data,l); X( 3)=l;
+	RIP1(D,E,A,B,C,WL02,SL02);	HOST_c2l(data,l); X( 4)=l;
+	RIP1(C,D,E,A,B,WL03,SL03);	HOST_c2l(data,l); X( 5)=l;
+	RIP1(B,C,D,E,A,WL04,SL04);	HOST_c2l(data,l); X( 6)=l;
+	RIP1(A,B,C,D,E,WL05,SL05);	HOST_c2l(data,l); X( 7)=l;
+	RIP1(E,A,B,C,D,WL06,SL06);	HOST_c2l(data,l); X( 8)=l;
+	RIP1(D,E,A,B,C,WL07,SL07);	HOST_c2l(data,l); X( 9)=l;
+	RIP1(C,D,E,A,B,WL08,SL08);	HOST_c2l(data,l); X(10)=l;
+	RIP1(B,C,D,E,A,WL09,SL09);	HOST_c2l(data,l); X(11)=l;
+	RIP1(A,B,C,D,E,WL10,SL10);	HOST_c2l(data,l); X(12)=l;
+	RIP1(E,A,B,C,D,WL11,SL11);	HOST_c2l(data,l); X(13)=l;
+	RIP1(D,E,A,B,C,WL12,SL12);	HOST_c2l(data,l); X(14)=l;
+	RIP1(C,D,E,A,B,WL13,SL13);	HOST_c2l(data,l); X(15)=l;
+	RIP1(B,C,D,E,A,WL14,SL14);
+	RIP1(A,B,C,D,E,WL15,SL15);
+
+	RIP2(E,A,B,C,D,WL16,SL16,KL1);
+	RIP2(D,E,A,B,C,WL17,SL17,KL1);
+	RIP2(C,D,E,A,B,WL18,SL18,KL1);
+	RIP2(B,C,D,E,A,WL19,SL19,KL1);
+	RIP2(A,B,C,D,E,WL20,SL20,KL1);
+	RIP2(E,A,B,C,D,WL21,SL21,KL1);
+	RIP2(D,E,A,B,C,WL22,SL22,KL1);
+	RIP2(C,D,E,A,B,WL23,SL23,KL1);
+	RIP2(B,C,D,E,A,WL24,SL24,KL1);
+	RIP2(A,B,C,D,E,WL25,SL25,KL1);
+	RIP2(E,A,B,C,D,WL26,SL26,KL1);
+	RIP2(D,E,A,B,C,WL27,SL27,KL1);
+	RIP2(C,D,E,A,B,WL28,SL28,KL1);
+	RIP2(B,C,D,E,A,WL29,SL29,KL1);
+	RIP2(A,B,C,D,E,WL30,SL30,KL1);
+	RIP2(E,A,B,C,D,WL31,SL31,KL1);
+
+	RIP3(D,E,A,B,C,WL32,SL32,KL2);
+	RIP3(C,D,E,A,B,WL33,SL33,KL2);
+	RIP3(B,C,D,E,A,WL34,SL34,KL2);
+	RIP3(A,B,C,D,E,WL35,SL35,KL2);
+	RIP3(E,A,B,C,D,WL36,SL36,KL2);
+	RIP3(D,E,A,B,C,WL37,SL37,KL2);
+	RIP3(C,D,E,A,B,WL38,SL38,KL2);
+	RIP3(B,C,D,E,A,WL39,SL39,KL2);
+	RIP3(A,B,C,D,E,WL40,SL40,KL2);
+	RIP3(E,A,B,C,D,WL41,SL41,KL2);
+	RIP3(D,E,A,B,C,WL42,SL42,KL2);
+	RIP3(C,D,E,A,B,WL43,SL43,KL2);
+	RIP3(B,C,D,E,A,WL44,SL44,KL2);
+	RIP3(A,B,C,D,E,WL45,SL45,KL2);
+	RIP3(E,A,B,C,D,WL46,SL46,KL2);
+	RIP3(D,E,A,B,C,WL47,SL47,KL2);
+
+	RIP4(C,D,E,A,B,WL48,SL48,KL3);
+	RIP4(B,C,D,E,A,WL49,SL49,KL3);
+	RIP4(A,B,C,D,E,WL50,SL50,KL3);
+	RIP4(E,A,B,C,D,WL51,SL51,KL3);
+	RIP4(D,E,A,B,C,WL52,SL52,KL3);
+	RIP4(C,D,E,A,B,WL53,SL53,KL3);
+	RIP4(B,C,D,E,A,WL54,SL54,KL3);
+	RIP4(A,B,C,D,E,WL55,SL55,KL3);
+	RIP4(E,A,B,C,D,WL56,SL56,KL3);
+	RIP4(D,E,A,B,C,WL57,SL57,KL3);
+	RIP4(C,D,E,A,B,WL58,SL58,KL3);
+	RIP4(B,C,D,E,A,WL59,SL59,KL3);
+	RIP4(A,B,C,D,E,WL60,SL60,KL3);
+	RIP4(E,A,B,C,D,WL61,SL61,KL3);
+	RIP4(D,E,A,B,C,WL62,SL62,KL3);
+	RIP4(C,D,E,A,B,WL63,SL63,KL3);
+
+	RIP5(B,C,D,E,A,WL64,SL64,KL4);
+	RIP5(A,B,C,D,E,WL65,SL65,KL4);
+	RIP5(E,A,B,C,D,WL66,SL66,KL4);
+	RIP5(D,E,A,B,C,WL67,SL67,KL4);
+	RIP5(C,D,E,A,B,WL68,SL68,KL4);
+	RIP5(B,C,D,E,A,WL69,SL69,KL4);
+	RIP5(A,B,C,D,E,WL70,SL70,KL4);
+	RIP5(E,A,B,C,D,WL71,SL71,KL4);
+	RIP5(D,E,A,B,C,WL72,SL72,KL4);
+	RIP5(C,D,E,A,B,WL73,SL73,KL4);
+	RIP5(B,C,D,E,A,WL74,SL74,KL4);
+	RIP5(A,B,C,D,E,WL75,SL75,KL4);
+	RIP5(E,A,B,C,D,WL76,SL76,KL4);
+	RIP5(D,E,A,B,C,WL77,SL77,KL4);
+	RIP5(C,D,E,A,B,WL78,SL78,KL4);
+	RIP5(B,C,D,E,A,WL79,SL79,KL4);
+
+	a=A; b=B; c=C; d=D; e=E;
+	/* Do other half */
+	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
+
+	RIP5(A,B,C,D,E,WR00,SR00,KR0);
+	RIP5(E,A,B,C,D,WR01,SR01,KR0);
+	RIP5(D,E,A,B,C,WR02,SR02,KR0);
+	RIP5(C,D,E,A,B,WR03,SR03,KR0);
+	RIP5(B,C,D,E,A,WR04,SR04,KR0);
+	RIP5(A,B,C,D,E,WR05,SR05,KR0);
+	RIP5(E,A,B,C,D,WR06,SR06,KR0);
+	RIP5(D,E,A,B,C,WR07,SR07,KR0);
+	RIP5(C,D,E,A,B,WR08,SR08,KR0);
+	RIP5(B,C,D,E,A,WR09,SR09,KR0);
+	RIP5(A,B,C,D,E,WR10,SR10,KR0);
+	RIP5(E,A,B,C,D,WR11,SR11,KR0);
+	RIP5(D,E,A,B,C,WR12,SR12,KR0);
+	RIP5(C,D,E,A,B,WR13,SR13,KR0);
+	RIP5(B,C,D,E,A,WR14,SR14,KR0);
+	RIP5(A,B,C,D,E,WR15,SR15,KR0);
+
+	RIP4(E,A,B,C,D,WR16,SR16,KR1);
+	RIP4(D,E,A,B,C,WR17,SR17,KR1);
+	RIP4(C,D,E,A,B,WR18,SR18,KR1);
+	RIP4(B,C,D,E,A,WR19,SR19,KR1);
+	RIP4(A,B,C,D,E,WR20,SR20,KR1);
+	RIP4(E,A,B,C,D,WR21,SR21,KR1);
+	RIP4(D,E,A,B,C,WR22,SR22,KR1);
+	RIP4(C,D,E,A,B,WR23,SR23,KR1);
+	RIP4(B,C,D,E,A,WR24,SR24,KR1);
+	RIP4(A,B,C,D,E,WR25,SR25,KR1);
+	RIP4(E,A,B,C,D,WR26,SR26,KR1);
+	RIP4(D,E,A,B,C,WR27,SR27,KR1);
+	RIP4(C,D,E,A,B,WR28,SR28,KR1);
+	RIP4(B,C,D,E,A,WR29,SR29,KR1);
+	RIP4(A,B,C,D,E,WR30,SR30,KR1);
+	RIP4(E,A,B,C,D,WR31,SR31,KR1);
+
+	RIP3(D,E,A,B,C,WR32,SR32,KR2);
+	RIP3(C,D,E,A,B,WR33,SR33,KR2);
+	RIP3(B,C,D,E,A,WR34,SR34,KR2);
+	RIP3(A,B,C,D,E,WR35,SR35,KR2);
+	RIP3(E,A,B,C,D,WR36,SR36,KR2);
+	RIP3(D,E,A,B,C,WR37,SR37,KR2);
+	RIP3(C,D,E,A,B,WR38,SR38,KR2);
+	RIP3(B,C,D,E,A,WR39,SR39,KR2);
+	RIP3(A,B,C,D,E,WR40,SR40,KR2);
+	RIP3(E,A,B,C,D,WR41,SR41,KR2);
+	RIP3(D,E,A,B,C,WR42,SR42,KR2);
+	RIP3(C,D,E,A,B,WR43,SR43,KR2);
+	RIP3(B,C,D,E,A,WR44,SR44,KR2);
+	RIP3(A,B,C,D,E,WR45,SR45,KR2);
+	RIP3(E,A,B,C,D,WR46,SR46,KR2);
+	RIP3(D,E,A,B,C,WR47,SR47,KR2);
+
+	RIP2(C,D,E,A,B,WR48,SR48,KR3);
+	RIP2(B,C,D,E,A,WR49,SR49,KR3);
+	RIP2(A,B,C,D,E,WR50,SR50,KR3);
+	RIP2(E,A,B,C,D,WR51,SR51,KR3);
+	RIP2(D,E,A,B,C,WR52,SR52,KR3);
+	RIP2(C,D,E,A,B,WR53,SR53,KR3);
+	RIP2(B,C,D,E,A,WR54,SR54,KR3);
+	RIP2(A,B,C,D,E,WR55,SR55,KR3);
+	RIP2(E,A,B,C,D,WR56,SR56,KR3);
+	RIP2(D,E,A,B,C,WR57,SR57,KR3);
+	RIP2(C,D,E,A,B,WR58,SR58,KR3);
+	RIP2(B,C,D,E,A,WR59,SR59,KR3);
+	RIP2(A,B,C,D,E,WR60,SR60,KR3);
+	RIP2(E,A,B,C,D,WR61,SR61,KR3);
+	RIP2(D,E,A,B,C,WR62,SR62,KR3);
+	RIP2(C,D,E,A,B,WR63,SR63,KR3);
+
+	RIP1(B,C,D,E,A,WR64,SR64);
+	RIP1(A,B,C,D,E,WR65,SR65);
+	RIP1(E,A,B,C,D,WR66,SR66);
+	RIP1(D,E,A,B,C,WR67,SR67);
+	RIP1(C,D,E,A,B,WR68,SR68);
+	RIP1(B,C,D,E,A,WR69,SR69);
+	RIP1(A,B,C,D,E,WR70,SR70);
+	RIP1(E,A,B,C,D,WR71,SR71);
+	RIP1(D,E,A,B,C,WR72,SR72);
+	RIP1(C,D,E,A,B,WR73,SR73);
+	RIP1(B,C,D,E,A,WR74,SR74);
+	RIP1(A,B,C,D,E,WR75,SR75);
+	RIP1(E,A,B,C,D,WR76,SR76);
+	RIP1(D,E,A,B,C,WR77,SR77);
+	RIP1(C,D,E,A,B,WR78,SR78);
+	RIP1(B,C,D,E,A,WR79,SR79);
+
+	D     =ctx->B+c+D;
+	ctx->B=ctx->C+d+E;
+	ctx->C=ctx->D+e+A;
+	ctx->D=ctx->E+a+B;
+	ctx->E=ctx->A+b+C;
+	ctx->A=D;
 
-	for (i=0; i<2; i++)
-		{
-		for (ii=0; ii<8; ii++)
-			{
-			fprintf(stderr,"%08lx ",l[i*8+ii]);
-			}
-		fprintf(stderr,"\n");
 		}
 	}
 #endif
diff --git a/lib/libcrypto/ripemd/rmd_locl.h b/lib/libcrypto/ripemd/rmd_locl.h
index d6ba02001af..145cf316b90 100644
--- a/lib/libcrypto/ripemd/rmd_locl.h
+++ b/lib/libcrypto/ripemd/rmd_locl.h
@@ -58,134 +58,76 @@
 
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/opensslconf.h>
 #include <openssl/ripemd.h>
 
-#define ULONG	unsigned long
-#define UCHAR	unsigned char
-#define UINT	unsigned int
-
-#undef c2nl
-#define c2nl(c,l)	(l =(((unsigned long)(*((c)++)))<<24), \
-			 l|=(((unsigned long)(*((c)++)))<<16), \
-			 l|=(((unsigned long)(*((c)++)))<< 8), \
-			 l|=(((unsigned long)(*((c)++)))    ))
-
-#undef p_c2nl
-#define p_c2nl(c,l,n)	{ \
-			switch (n) { \
-			case 0: l =((unsigned long)(*((c)++)))<<24; \
-			case 1: l|=((unsigned long)(*((c)++)))<<16; \
-			case 2: l|=((unsigned long)(*((c)++)))<< 8; \
-			case 3: l|=((unsigned long)(*((c)++))); \
-				} \
-			}
-
-#undef c2nl_p
-/* NOTE the pointer is not incremented at the end of this */
-#define c2nl_p(c,l,n)	{ \
-			l=0; \
-			(c)+=n; \
-			switch (n) { \
-			case 3: l =((unsigned long)(*(--(c))))<< 8; \
-			case 2: l|=((unsigned long)(*(--(c))))<<16; \
-			case 1: l|=((unsigned long)(*(--(c))))<<24; \
-				} \
-			}
-
-#undef p_c2nl_p
-#define p_c2nl_p(c,l,sc,len) { \
-			switch (sc) \
-				{ \
-			case 0: l =((unsigned long)(*((c)++)))<<24; \
-				if (--len == 0) break; \
-			case 1: l|=((unsigned long)(*((c)++)))<<16; \
-				if (--len == 0) break; \
-			case 2: l|=((unsigned long)(*((c)++)))<< 8; \
-				} \
-			}
-
-#undef nl2c
-#define nl2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-			 *((c)++)=(unsigned char)(((l)    )&0xff))
-
-#undef c2l
-#define c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ), \
-			 l|=(((unsigned long)(*((c)++)))<< 8), \
-			 l|=(((unsigned long)(*((c)++)))<<16), \
-			 l|=(((unsigned long)(*((c)++)))<<24))
-
-#undef p_c2l
-#define p_c2l(c,l,n)	{ \
-			switch (n) { \
-			case 0: l =((unsigned long)(*((c)++))); \
-			case 1: l|=((unsigned long)(*((c)++)))<< 8; \
-			case 2: l|=((unsigned long)(*((c)++)))<<16; \
-			case 3: l|=((unsigned long)(*((c)++)))<<24; \
-				} \
-			}
-
-#undef c2l_p
-/* NOTE the pointer is not incremented at the end of this */
-#define c2l_p(c,l,n)	{ \
-			l=0; \
-			(c)+=n; \
-			switch (n) { \
-			case 3: l =((unsigned long)(*(--(c))))<<16; \
-			case 2: l|=((unsigned long)(*(--(c))))<< 8; \
-			case 1: l|=((unsigned long)(*(--(c)))); \
-				} \
-			}
-
-#undef p_c2l_p
-#define p_c2l_p(c,l,sc,len) { \
-			switch (sc) \
-				{ \
-			case 0: l =((unsigned long)(*((c)++))); \
-				if (--len == 0) break; \
-			case 1: l|=((unsigned long)(*((c)++)))<< 8; \
-				if (--len == 0) break; \
-			case 2: l|=((unsigned long)(*((c)++)))<<16; \
-				} \
-			}
-
-#undef l2c
-#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>24)&0xff))
-
-#undef ROTATE
-#if defined(WIN32)
-#define ROTATE(a,n)     _lrotl(a,n)
-#else
-#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#ifndef RIPEMD160_LONG_LOG2
+#define RIPEMD160_LONG_LOG2 2 /* default to 32 bits */
+#endif
+
+/*
+ * DO EXAMINE COMMENTS IN crypto/md5/md5_locl.h & crypto/md5/md5_dgst.c
+ * FOR EXPLANATIONS ON FOLLOWING "CODE."
+ *					<appro@fy.chalmers.se>
+ */
+#ifdef RMD160_ASM
+# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#  define ripemd160_block_host_order ripemd160_block_asm_host_order
+# endif
+#endif
+
+void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
+void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
+
+#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#define ripemd160_block_data_order ripemd160_block_host_order
+#endif
+
+#define DATA_ORDER_IS_LITTLE_ENDIAN
+
+#define HASH_LONG               RIPEMD160_LONG
+#define HASH_LONG_LOG2          RIPEMD160_LONG_LOG2
+#define HASH_CTX                RIPEMD160_CTX
+#define HASH_CBLOCK             RIPEMD160_CBLOCK
+#define HASH_LBLOCK             RIPEMD160_LBLOCK
+#define HASH_UPDATE             RIPEMD160_Update
+#define HASH_TRANSFORM          RIPEMD160_Transform
+#define HASH_FINAL              RIPEMD160_Final
+#define HASH_BLOCK_HOST_ORDER   ripemd160_block_host_order
+#define	HASH_MAKE_STRING(c,s)	do {	\
+	unsigned long ll;		\
+	ll=(c)->A; HOST_l2c(ll,(s));	\
+	ll=(c)->B; HOST_l2c(ll,(s));	\
+	ll=(c)->C; HOST_l2c(ll,(s));	\
+	ll=(c)->D; HOST_l2c(ll,(s));	\
+	ll=(c)->E; HOST_l2c(ll,(s));	\
+	} while (0)
+#if !defined(L_ENDIAN) || defined(ripemd160_block_data_order)
+#define HASH_BLOCK_DATA_ORDER   ripemd160_block_data_order
 #endif
 
-/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
-#if defined(WIN32)
-/* 5 instructions with rotate instruction, else 9 */
-#define Endian_Reverse32(a) \
-	{ \
-	unsigned long l=(a); \
-	(a)=((ROTATE(l,8)&0x00FF00FF)|(ROTATE(l,24)&0xFF00FF00)); \
-	}
+#ifndef FLAT_INC
+#include "../md32_common.h"
 #else
-/* 6 instructions with rotate instruction, else 8 */
-#define Endian_Reverse32(a) \
-	{ \
-	unsigned long l=(a); \
-	l=(((l&0xFF00FF00)>>8L)|((l&0x00FF00FF)<<8L)); \
-	(a)=ROTATE(l,16L); \
-	}
+#include "md32_common.h"
 #endif
 
+#if 0
 #define F1(x,y,z)	 ((x)^(y)^(z))
 #define F2(x,y,z)	(((x)&(y))|((~x)&z))
 #define F3(x,y,z)	(((x)|(~y))^(z))
 #define F4(x,y,z)	(((x)&(z))|((y)&(~(z))))
 #define F5(x,y,z)	 ((x)^((y)|(~(z))))
+#else
+/*
+ * Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com>
+ */
+#define F1(x,y,z)	((x) ^ (y) ^ (z))
+#define F2(x,y,z)	((((y) ^ (z)) & (x)) ^ (z))
+#define F3(x,y,z)	(((~(y)) | (x)) ^ (z))
+#define F4(x,y,z)	((((x) ^ (y)) & (z)) ^ (y))
+#define F5(x,y,z)	(((~(z)) | (y)) ^ (x))
+#endif
 
 #define RIPEMD160_A	0x67452301L
 #define RIPEMD160_B	0xEFCDAB89L
@@ -196,27 +138,27 @@
 #include "rmdconst.h"
 
 #define RIP1(a,b,c,d,e,w,s) { \
-	a+=F1(b,c,d)+X[w]; \
+	a+=F1(b,c,d)+X(w); \
         a=ROTATE(a,s)+e; \
         c=ROTATE(c,10); }
 
 #define RIP2(a,b,c,d,e,w,s,K) { \
-	a+=F2(b,c,d)+X[w]+K; \
+	a+=F2(b,c,d)+X(w)+K; \
         a=ROTATE(a,s)+e; \
         c=ROTATE(c,10); }
 
 #define RIP3(a,b,c,d,e,w,s,K) { \
-	a+=F3(b,c,d)+X[w]+K; \
+	a+=F3(b,c,d)+X(w)+K; \
         a=ROTATE(a,s)+e; \
         c=ROTATE(c,10); }
 
 #define RIP4(a,b,c,d,e,w,s,K) { \
-	a+=F4(b,c,d)+X[w]+K; \
+	a+=F4(b,c,d)+X(w)+K; \
         a=ROTATE(a,s)+e; \
         c=ROTATE(c,10); }
 
 #define RIP5(a,b,c,d,e,w,s,K) { \
-	a+=F5(b,c,d)+X[w]+K; \
+	a+=F5(b,c,d)+X(w)+K; \
         a=ROTATE(a,s)+e; \
         c=ROTATE(c,10); }
 
diff --git a/lib/libcrypto/ripemd/rmd_one.c b/lib/libcrypto/ripemd/rmd_one.c
index 5b6ff147145..efdf2dd6efc 100644
--- a/lib/libcrypto/ripemd/rmd_one.c
+++ b/lib/libcrypto/ripemd/rmd_one.c
@@ -57,9 +57,10 @@
  */
 
 #include <stdio.h>
-#include "rmd_locl.h"
+#include <string.h>
+#include <openssl/ripemd.h>
 
-unsigned char *RIPEMD160(unsigned char *d, unsigned long n,
+unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
 	     unsigned char *md)
 	{
 	RIPEMD160_CTX c;
diff --git a/lib/libcrypto/ripemd/rmdtest.c b/lib/libcrypto/ripemd/rmdtest.c
index 5e93d4627c9..5d79c997253 100644
--- a/lib/libcrypto/ripemd/rmdtest.c
+++ b/lib/libcrypto/ripemd/rmdtest.c
@@ -73,7 +73,7 @@ int main(int argc, char *argv[])
 #include <openssl/ebcdic.h>
 #endif
 
-char *test[]={
+static char *test[]={
 	"",
 	"a",
 	"abc",
@@ -85,7 +85,7 @@ char *test[]={
 	NULL,
 	};
 
-char *ret[]={
+static char *ret[]={
 	"9c1185a5c5e9fc54612808977ee8f548b2258d31",
 	"0bdc9d2d256b3ee9daae347be6f4dc835a467ffe",
 	"8eb208f7e05d987a9b044a8e98c6b087f15a0bfc",
diff --git a/lib/libcrypto/rsa/Makefile.ssl b/lib/libcrypto/rsa/Makefile.ssl
index 3bb89701a22..7b3960e70d1 100644
--- a/lib/libcrypto/rsa/Makefile.ssl
+++ b/lib/libcrypto/rsa/Makefile.ssl
@@ -18,14 +18,14 @@ AR=		ar r
 CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile
-TEST=rsa_oaep_test.c
+TEST=rsa_test.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
-	rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c
+	rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c
 LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
-	rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o
+	rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o
 
 SRC= $(LIBSRC)
 
@@ -83,52 +83,61 @@ clean:
 rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 rsa_chk.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-rsa_chk.o: ../../include/openssl/stack.h
+rsa_chk.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_eay.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/stack.h
-rsa_eay.o: ../cryptlib.h
+rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_eay.o: ../../include/openssl/stack.h ../cryptlib.h
 rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 rsa_err.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-rsa_err.o: ../../include/openssl/stack.h
+rsa_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_gen.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-rsa_gen.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_gen.o: ../cryptlib.h
 rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/stack.h
-rsa_lib.o: ../cryptlib.h
+rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/stack.h ../cryptlib.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_none.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_none.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_none.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_none.o: ../../include/openssl/rsa.h ../../include/openssl/stack.h
-rsa_none.o: ../cryptlib.h
+rsa_none.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_none.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_null.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+rsa_null.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
+rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
+rsa_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_null.o: ../../include/openssl/stack.h ../cryptlib.h
 rsa_oaep.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_oaep.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_oaep.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_oaep.o: ../../include/openssl/rsa.h ../../include/openssl/sha.h
-rsa_oaep.o: ../../include/openssl/stack.h ../cryptlib.h
+rsa_oaep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_oaep.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_oaep.o: ../cryptlib.h
 rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_pk1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_pk1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_pk1.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_pk1.o: ../../include/openssl/rsa.h ../../include/openssl/stack.h
-rsa_pk1.o: ../cryptlib.h
+rsa_pk1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_pk1.o: ../../include/openssl/stack.h ../cryptlib.h
 rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -168,5 +177,5 @@ rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_ssl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 rsa_ssl.o: ../../include/openssl/err.h ../../include/openssl/opensslconf.h
 rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_ssl.o: ../../include/openssl/rsa.h ../../include/openssl/stack.h
-rsa_ssl.o: ../cryptlib.h
+rsa_ssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_ssl.o: ../../include/openssl/stack.h ../cryptlib.h
diff --git a/lib/libcrypto/rsa/rsa.h b/lib/libcrypto/rsa/rsa.h
index 9230b2fcc9b..f9f9b5cfe91 100644
--- a/lib/libcrypto/rsa/rsa.h
+++ b/lib/libcrypto/rsa/rsa.h
@@ -91,6 +91,18 @@ typedef struct rsa_meth_st
 	int (*finish)(RSA *rsa);	/* called at free */
 	int flags;			/* RSA_METHOD_FLAG_* things */
 	char *app_data;			/* may be needed! */
+/* New sign and verify functions: some libraries don't allow arbitrary data
+ * to be signed/verified: this allows them to be used. Note: for this to work
+ * the RSA_public_decrypt() and RSA_private_encrypt() should *NOT* be used
+ * RSA_sign(), RSA_verify() should be used instead. Note: for backwards
+ * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
+ * option is set in 'flags'.
+ */
+	int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
+             unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+	int (*rsa_verify)(int dtype, unsigned char *m, unsigned int m_len,
+             unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
 	} RSA_METHOD;
 
 struct rsa_st
@@ -140,12 +152,16 @@ struct rsa_st
  */
 #define RSA_FLAG_EXT_PKEY		0x20
 
+/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
+ */
+#define RSA_FLAG_SIGN_VER		0x40
+
 #define RSA_PKCS1_PADDING	1
 #define RSA_SSLV23_PADDING	2
 #define RSA_NO_PADDING		3
 #define RSA_PKCS1_OAEP_PADDING	4
 
-#define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,(char *)arg)
+#define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
 #define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 
 RSA *	RSA_new(void);
@@ -181,6 +197,8 @@ RSA_METHOD *RSA_PKCS1_RSAref(void);
 /* these are the actual SSLeay RSA functions */
 RSA_METHOD *RSA_PKCS1_SSLeay(void);
 
+RSA_METHOD *RSA_null_method(void);
+
 void	ERR_load_RSA_strings(void );
 
 RSA *	d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
@@ -241,10 +259,10 @@ int RSA_padding_add_none(unsigned char *to,int tlen,
 int RSA_padding_check_none(unsigned char *to,int tlen,
 	unsigned char *f,int fl,int rsa_len);
 
-int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	int (*dup_func)(), void (*free_func)());
-int RSA_set_ex_data(RSA *r,int idx,char *arg);
-char *RSA_get_ex_data(RSA *r, int idx);
+int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int RSA_set_ex_data(RSA *r,int idx,void *arg);
+void *RSA_get_ex_data(RSA *r, int idx);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -262,6 +280,7 @@ char *RSA_get_ex_data(RSA *r, int idx);
 #define RSA_F_RSA_EAY_PUBLIC_ENCRYPT			 104
 #define RSA_F_RSA_GENERATE_KEY				 105
 #define RSA_F_RSA_NEW_METHOD				 106
+#define RSA_F_RSA_NULL					 124
 #define RSA_F_RSA_PADDING_ADD_NONE			 107
 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP		 121
 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1		 108
@@ -292,10 +311,11 @@ char *RSA_get_ex_data(RSA *r, int idx);
 #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 110
 #define RSA_R_DATA_TOO_SMALL				 111
 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE		 122
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1			 123
 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY		 112
 #define RSA_R_DMP1_NOT_CONGRUENT_TO_D			 124
 #define RSA_R_DMQ1_NOT_CONGRUENT_TO_D			 125
+#define RSA_R_D_E_NOT_CONGRUENT_TO_1			 123
+#define RSA_R_INVALID_MESSAGE_LENGTH			 131
 #define RSA_R_IQMP_NOT_INVERSE_OF_Q			 126
 #define RSA_R_KEY_SIZE_TOO_SMALL			 120
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING			 113
@@ -304,6 +324,7 @@ char *RSA_get_ex_data(RSA *r, int idx);
 #define RSA_R_PADDING_CHECK_FAILED			 114
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
+#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
 #define RSA_R_SSLV3_ROLLBACK_ATTACK			 115
 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
 #define RSA_R_UNKNOWN_ALGORITHM_TYPE			 117
diff --git a/lib/libcrypto/rsa/rsa_eay.c b/lib/libcrypto/rsa/rsa_eay.c
index 776324860c7..179b7da90a8 100644
--- a/lib/libcrypto/rsa/rsa_eay.c
+++ b/lib/libcrypto/rsa/rsa_eay.c
@@ -72,6 +72,8 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
+#ifndef RSA_NULL
+
 static int RSA_eay_public_encrypt(int flen, unsigned char *from,
 		unsigned char *to, RSA *rsa,int padding);
 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
@@ -285,4 +287,4 @@ static int RSA_eay_finish(RSA *rsa)
 	return(1);
 	}
 
-
+#endif
diff --git a/lib/libcrypto/rsa/rsa_err.c b/lib/libcrypto/rsa/rsa_err.c
index 9fb15e398dd..5cfbea2b033 100644
--- a/lib/libcrypto/rsa/rsa_err.c
+++ b/lib/libcrypto/rsa/rsa_err.c
@@ -73,6 +73,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
 {ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0),	"RSA_EAY_PUBLIC_ENCRYPT"},
 {ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0),	"RSA_generate_key"},
 {ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0),	"RSA_new_method"},
+{ERR_PACK(0,RSA_F_RSA_NULL,0),	"RSA_NULL"},
 {ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0),	"RSA_padding_add_none"},
 {ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0),	"RSA_padding_add_PKCS1_OAEP"},
 {ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0),	"RSA_padding_add_PKCS1_type_1"},
@@ -106,10 +107,11 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
 {RSA_R_DATA_TOO_SMALL                    ,"data too small"},
 {RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
-{RSA_R_D_E_NOT_CONGRUENT_TO_1            ,"d e not congruent to 1"},
 {RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
 {RSA_R_DMP1_NOT_CONGRUENT_TO_D           ,"dmp1 not congruent to d"},
 {RSA_R_DMQ1_NOT_CONGRUENT_TO_D           ,"dmq1 not congruent to d"},
+{RSA_R_D_E_NOT_CONGRUENT_TO_1            ,"d e not congruent to 1"},
+{RSA_R_INVALID_MESSAGE_LENGTH            ,"invalid message length"},
 {RSA_R_IQMP_NOT_INVERSE_OF_Q             ,"iqmp not inverse of q"},
 {RSA_R_KEY_SIZE_TOO_SMALL                ,"key size too small"},
 {RSA_R_NULL_BEFORE_BLOCK_MISSING         ,"null before block missing"},
@@ -118,6 +120,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
 {RSA_R_P_NOT_PRIME                       ,"p not prime"},
 {RSA_R_Q_NOT_PRIME                       ,"q not prime"},
+{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
 {RSA_R_SSLV3_ROLLBACK_ATTACK             ,"sslv3 rollback attack"},
 {RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
 {RSA_R_UNKNOWN_ALGORITHM_TYPE            ,"unknown algorithm type"},
diff --git a/lib/libcrypto/rsa/rsa_gen.c b/lib/libcrypto/rsa/rsa_gen.c
index 3227dba7947..b1ee5d8dce4 100644
--- a/lib/libcrypto/rsa/rsa_gen.c
+++ b/lib/libcrypto/rsa/rsa_gen.c
@@ -85,6 +85,7 @@ err:
 		RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
 		ok=0;
 		}
+	BN_CTX_end(ctx);
 	BN_CTX_free(ctx);
 	BN_CTX_free(ctx2);
 	
diff --git a/lib/libcrypto/rsa/rsa_lib.c b/lib/libcrypto/rsa/rsa_lib.c
index c0ca2923a69..074a4f5074b 100644
--- a/lib/libcrypto/rsa/rsa_lib.c
+++ b/lib/libcrypto/rsa/rsa_lib.c
@@ -67,7 +67,7 @@ const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
 
 static RSA_METHOD *default_RSA_meth=NULL;
 static int rsa_meth_num=0;
-static STACK *rsa_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
 
 RSA *RSA_new(void)
 	{
@@ -105,11 +105,15 @@ RSA *RSA_new_method(RSA_METHOD *meth)
 
 	if (default_RSA_meth == NULL)
 		{
+#ifdef RSA_NULL
+		default_RSA_meth=RSA_null_method();
+#else
 #ifdef RSAref
 		default_RSA_meth=RSA_PKCS1_RSAref();
 #else
 		default_RSA_meth=RSA_PKCS1_SSLeay();
 #endif
+#endif
 		}
 	ret=(RSA *)Malloc(sizeof(RSA));
 	if (ret == NULL)
@@ -146,7 +150,7 @@ RSA *RSA_new_method(RSA_METHOD *meth)
 		ret=NULL;
 		}
 	else
-		CRYPTO_new_ex_data(rsa_meth,(char *)ret,&ret->ex_data);
+		CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
 	return(ret);
 	}
 
@@ -169,7 +173,7 @@ void RSA_free(RSA *r)
 		}
 #endif
 
-	CRYPTO_free_ex_data(rsa_meth,(char *)r,&r->ex_data);
+	CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
 
 	if (r->meth->finish != NULL)
 		r->meth->finish(r);
@@ -187,20 +191,20 @@ void RSA_free(RSA *r)
 	Free(r);
 	}
 
-int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	     int (*dup_func)(), void (*free_func)())
+int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
 	rsa_meth_num++;
 	return(CRYPTO_get_ex_new_index(rsa_meth_num-1,
 		&rsa_meth,argl,argp,new_func,dup_func,free_func));
         }
 
-int RSA_set_ex_data(RSA *r, int idx, char *arg)
+int RSA_set_ex_data(RSA *r, int idx, void *arg)
 	{
 	return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
 	}
 
-char *RSA_get_ex_data(RSA *r, int idx)
+void *RSA_get_ex_data(RSA *r, int idx)
 	{
 	return(CRYPTO_get_ex_data(&r->ex_data,idx));
 	}
@@ -265,19 +269,19 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
 	if (rsa->blinding != NULL)
 		BN_BLINDING_free(rsa->blinding);
 
-	A= &(ctx->bn[0]);
-	ctx->tos++;
+	BN_CTX_start(ctx);
+	A = BN_CTX_get(ctx);
 	if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err;
 	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
 	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
 	    goto err;
 	rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
-	ctx->tos--;
 	rsa->flags|=RSA_FLAG_BLINDING;
 	BN_free(Ai);
 	ret=1;
 err:
+	BN_CTX_end(ctx);
 	if (ctx != p_ctx) BN_CTX_free(ctx);
 	return(ret);
 	}
diff --git a/lib/libcrypto/rsa/rsa_oaep.c b/lib/libcrypto/rsa/rsa_oaep.c
index 843c40c8640..1465c01f4f4 100644
--- a/lib/libcrypto/rsa/rsa_oaep.c
+++ b/lib/libcrypto/rsa/rsa_oaep.c
@@ -50,7 +50,8 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
 	   emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
     db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
     memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
-    RAND_bytes(seed, SHA_DIGEST_LENGTH);
+    if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
+    	return (0);
 #ifdef PKCS_TESTVECT
     memcpy(seed,
 	   "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
diff --git a/lib/libcrypto/rsa/rsa_oaep_test.c b/lib/libcrypto/rsa/rsa_oaep_test.c
index 0d4e39d3dab..e69de29bb2d 100644
--- a/lib/libcrypto/rsa/rsa_oaep_test.c
+++ b/lib/libcrypto/rsa/rsa_oaep_test.c
@@ -1,309 +0,0 @@
-/* test vectors from p1ovect1.txt */
-
-#include <stdio.h>
-#include <string.h>
-
-#include "openssl/e_os.h"
-
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#ifdef NO_RSA
-int main(int argc, char *argv[])
-{
-    printf("No RSA support\n");
-    return(0);
-}
-#else
-#include <openssl/rsa.h>
-
-#define SetKey \
-  key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
-  key->e = BN_bin2bn(e, sizeof(e)-1, key->e); \
-  key->d = BN_bin2bn(d, sizeof(d)-1, key->d); \
-  key->p = BN_bin2bn(p, sizeof(p)-1, key->p); \
-  key->q = BN_bin2bn(q, sizeof(q)-1, key->q); \
-  key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); \
-  key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); \
-  key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); \
-  memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
-  return (sizeof(ctext_ex) - 1);
-
-static int key1(RSA *key, unsigned char *c)
-    {
-    static unsigned char n[] =
-"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
-"\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
-"\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
-"\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
-"\xF5";
-
-    static unsigned char e[] = "\x11";
-
-    static unsigned char d[] =
-"\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
-"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
-"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
-"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
-
-    static unsigned char p[] =
-"\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
-"\x0D";
-    
-    static unsigned char q[] =
-"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-"\x89";
-
-    static unsigned char dmp1[] =
-"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
-"\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
-
-    static unsigned char dmq1[] =
-"\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
-"\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
-"\x51";
-
-    static unsigned char iqmp[] =
-"\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
-"\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
-
-    static unsigned char ctext_ex[] =
-"\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
-"\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
-"\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
-"\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
-
-    SetKey;
-    }
-
-static int key2(RSA *key, unsigned char *c)
-    {
-    static unsigned char n[] =
-"\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
-"\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
-"\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
-"\x34\x77\xCF";
-
-    static unsigned char e[] = "\x3";
-
-    static unsigned char d[] =
-"\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
-"\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
-"\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
-"\xE5\xEB";
-
-    static unsigned char p[] =
-"\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
-"\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
-
-    static unsigned char q[] =
-"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
-    
-    static unsigned char dmp1[] =
-"\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
-"\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
-
-    static unsigned char dmq1[] =
-"\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
-"\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
-
-    static unsigned char iqmp[] =
-"\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
-"\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
-
-    static unsigned char ctext_ex[] =
-"\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
-"\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
-"\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
-"\x62\x51";
-
-    SetKey;
-    }
-
-static int key3(RSA *key, unsigned char *c)
-    {
-    static unsigned char n[] =
-"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
-"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
-"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
-"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
-"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
-"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
-"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
-"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
-"\xCB";
-
-    static unsigned char e[] = "\x11";
-
-    static unsigned char d[] =
-"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
-"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
-"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
-"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
-"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
-"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
-"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
-"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
-"\xC1";
-
-    static unsigned char p[] =
-"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
-"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
-"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
-"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
-"\x99";
-
-    static unsigned char q[] =
-"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
-"\x03";
-
-    static unsigned char dmp1[] =
-"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
-"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
-"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
-"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-
-    static unsigned char dmq1[] =
-"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
-"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
-"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
-"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
-    
-    static unsigned char iqmp[] =
-"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
-"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
-"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
-"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
-"\xF7";
-
-    static unsigned char ctext_ex[] =
-"\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
-"\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
-"\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
-"\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
-"\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
-"\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
-"\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
-"\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
-
-    SetKey;
-    }
-
-static int pad_unknown(void)
-{
-    unsigned long l;
-    while ((l = ERR_get_error()) != 0)
-      if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
-	return(1);
-    return(0);
-}
-
-int main() 
-    {
-    int err=0;
-    int v;
-    RSA *key;
-    unsigned char ptext[256];
-    unsigned char ctext[256];
-    static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
-    unsigned char ctext_ex[256];
-    int plen;
-    int clen = 0;
-    int num;
-
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-	
-    plen = sizeof(ptext_ex) - 1;
-
-    for (v = 0; v < 3; v++)
-	{
-	key = RSA_new();
-	switch (v) {
-    case 0:
-	clen = key1(key, ctext_ex);
-	break;
-    case 1:
-	clen = key2(key, ctext_ex);
-	break;
-    case 2:
-	clen = key3(key, ctext_ex);
-	break;
-	}
-
-	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
-				 RSA_PKCS1_PADDING);
-	if (num != clen)
-	    {
-	    printf("PKCS#1 v1.5 encryption failed!\n");
-	    err=1;
-	    goto oaep;
-	    }
-  
-	num = RSA_private_decrypt(num, ctext, ptext, key,
-				  RSA_PKCS1_PADDING);
-	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
-	    {
-	    printf("PKCS#1 v1.5 decryption failed!\n");
-	    err=1;
-	    }
-	else
-	    printf("PKCS #1 v1.5 encryption/decryption ok\n");
-
-    oaep:
-	ERR_clear_error();
-	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
-				 RSA_PKCS1_OAEP_PADDING);
-	if (num == -1 && pad_unknown())
-	    {
-	    printf("No OAEP support\n");
-	    goto next;
-	    }
-	if (num != clen)
-	    {
-	    printf("OAEP encryption failed!\n");
-	    err=1;
-	    goto next;
-	    }
-  
-	num = RSA_private_decrypt(num, ctext, ptext, key,
-				  RSA_PKCS1_OAEP_PADDING);
-	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
-	    {
-	    printf("OAEP decryption (encrypted data) failed!\n");
-	    err=1;
-	    }
-	else if (memcmp(ctext, ctext_ex, num) == 0)
-	    {
-	    printf("OAEP test vector %d passed!\n", v);
-	    goto next;
-	    }
-    
-	/* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
-	   Try decrypting ctext_ex */
-
-	num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
-				  RSA_PKCS1_OAEP_PADDING);
-
-	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
-	    {
-	    printf("OAEP decryption (test vector data) failed!\n");
-	    err=1;
-	    }
-	else
-	    printf("OAEP encryption/decryption ok\n");
-    next:
-	RSA_free(key);
-	}
-
-    ERR_remove_state(0);
-
-    CRYPTO_mem_leaks_fp(stdout);
-
-    return err;
-    }
-#endif
diff --git a/lib/libcrypto/rsa/rsa_pk1.c b/lib/libcrypto/rsa/rsa_pk1.c
index f0ae51f234e..48a32bc264a 100644
--- a/lib/libcrypto/rsa/rsa_pk1.c
+++ b/lib/libcrypto/rsa/rsa_pk1.c
@@ -79,7 +79,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
 	*(p++)=0;
 	*(p++)=1; /* Private Key BT (Block Type) */
 
-	/* padd out with 0xff data */
+	/* pad out with 0xff data */
 	j=tlen-3-flen;
 	memset(p,0xff,j);
 	p+=j;
@@ -130,6 +130,11 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
 		}
 	i++; /* Skip over the '\0' */
 	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
 	memcpy(to,p,(unsigned int)j);
 
 	return(j);
@@ -155,12 +160,14 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
 	/* pad out with non-zero random data */
 	j=tlen-3-flen;
 
-	RAND_bytes(p,j);
+	if (RAND_bytes(p,j) <= 0)
+		return(0);
 	for (i=0; i<j; i++)
 		{
 		if (*p == '\0')
 			do	{
-				RAND_bytes(p,1);
+				if (RAND_bytes(p,1) <= 0)
+					return(0);
 				} while (*p == '\0');
 		p++;
 		}
@@ -205,6 +212,11 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 		}
 	i++; /* Skip over the '\0' */
 	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
 	memcpy(to,p,(unsigned int)j);
 
 	return(j);
diff --git a/lib/libcrypto/rsa/rsa_saos.c b/lib/libcrypto/rsa/rsa_saos.c
index 73b8b0c7ad6..61efb0b00fd 100644
--- a/lib/libcrypto/rsa/rsa_saos.c
+++ b/lib/libcrypto/rsa/rsa_saos.c
@@ -136,7 +136,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, unsigned char *m,
 	else
 		ret=1;
 err:
-	if (sig != NULL) ASN1_OCTET_STRING_free(sig);
+	if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
 	memset(s,0,(unsigned int)siglen);
 	Free(s);
 	return(ret);
diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c
index 1740494a4c7..05bb7fb74af 100644
--- a/lib/libcrypto/rsa/rsa_sign.c
+++ b/lib/libcrypto/rsa/rsa_sign.c
@@ -63,59 +63,77 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
+/* Size of an SSL signature: MD5+SHA1 */
+#define SSL_SIG_LENGTH	36
+
 int RSA_sign(int type, unsigned char *m, unsigned int m_len,
 	     unsigned char *sigret, unsigned int *siglen, RSA *rsa)
 	{
 	X509_SIG sig;
 	ASN1_TYPE parameter;
 	int i,j,ret=1;
-	unsigned char *p,*s;
+	unsigned char *p,*s = NULL;
 	X509_ALGOR algor;
 	ASN1_OCTET_STRING digest;
-
-	sig.algor= &algor;
-	sig.algor->algorithm=OBJ_nid2obj(type);
-	if (sig.algor->algorithm == NULL)
-		{
-		RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
-		return(0);
-		}
-	if (sig.algor->algorithm->length == 0)
-		{
-		RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
-		return(0);
+	if(rsa->flags & RSA_FLAG_SIGN_VER)
+	      return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
+	/* Special case: SSL signature, just check the length */
+	if(type == NID_md5_sha1) {
+		if(m_len != SSL_SIG_LENGTH) {
+			RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
+			return(0);
 		}
-	parameter.type=V_ASN1_NULL;
-	parameter.value.ptr=NULL;
-	sig.algor->parameter= &parameter;
+		i = SSL_SIG_LENGTH;
+		s = m;
+	} else {
+		sig.algor= &algor;
+		sig.algor->algorithm=OBJ_nid2obj(type);
+		if (sig.algor->algorithm == NULL)
+			{
+			RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
+			return(0);
+			}
+		if (sig.algor->algorithm->length == 0)
+			{
+			RSAerr(RSA_F_RSA_SIGN,RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+			return(0);
+			}
+		parameter.type=V_ASN1_NULL;
+		parameter.value.ptr=NULL;
+		sig.algor->parameter= &parameter;
 
-	sig.digest= &digest;
-	sig.digest->data=m;
-	sig.digest->length=m_len;
+		sig.digest= &digest;
+		sig.digest->data=m;
+		sig.digest->length=m_len;
 
-	i=i2d_X509_SIG(&sig,NULL);
+		i=i2d_X509_SIG(&sig,NULL);
+	}
 	j=RSA_size(rsa);
 	if ((i-RSA_PKCS1_PADDING) > j)
 		{
 		RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
 		return(0);
 		}
-	s=(unsigned char *)Malloc((unsigned int)j+1);
-	if (s == NULL)
-		{
-		RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
-		return(0);
-		}
-	p=s;
-	i2d_X509_SIG(&sig,&p);
+	if(type != NID_md5_sha1) {
+		s=(unsigned char *)Malloc((unsigned int)j+1);
+		if (s == NULL)
+			{
+			RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		p=s;
+		i2d_X509_SIG(&sig,&p);
+	}
 	i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
 	if (i <= 0)
 		ret=0;
 	else
 		*siglen=i;
 
-	memset(s,0,(unsigned int)j+1);
-	Free(s);
+	if(type != NID_md5_sha1) {
+		memset(s,0,(unsigned int)j+1);
+		Free(s);
+	}
 	return(ret);
 	}
 
@@ -132,53 +150,68 @@ int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
 		return(0);
 		}
 
+	if(rsa->flags & RSA_FLAG_SIGN_VER)
+	    return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
+
 	s=(unsigned char *)Malloc((unsigned int)siglen);
 	if (s == NULL)
 		{
 		RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
+	if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
+			return(0);
+	}
 	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
 
 	if (i <= 0) goto err;
 
-	p=s;
-	sig=d2i_X509_SIG(NULL,&p,(long)i);
+	/* Special case: SSL signature */
+	if(dtype == NID_md5_sha1) {
+		if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
+				RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+		else ret = 1;
+	} else {
+		p=s;
+		sig=d2i_X509_SIG(NULL,&p,(long)i);
 
-	if (sig == NULL) goto err;
-	sigtype=OBJ_obj2nid(sig->algor->algorithm);
+		if (sig == NULL) goto err;
+		sigtype=OBJ_obj2nid(sig->algor->algorithm);
 
 
-#ifdef RSA_DEBUG
-	/* put a backward compatability flag in EAY */
-	fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
-		OBJ_nid2ln(dtype));
-#endif
-	if (sigtype != dtype)
-		{
-		if (((dtype == NID_md5) &&
-			(sigtype == NID_md5WithRSAEncryption)) ||
-			((dtype == NID_md2) &&
-			(sigtype == NID_md2WithRSAEncryption)))
+	#ifdef RSA_DEBUG
+		/* put a backward compatibility flag in EAY */
+		fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype),
+			OBJ_nid2ln(dtype));
+	#endif
+		if (sigtype != dtype)
 			{
-			/* ok, we will let it through */
-#if !defined(NO_STDIO) && !defined(WIN16)
-			fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
-#endif
+			if (((dtype == NID_md5) &&
+				(sigtype == NID_md5WithRSAEncryption)) ||
+				((dtype == NID_md2) &&
+				(sigtype == NID_md2WithRSAEncryption)))
+				{
+				/* ok, we will let it through */
+	#if !defined(NO_STDIO) && !defined(WIN16)
+				fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
+	#endif
+				}
+			else
+				{
+				RSAerr(RSA_F_RSA_VERIFY,
+						RSA_R_ALGORITHM_MISMATCH);
+				goto err;
+				}
 			}
-		else
+		if (	((unsigned int)sig->digest->length != m_len) ||
+			(memcmp(m,sig->digest->data,m_len) != 0))
 			{
-			RSAerr(RSA_F_RSA_VERIFY,RSA_R_ALGORITHM_MISMATCH);
-			goto err;
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
 			}
-		}
-	if (	((unsigned int)sig->digest->length != m_len) ||
-		(memcmp(m,sig->digest->data,m_len) != 0))
-		{
-		RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
-		}
-	else
-		ret=1;
+		else
+			ret=1;
+	}
 err:
 	if (sig != NULL) X509_SIG_free(sig);
 	memset(s,0,(unsigned int)siglen);
diff --git a/lib/libcrypto/rsa/rsa_ssl.c b/lib/libcrypto/rsa/rsa_ssl.c
index 1050844f8d2..81a857c8136 100644
--- a/lib/libcrypto/rsa/rsa_ssl.c
+++ b/lib/libcrypto/rsa/rsa_ssl.c
@@ -82,12 +82,14 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, unsigned char *from,
 	/* pad out with non-zero random data */
 	j=tlen-3-8-flen;
 
-	RAND_bytes(p,j);
+	if (RAND_bytes(p,j) <= 0)
+		return(0);
 	for (i=0; i<j; i++)
 		{
 		if (*p == '\0')
 			do	{
-				RAND_bytes(p,1);
+				if (RAND_bytes(p,1) <= 0)
+					return(0);
 				} while (*p == '\0');
 		p++;
 		}
@@ -140,6 +142,11 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned char *from,
 
 	i++; /* Skip over the '\0' */
 	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
 	memcpy(to,p,(unsigned int)j);
 
 	return(j);
diff --git a/lib/libcrypto/sha/Makefile.ssl b/lib/libcrypto/sha/Makefile.ssl
index 6ea5b1d719c..79ef43aa349 100644
--- a/lib/libcrypto/sha/Makefile.ssl
+++ b/lib/libcrypto/sha/Makefile.ssl
@@ -104,8 +104,8 @@ clean:
 sha1_one.o: ../../include/openssl/sha.h
 sha1dgst.o: ../../include/openssl/opensslconf.h
 sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
-sha1dgst.o: sha_locl.h
+sha1dgst.o: ../md32_common.h sha_locl.h
 sha_dgst.o: ../../include/openssl/opensslconf.h
 sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
-sha_dgst.o: sha_locl.h
+sha_dgst.o: ../md32_common.h sha_locl.h
 sha_one.o: ../../include/openssl/sha.h
diff --git a/lib/libcrypto/sha/asm/s1-win32.asm b/lib/libcrypto/sha/asm/s1-win32.asm
index 61335666b9c..699afdb0223 100644
--- a/lib/libcrypto/sha/asm/s1-win32.asm
+++ b/lib/libcrypto/sha/asm/s1-win32.asm
@@ -8,302 +8,303 @@
         .486
 .model FLAT
 _TEXT	SEGMENT
-PUBLIC	_sha1_block_x86
+PUBLIC	_sha1_block_asm_data_order
 
-_sha1_block_x86 PROC NEAR
+_sha1_block_asm_data_order PROC NEAR
+	mov	ecx,		DWORD PTR 12[esp]
 	push	esi
+	shl	ecx,		6
+	mov	esi,		DWORD PTR 12[esp]
 	push	ebp
-	mov	eax,		DWORD PTR 20[esp]
-	mov	esi,		DWORD PTR 16[esp]
-	add	eax,		esi
-	mov	ebp,		DWORD PTR 12[esp]
+	add	ecx,		esi
 	push	ebx
-	sub	eax,		64
+	mov	ebp,		DWORD PTR 16[esp]
 	push	edi
-	mov	ebx,		DWORD PTR 4[ebp]
-	sub	esp,		72
 	mov	edx,		DWORD PTR 12[ebp]
+	sub	esp,		108
 	mov	edi,		DWORD PTR 16[ebp]
-	mov	ecx,		DWORD PTR 8[ebp]
-	mov	DWORD PTR 68[esp],eax
+	mov	ebx,		DWORD PTR 8[ebp]
+	mov	DWORD PTR 68[esp],ecx
 	; First we need to setup the X array
-	mov	eax,		DWORD PTR [esi]
 L000start:
 	; First, load the words onto the stack in network byte order
+	mov	eax,		DWORD PTR [esi]
+	mov	ecx,		DWORD PTR 4[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR [esp],eax
-	mov	eax,		DWORD PTR 4[esi]
-	bswap	eax
-	mov	DWORD PTR 4[esp],eax
+	mov	DWORD PTR 4[esp],ecx
 	mov	eax,		DWORD PTR 8[esi]
+	mov	ecx,		DWORD PTR 12[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 8[esp],eax
-	mov	eax,		DWORD PTR 12[esi]
-	bswap	eax
-	mov	DWORD PTR 12[esp],eax
+	mov	DWORD PTR 12[esp],ecx
 	mov	eax,		DWORD PTR 16[esi]
+	mov	ecx,		DWORD PTR 20[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 16[esp],eax
-	mov	eax,		DWORD PTR 20[esi]
-	bswap	eax
-	mov	DWORD PTR 20[esp],eax
+	mov	DWORD PTR 20[esp],ecx
 	mov	eax,		DWORD PTR 24[esi]
+	mov	ecx,		DWORD PTR 28[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 24[esp],eax
-	mov	eax,		DWORD PTR 28[esi]
-	bswap	eax
-	mov	DWORD PTR 28[esp],eax
+	mov	DWORD PTR 28[esp],ecx
 	mov	eax,		DWORD PTR 32[esi]
+	mov	ecx,		DWORD PTR 36[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 32[esp],eax
-	mov	eax,		DWORD PTR 36[esi]
-	bswap	eax
-	mov	DWORD PTR 36[esp],eax
+	mov	DWORD PTR 36[esp],ecx
 	mov	eax,		DWORD PTR 40[esi]
+	mov	ecx,		DWORD PTR 44[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 40[esp],eax
-	mov	eax,		DWORD PTR 44[esi]
-	bswap	eax
-	mov	DWORD PTR 44[esp],eax
+	mov	DWORD PTR 44[esp],ecx
 	mov	eax,		DWORD PTR 48[esi]
+	mov	ecx,		DWORD PTR 52[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 48[esp],eax
-	mov	eax,		DWORD PTR 52[esi]
-	bswap	eax
-	mov	DWORD PTR 52[esp],eax
+	mov	DWORD PTR 52[esp],ecx
 	mov	eax,		DWORD PTR 56[esi]
+	mov	ecx,		DWORD PTR 60[esi]
 	bswap	eax
+	bswap	ecx
 	mov	DWORD PTR 56[esp],eax
-	mov	eax,		DWORD PTR 60[esi]
-	bswap	eax
-	mov	DWORD PTR 60[esp],eax
+	mov	DWORD PTR 60[esp],ecx
 	; We now have the X array on the stack
 	; starting at sp-4
-	mov	DWORD PTR 64[esp],esi
+	mov	DWORD PTR 132[esp],esi
+L001shortcut:
 	; 
 	; Start processing
 	mov	eax,		DWORD PTR [ebp]
+	mov	ecx,		DWORD PTR 4[ebp]
 	; 00_15 0
-	mov	esi,		ecx
+	mov	esi,		ebx
 	mov	ebp,		eax
 	xor	esi,		edx
 	rol	ebp,		5
-	and	esi,		ebx
+	and	esi,		ecx
 	add	ebp,		edi
-	ror	ebx,		1
+	ror	ecx,		1
 	mov	edi,		DWORD PTR [esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	esi,		edx
 	lea	ebp,		DWORD PTR 1518500249[edi*1+ebp]
-	mov	edi,		ebx
+	mov	edi,		ecx
 	add	esi,		ebp
-	xor	edi,		ecx
+	xor	edi,		ebx
 	mov	ebp,		esi
 	and	edi,		eax
 	rol	ebp,		5
 	add	ebp,		edx
 	mov	edx,		DWORD PTR 4[esp]
 	ror	eax,		1
-	xor	edi,		ecx
+	xor	edi,		ebx
 	ror	eax,		1
 	lea	ebp,		DWORD PTR 1518500249[edx*1+ebp]
 	add	edi,		ebp
 	; 00_15 2
 	mov	edx,		eax
 	mov	ebp,		edi
-	xor	edx,		ebx
+	xor	edx,		ecx
 	rol	ebp,		5
 	and	edx,		esi
-	add	ebp,		ecx
+	add	ebp,		ebx
 	ror	esi,		1
-	mov	ecx,		DWORD PTR 8[esp]
+	mov	ebx,		DWORD PTR 8[esp]
 	ror	esi,		1
-	xor	edx,		ebx
-	lea	ebp,		DWORD PTR 1518500249[ecx*1+ebp]
-	mov	ecx,		esi
+	xor	edx,		ecx
+	lea	ebp,		DWORD PTR 1518500249[ebx*1+ebp]
+	mov	ebx,		esi
 	add	edx,		ebp
-	xor	ecx,		eax
+	xor	ebx,		eax
 	mov	ebp,		edx
-	and	ecx,		edi
+	and	ebx,		edi
 	rol	ebp,		5
-	add	ebp,		ebx
-	mov	ebx,		DWORD PTR 12[esp]
+	add	ebp,		ecx
+	mov	ecx,		DWORD PTR 12[esp]
 	ror	edi,		1
-	xor	ecx,		eax
+	xor	ebx,		eax
 	ror	edi,		1
-	lea	ebp,		DWORD PTR 1518500249[ebx*1+ebp]
-	add	ecx,		ebp
+	lea	ebp,		DWORD PTR 1518500249[ecx*1+ebp]
+	add	ebx,		ebp
 	; 00_15 4
-	mov	ebx,		edi
-	mov	ebp,		ecx
-	xor	ebx,		esi
+	mov	ecx,		edi
+	mov	ebp,		ebx
+	xor	ecx,		esi
 	rol	ebp,		5
-	and	ebx,		edx
+	and	ecx,		edx
 	add	ebp,		eax
 	ror	edx,		1
 	mov	eax,		DWORD PTR 16[esp]
 	ror	edx,		1
-	xor	ebx,		esi
+	xor	ecx,		esi
 	lea	ebp,		DWORD PTR 1518500249[eax*1+ebp]
 	mov	eax,		edx
-	add	ebx,		ebp
+	add	ecx,		ebp
 	xor	eax,		edi
-	mov	ebp,		ebx
-	and	eax,		ecx
+	mov	ebp,		ecx
+	and	eax,		ebx
 	rol	ebp,		5
 	add	ebp,		esi
 	mov	esi,		DWORD PTR 20[esp]
-	ror	ecx,		1
+	ror	ebx,		1
 	xor	eax,		edi
-	ror	ecx,		1
+	ror	ebx,		1
 	lea	ebp,		DWORD PTR 1518500249[esi*1+ebp]
 	add	eax,		ebp
 	; 00_15 6
-	mov	esi,		ecx
+	mov	esi,		ebx
 	mov	ebp,		eax
 	xor	esi,		edx
 	rol	ebp,		5
-	and	esi,		ebx
+	and	esi,		ecx
 	add	ebp,		edi
-	ror	ebx,		1
+	ror	ecx,		1
 	mov	edi,		DWORD PTR 24[esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	esi,		edx
 	lea	ebp,		DWORD PTR 1518500249[edi*1+ebp]
-	mov	edi,		ebx
+	mov	edi,		ecx
 	add	esi,		ebp
-	xor	edi,		ecx
+	xor	edi,		ebx
 	mov	ebp,		esi
 	and	edi,		eax
 	rol	ebp,		5
 	add	ebp,		edx
 	mov	edx,		DWORD PTR 28[esp]
 	ror	eax,		1
-	xor	edi,		ecx
+	xor	edi,		ebx
 	ror	eax,		1
 	lea	ebp,		DWORD PTR 1518500249[edx*1+ebp]
 	add	edi,		ebp
 	; 00_15 8
 	mov	edx,		eax
 	mov	ebp,		edi
-	xor	edx,		ebx
+	xor	edx,		ecx
 	rol	ebp,		5
 	and	edx,		esi
-	add	ebp,		ecx
+	add	ebp,		ebx
 	ror	esi,		1
-	mov	ecx,		DWORD PTR 32[esp]
+	mov	ebx,		DWORD PTR 32[esp]
 	ror	esi,		1
-	xor	edx,		ebx
-	lea	ebp,		DWORD PTR 1518500249[ecx*1+ebp]
-	mov	ecx,		esi
+	xor	edx,		ecx
+	lea	ebp,		DWORD PTR 1518500249[ebx*1+ebp]
+	mov	ebx,		esi
 	add	edx,		ebp
-	xor	ecx,		eax
+	xor	ebx,		eax
 	mov	ebp,		edx
-	and	ecx,		edi
+	and	ebx,		edi
 	rol	ebp,		5
-	add	ebp,		ebx
-	mov	ebx,		DWORD PTR 36[esp]
+	add	ebp,		ecx
+	mov	ecx,		DWORD PTR 36[esp]
 	ror	edi,		1
-	xor	ecx,		eax
+	xor	ebx,		eax
 	ror	edi,		1
-	lea	ebp,		DWORD PTR 1518500249[ebx*1+ebp]
-	add	ecx,		ebp
+	lea	ebp,		DWORD PTR 1518500249[ecx*1+ebp]
+	add	ebx,		ebp
 	; 00_15 10
-	mov	ebx,		edi
-	mov	ebp,		ecx
-	xor	ebx,		esi
+	mov	ecx,		edi
+	mov	ebp,		ebx
+	xor	ecx,		esi
 	rol	ebp,		5
-	and	ebx,		edx
+	and	ecx,		edx
 	add	ebp,		eax
 	ror	edx,		1
 	mov	eax,		DWORD PTR 40[esp]
 	ror	edx,		1
-	xor	ebx,		esi
+	xor	ecx,		esi
 	lea	ebp,		DWORD PTR 1518500249[eax*1+ebp]
 	mov	eax,		edx
-	add	ebx,		ebp
+	add	ecx,		ebp
 	xor	eax,		edi
-	mov	ebp,		ebx
-	and	eax,		ecx
+	mov	ebp,		ecx
+	and	eax,		ebx
 	rol	ebp,		5
 	add	ebp,		esi
 	mov	esi,		DWORD PTR 44[esp]
-	ror	ecx,		1
+	ror	ebx,		1
 	xor	eax,		edi
-	ror	ecx,		1
+	ror	ebx,		1
 	lea	ebp,		DWORD PTR 1518500249[esi*1+ebp]
 	add	eax,		ebp
 	; 00_15 12
-	mov	esi,		ecx
+	mov	esi,		ebx
 	mov	ebp,		eax
 	xor	esi,		edx
 	rol	ebp,		5
-	and	esi,		ebx
+	and	esi,		ecx
 	add	ebp,		edi
-	ror	ebx,		1
+	ror	ecx,		1
 	mov	edi,		DWORD PTR 48[esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	esi,		edx
 	lea	ebp,		DWORD PTR 1518500249[edi*1+ebp]
-	mov	edi,		ebx
+	mov	edi,		ecx
 	add	esi,		ebp
-	xor	edi,		ecx
+	xor	edi,		ebx
 	mov	ebp,		esi
 	and	edi,		eax
 	rol	ebp,		5
 	add	ebp,		edx
 	mov	edx,		DWORD PTR 52[esp]
 	ror	eax,		1
-	xor	edi,		ecx
+	xor	edi,		ebx
 	ror	eax,		1
 	lea	ebp,		DWORD PTR 1518500249[edx*1+ebp]
 	add	edi,		ebp
 	; 00_15 14
 	mov	edx,		eax
 	mov	ebp,		edi
-	xor	edx,		ebx
+	xor	edx,		ecx
 	rol	ebp,		5
 	and	edx,		esi
-	add	ebp,		ecx
+	add	ebp,		ebx
 	ror	esi,		1
-	mov	ecx,		DWORD PTR 56[esp]
+	mov	ebx,		DWORD PTR 56[esp]
 	ror	esi,		1
-	xor	edx,		ebx
-	lea	ebp,		DWORD PTR 1518500249[ecx*1+ebp]
-	mov	ecx,		esi
+	xor	edx,		ecx
+	lea	ebp,		DWORD PTR 1518500249[ebx*1+ebp]
+	mov	ebx,		esi
 	add	edx,		ebp
-	xor	ecx,		eax
+	xor	ebx,		eax
 	mov	ebp,		edx
-	and	ecx,		edi
+	and	ebx,		edi
 	rol	ebp,		5
-	add	ebp,		ebx
-	mov	ebx,		DWORD PTR 60[esp]
+	add	ebp,		ecx
+	mov	ecx,		DWORD PTR 60[esp]
 	ror	edi,		1
-	xor	ecx,		eax
+	xor	ebx,		eax
 	ror	edi,		1
-	lea	ebp,		DWORD PTR 1518500249[ebx*1+ebp]
-	add	ecx,		ebp
+	lea	ebp,		DWORD PTR 1518500249[ecx*1+ebp]
+	add	ebx,		ebp
 	; 16_19 16
 	nop
 	mov	ebp,		DWORD PTR [esp]
-	mov	ebx,		DWORD PTR 8[esp]
-	xor	ebx,		ebp
+	mov	ecx,		DWORD PTR 8[esp]
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 32[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edi
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR [esp],ebx
+	mov	DWORD PTR [esp],ecx
 	and	ebp,		edx
-	lea	ebx,		DWORD PTR 1518500249[eax*1+ebx]
+	lea	ecx,		DWORD PTR 1518500249[eax*1+ecx]
 	xor	ebp,		esi
-	mov	eax,		ecx
-	add	ebx,		ebp
+	mov	eax,		ebx
+	add	ecx,		ebp
 	rol	eax,		5
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	mov	eax,		DWORD PTR 4[esp]
 	mov	ebp,		DWORD PTR 12[esp]
 	xor	eax,		ebp
@@ -316,14 +317,14 @@ L000start:
 	mov	ebp,		edx
 	xor	ebp,		edi
 	mov	DWORD PTR 4[esp],eax
-	and	ebp,		ecx
+	and	ebp,		ebx
 	lea	eax,		DWORD PTR 1518500249[esi*1+eax]
 	xor	ebp,		edi
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		ebp
 	; 16_19 18
 	mov	ebp,		DWORD PTR 8[esp]
@@ -333,17 +334,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 60[esp]
 	xor	esi,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	esi,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 8[esp],esi
-	and	ebp,		ebx
+	and	ebp,		ecx
 	lea	esi,		DWORD PTR 1518500249[edi*1+esi]
 	xor	ebp,		edx
 	mov	edi,		eax
 	add	esi,		ebp
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	mov	edi,		DWORD PTR 12[esp]
 	mov	ebp,		DWORD PTR 20[esp]
@@ -351,15 +352,15 @@ L000start:
 	mov	ebp,		DWORD PTR 44[esp]
 	xor	edi,		ebp
 	mov	ebp,		DWORD PTR [esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	edi,		ebp
 	rol	edi,		1
-	mov	ebp,		ebx
-	xor	ebp,		ecx
+	mov	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 12[esp],edi
 	and	ebp,		eax
 	lea	edi,		DWORD PTR 1518500249[edx*1+edi]
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	edx,		esi
 	rol	edx,		5
 	ror	eax,		1
@@ -378,54 +379,54 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR 16[esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 1859775393[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 1859775393[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 21
-	mov	ecx,		DWORD PTR 20[esp]
+	mov	ebx,		DWORD PTR 20[esp]
 	mov	ebp,		DWORD PTR 28[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 8[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 20[esp],ecx
+	mov	DWORD PTR 20[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 1859775393[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 1859775393[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 20_39 22
-	mov	ebx,		DWORD PTR 24[esp]
+	mov	ecx,		DWORD PTR 24[esp]
 	mov	ebp,		DWORD PTR 32[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 56[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 12[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		edi
-	mov	DWORD PTR 24[esp],ebx
+	mov	DWORD PTR 24[esp],ecx
 	xor	ebp,		esi
-	lea	ebx,		DWORD PTR 1859775393[eax*1+ebx]
-	mov	eax,		ecx
+	lea	ecx,		DWORD PTR 1859775393[eax*1+ecx]
+	mov	eax,		ebx
 	rol	eax,		5
 	ror	edx,		1
 	add	eax,		ebp
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	; 20_39 23
 	mov	eax,		DWORD PTR 28[esp]
 	mov	ebp,		DWORD PTR 36[esp]
@@ -434,17 +435,17 @@ L000start:
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 16[esp]
 	xor	eax,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	eax,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 28[esp],eax
 	xor	ebp,		edi
 	lea	eax,		DWORD PTR 1859775393[esi*1+eax]
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	esi,		ebp
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
 	; 20_39 24
 	mov	esi,		DWORD PTR 32[esp]
@@ -454,17 +455,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 20[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 32[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 1859775393[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 25
 	mov	edi,		DWORD PTR 36[esp]
@@ -476,9 +477,9 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 36[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 36[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 1859775393[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
@@ -498,54 +499,54 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR 40[esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 1859775393[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 1859775393[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 27
-	mov	ecx,		DWORD PTR 44[esp]
+	mov	ebx,		DWORD PTR 44[esp]
 	mov	ebp,		DWORD PTR 52[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 12[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 32[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 44[esp],ecx
+	mov	DWORD PTR 44[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 1859775393[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 1859775393[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 20_39 28
-	mov	ebx,		DWORD PTR 48[esp]
+	mov	ecx,		DWORD PTR 48[esp]
 	mov	ebp,		DWORD PTR 56[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 16[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 36[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		edi
-	mov	DWORD PTR 48[esp],ebx
+	mov	DWORD PTR 48[esp],ecx
 	xor	ebp,		esi
-	lea	ebx,		DWORD PTR 1859775393[eax*1+ebx]
-	mov	eax,		ecx
+	lea	ecx,		DWORD PTR 1859775393[eax*1+ecx]
+	mov	eax,		ebx
 	rol	eax,		5
 	ror	edx,		1
 	add	eax,		ebp
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	; 20_39 29
 	mov	eax,		DWORD PTR 52[esp]
 	mov	ebp,		DWORD PTR 60[esp]
@@ -554,17 +555,17 @@ L000start:
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 40[esp]
 	xor	eax,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	eax,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 52[esp],eax
 	xor	ebp,		edi
 	lea	eax,		DWORD PTR 1859775393[esi*1+eax]
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	esi,		ebp
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
 	; 20_39 30
 	mov	esi,		DWORD PTR 56[esp]
@@ -574,17 +575,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 44[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 56[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 1859775393[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 31
 	mov	edi,		DWORD PTR 60[esp]
@@ -596,9 +597,9 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 60[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 60[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 1859775393[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
@@ -618,54 +619,54 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR [esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 1859775393[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 1859775393[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 33
-	mov	ecx,		DWORD PTR 4[esp]
+	mov	ebx,		DWORD PTR 4[esp]
 	mov	ebp,		DWORD PTR 12[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 36[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 56[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 4[esp],ecx
+	mov	DWORD PTR 4[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 1859775393[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 1859775393[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 20_39 34
-	mov	ebx,		DWORD PTR 8[esp]
+	mov	ecx,		DWORD PTR 8[esp]
 	mov	ebp,		DWORD PTR 16[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 40[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 60[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		edi
-	mov	DWORD PTR 8[esp],ebx
+	mov	DWORD PTR 8[esp],ecx
 	xor	ebp,		esi
-	lea	ebx,		DWORD PTR 1859775393[eax*1+ebx]
-	mov	eax,		ecx
+	lea	ecx,		DWORD PTR 1859775393[eax*1+ecx]
+	mov	eax,		ebx
 	rol	eax,		5
 	ror	edx,		1
 	add	eax,		ebp
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	; 20_39 35
 	mov	eax,		DWORD PTR 12[esp]
 	mov	ebp,		DWORD PTR 20[esp]
@@ -674,17 +675,17 @@ L000start:
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR [esp]
 	xor	eax,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	eax,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 12[esp],eax
 	xor	ebp,		edi
 	lea	eax,		DWORD PTR 1859775393[esi*1+eax]
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	esi,		ebp
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
 	; 20_39 36
 	mov	esi,		DWORD PTR 16[esp]
@@ -694,17 +695,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 4[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 16[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 1859775393[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 37
 	mov	edi,		DWORD PTR 20[esp]
@@ -716,9 +717,9 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 20[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 20[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 1859775393[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
@@ -738,57 +739,57 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR 24[esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 1859775393[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 1859775393[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 39
-	mov	ecx,		DWORD PTR 28[esp]
+	mov	ebx,		DWORD PTR 28[esp]
 	mov	ebp,		DWORD PTR 36[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 60[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 16[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 28[esp],ecx
+	mov	DWORD PTR 28[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 1859775393[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 1859775393[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 40_59 40
-	mov	ebx,		DWORD PTR 32[esp]
+	mov	ecx,		DWORD PTR 32[esp]
 	mov	ebp,		DWORD PTR 40[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR [esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 20[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	or	ebp,		edi
-	mov	DWORD PTR 32[esp],ebx
+	mov	DWORD PTR 32[esp],ecx
 	and	ebp,		esi
-	lea	ebx,		DWORD PTR 2400959708[eax*1+ebx]
+	lea	ecx,		DWORD PTR 2400959708[eax*1+ecx]
 	mov	eax,		edx
 	ror	edx,		1
 	and	eax,		edi
 	or	ebp,		eax
-	mov	eax,		ecx
+	mov	eax,		ebx
 	rol	eax,		5
 	add	ebp,		eax
 	mov	eax,		DWORD PTR 36[esp]
-	add	ebx,		ebp
+	add	ecx,		ebp
 	mov	ebp,		DWORD PTR 44[esp]
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 4[esp]
@@ -797,19 +798,19 @@ L000start:
 	ror	edx,		1
 	xor	eax,		ebp
 	rol	eax,		1
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	mov	DWORD PTR 36[esp],eax
 	or	ebp,		edx
 	lea	eax,		DWORD PTR 2400959708[esi*1+eax]
-	mov	esi,		ecx
+	mov	esi,		ebx
 	and	ebp,		edi
 	and	esi,		edx
 	or	ebp,		esi
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	ebp,		esi
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		ebp
 	; 40_59 41
 	; 40_59 42
@@ -820,15 +821,15 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 28[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	or	ebp,		ecx
+	or	ebp,		ebx
 	mov	DWORD PTR 40[esp],esi
 	and	ebp,		edx
 	lea	esi,		DWORD PTR 2400959708[edi*1+esi]
-	mov	edi,		ebx
-	ror	ebx,		1
-	and	edi,		ecx
+	mov	edi,		ecx
+	ror	ecx,		1
+	and	edi,		ebx
 	or	ebp,		edi
 	mov	edi,		eax
 	rol	edi,		5
@@ -840,16 +841,16 @@ L000start:
 	mov	ebp,		DWORD PTR 12[esp]
 	xor	edi,		ebp
 	mov	ebp,		DWORD PTR 32[esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	edi,		ebp
 	rol	edi,		1
 	mov	ebp,		eax
 	mov	DWORD PTR 44[esp],edi
-	or	ebp,		ebx
+	or	ebp,		ecx
 	lea	edi,		DWORD PTR 2400959708[edx*1+edi]
 	mov	edx,		eax
-	and	ebp,		ecx
-	and	edx,		ebx
+	and	ebp,		ebx
+	and	edx,		ecx
 	or	ebp,		edx
 	mov	edx,		esi
 	rol	edx,		5
@@ -870,63 +871,63 @@ L000start:
 	rol	edx,		1
 	or	ebp,		eax
 	mov	DWORD PTR 48[esp],edx
-	and	ebp,		ebx
-	lea	edx,		DWORD PTR 2400959708[ecx*1+edx]
-	mov	ecx,		esi
+	and	ebp,		ecx
+	lea	edx,		DWORD PTR 2400959708[ebx*1+edx]
+	mov	ebx,		esi
 	ror	esi,		1
-	and	ecx,		eax
-	or	ebp,		ecx
-	mov	ecx,		edi
-	rol	ecx,		5
-	add	ebp,		ecx
-	mov	ecx,		DWORD PTR 52[esp]
+	and	ebx,		eax
+	or	ebp,		ebx
+	mov	ebx,		edi
+	rol	ebx,		5
+	add	ebp,		ebx
+	mov	ebx,		DWORD PTR 52[esp]
 	add	edx,		ebp
 	mov	ebp,		DWORD PTR 60[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 20[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 40[esp]
 	ror	esi,		1
-	xor	ecx,		ebp
-	rol	ecx,		1
+	xor	ebx,		ebp
+	rol	ebx,		1
 	mov	ebp,		edi
-	mov	DWORD PTR 52[esp],ecx
+	mov	DWORD PTR 52[esp],ebx
 	or	ebp,		esi
-	lea	ecx,		DWORD PTR 2400959708[ebx*1+ecx]
-	mov	ebx,		edi
+	lea	ebx,		DWORD PTR 2400959708[ecx*1+ebx]
+	mov	ecx,		edi
 	and	ebp,		eax
-	and	ebx,		esi
-	or	ebp,		ebx
-	mov	ebx,		edx
-	rol	ebx,		5
+	and	ecx,		esi
+	or	ebp,		ecx
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebp,		ebx
+	add	ebp,		ecx
 	ror	edi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	; 40_59 45
 	; 40_59 46
-	mov	ebx,		DWORD PTR 56[esp]
+	mov	ecx,		DWORD PTR 56[esp]
 	mov	ebp,		DWORD PTR [esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 24[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 44[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	or	ebp,		edi
-	mov	DWORD PTR 56[esp],ebx
+	mov	DWORD PTR 56[esp],ecx
 	and	ebp,		esi
-	lea	ebx,		DWORD PTR 2400959708[eax*1+ebx]
+	lea	ecx,		DWORD PTR 2400959708[eax*1+ecx]
 	mov	eax,		edx
 	ror	edx,		1
 	and	eax,		edi
 	or	ebp,		eax
-	mov	eax,		ecx
+	mov	eax,		ebx
 	rol	eax,		5
 	add	ebp,		eax
 	mov	eax,		DWORD PTR 60[esp]
-	add	ebx,		ebp
+	add	ecx,		ebp
 	mov	ebp,		DWORD PTR 4[esp]
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 28[esp]
@@ -935,19 +936,19 @@ L000start:
 	ror	edx,		1
 	xor	eax,		ebp
 	rol	eax,		1
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	mov	DWORD PTR 60[esp],eax
 	or	ebp,		edx
 	lea	eax,		DWORD PTR 2400959708[esi*1+eax]
-	mov	esi,		ecx
+	mov	esi,		ebx
 	and	ebp,		edi
 	and	esi,		edx
 	or	ebp,		esi
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	ebp,		esi
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		ebp
 	; 40_59 47
 	; 40_59 48
@@ -958,15 +959,15 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	or	ebp,		ecx
+	or	ebp,		ebx
 	mov	DWORD PTR [esp],esi
 	and	ebp,		edx
 	lea	esi,		DWORD PTR 2400959708[edi*1+esi]
-	mov	edi,		ebx
-	ror	ebx,		1
-	and	edi,		ecx
+	mov	edi,		ecx
+	ror	ecx,		1
+	and	edi,		ebx
 	or	ebp,		edi
 	mov	edi,		eax
 	rol	edi,		5
@@ -978,16 +979,16 @@ L000start:
 	mov	ebp,		DWORD PTR 36[esp]
 	xor	edi,		ebp
 	mov	ebp,		DWORD PTR 56[esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	edi,		ebp
 	rol	edi,		1
 	mov	ebp,		eax
 	mov	DWORD PTR 4[esp],edi
-	or	ebp,		ebx
+	or	ebp,		ecx
 	lea	edi,		DWORD PTR 2400959708[edx*1+edi]
 	mov	edx,		eax
-	and	ebp,		ecx
-	and	edx,		ebx
+	and	ebp,		ebx
+	and	edx,		ecx
 	or	ebp,		edx
 	mov	edx,		esi
 	rol	edx,		5
@@ -1008,63 +1009,63 @@ L000start:
 	rol	edx,		1
 	or	ebp,		eax
 	mov	DWORD PTR 8[esp],edx
-	and	ebp,		ebx
-	lea	edx,		DWORD PTR 2400959708[ecx*1+edx]
-	mov	ecx,		esi
+	and	ebp,		ecx
+	lea	edx,		DWORD PTR 2400959708[ebx*1+edx]
+	mov	ebx,		esi
 	ror	esi,		1
-	and	ecx,		eax
-	or	ebp,		ecx
-	mov	ecx,		edi
-	rol	ecx,		5
-	add	ebp,		ecx
-	mov	ecx,		DWORD PTR 12[esp]
+	and	ebx,		eax
+	or	ebp,		ebx
+	mov	ebx,		edi
+	rol	ebx,		5
+	add	ebp,		ebx
+	mov	ebx,		DWORD PTR 12[esp]
 	add	edx,		ebp
 	mov	ebp,		DWORD PTR 20[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 44[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR [esp]
 	ror	esi,		1
-	xor	ecx,		ebp
-	rol	ecx,		1
+	xor	ebx,		ebp
+	rol	ebx,		1
 	mov	ebp,		edi
-	mov	DWORD PTR 12[esp],ecx
+	mov	DWORD PTR 12[esp],ebx
 	or	ebp,		esi
-	lea	ecx,		DWORD PTR 2400959708[ebx*1+ecx]
-	mov	ebx,		edi
+	lea	ebx,		DWORD PTR 2400959708[ecx*1+ebx]
+	mov	ecx,		edi
 	and	ebp,		eax
-	and	ebx,		esi
-	or	ebp,		ebx
-	mov	ebx,		edx
-	rol	ebx,		5
+	and	ecx,		esi
+	or	ebp,		ecx
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebp,		ebx
+	add	ebp,		ecx
 	ror	edi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	; 40_59 51
 	; 40_59 52
-	mov	ebx,		DWORD PTR 16[esp]
+	mov	ecx,		DWORD PTR 16[esp]
 	mov	ebp,		DWORD PTR 24[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 48[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 4[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	or	ebp,		edi
-	mov	DWORD PTR 16[esp],ebx
+	mov	DWORD PTR 16[esp],ecx
 	and	ebp,		esi
-	lea	ebx,		DWORD PTR 2400959708[eax*1+ebx]
+	lea	ecx,		DWORD PTR 2400959708[eax*1+ecx]
 	mov	eax,		edx
 	ror	edx,		1
 	and	eax,		edi
 	or	ebp,		eax
-	mov	eax,		ecx
+	mov	eax,		ebx
 	rol	eax,		5
 	add	ebp,		eax
 	mov	eax,		DWORD PTR 20[esp]
-	add	ebx,		ebp
+	add	ecx,		ebp
 	mov	ebp,		DWORD PTR 28[esp]
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
@@ -1073,19 +1074,19 @@ L000start:
 	ror	edx,		1
 	xor	eax,		ebp
 	rol	eax,		1
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	mov	DWORD PTR 20[esp],eax
 	or	ebp,		edx
 	lea	eax,		DWORD PTR 2400959708[esi*1+eax]
-	mov	esi,		ecx
+	mov	esi,		ebx
 	and	ebp,		edi
 	and	esi,		edx
 	or	ebp,		esi
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	ebp,		esi
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		ebp
 	; 40_59 53
 	; 40_59 54
@@ -1096,15 +1097,15 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 12[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	or	ebp,		ecx
+	or	ebp,		ebx
 	mov	DWORD PTR 24[esp],esi
 	and	ebp,		edx
 	lea	esi,		DWORD PTR 2400959708[edi*1+esi]
-	mov	edi,		ebx
-	ror	ebx,		1
-	and	edi,		ecx
+	mov	edi,		ecx
+	ror	ecx,		1
+	and	edi,		ebx
 	or	ebp,		edi
 	mov	edi,		eax
 	rol	edi,		5
@@ -1116,16 +1117,16 @@ L000start:
 	mov	ebp,		DWORD PTR 60[esp]
 	xor	edi,		ebp
 	mov	ebp,		DWORD PTR 16[esp]
-	ror	ebx,		1
+	ror	ecx,		1
 	xor	edi,		ebp
 	rol	edi,		1
 	mov	ebp,		eax
 	mov	DWORD PTR 28[esp],edi
-	or	ebp,		ebx
+	or	ebp,		ecx
 	lea	edi,		DWORD PTR 2400959708[edx*1+edi]
 	mov	edx,		eax
-	and	ebp,		ecx
-	and	edx,		ebx
+	and	ebp,		ebx
+	and	edx,		ecx
 	or	ebp,		edx
 	mov	edx,		esi
 	rol	edx,		5
@@ -1146,63 +1147,63 @@ L000start:
 	rol	edx,		1
 	or	ebp,		eax
 	mov	DWORD PTR 32[esp],edx
-	and	ebp,		ebx
-	lea	edx,		DWORD PTR 2400959708[ecx*1+edx]
-	mov	ecx,		esi
+	and	ebp,		ecx
+	lea	edx,		DWORD PTR 2400959708[ebx*1+edx]
+	mov	ebx,		esi
 	ror	esi,		1
-	and	ecx,		eax
-	or	ebp,		ecx
-	mov	ecx,		edi
-	rol	ecx,		5
-	add	ebp,		ecx
-	mov	ecx,		DWORD PTR 36[esp]
+	and	ebx,		eax
+	or	ebp,		ebx
+	mov	ebx,		edi
+	rol	ebx,		5
+	add	ebp,		ebx
+	mov	ebx,		DWORD PTR 36[esp]
 	add	edx,		ebp
 	mov	ebp,		DWORD PTR 44[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 4[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 24[esp]
 	ror	esi,		1
-	xor	ecx,		ebp
-	rol	ecx,		1
+	xor	ebx,		ebp
+	rol	ebx,		1
 	mov	ebp,		edi
-	mov	DWORD PTR 36[esp],ecx
+	mov	DWORD PTR 36[esp],ebx
 	or	ebp,		esi
-	lea	ecx,		DWORD PTR 2400959708[ebx*1+ecx]
-	mov	ebx,		edi
+	lea	ebx,		DWORD PTR 2400959708[ecx*1+ebx]
+	mov	ecx,		edi
 	and	ebp,		eax
-	and	ebx,		esi
-	or	ebp,		ebx
-	mov	ebx,		edx
-	rol	ebx,		5
+	and	ecx,		esi
+	or	ebp,		ecx
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebp,		ebx
+	add	ebp,		ecx
 	ror	edi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	; 40_59 57
 	; 40_59 58
-	mov	ebx,		DWORD PTR 40[esp]
+	mov	ecx,		DWORD PTR 40[esp]
 	mov	ebp,		DWORD PTR 48[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 8[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 28[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	or	ebp,		edi
-	mov	DWORD PTR 40[esp],ebx
+	mov	DWORD PTR 40[esp],ecx
 	and	ebp,		esi
-	lea	ebx,		DWORD PTR 2400959708[eax*1+ebx]
+	lea	ecx,		DWORD PTR 2400959708[eax*1+ecx]
 	mov	eax,		edx
 	ror	edx,		1
 	and	eax,		edi
 	or	ebp,		eax
-	mov	eax,		ecx
+	mov	eax,		ebx
 	rol	eax,		5
 	add	ebp,		eax
 	mov	eax,		DWORD PTR 44[esp]
-	add	ebx,		ebp
+	add	ecx,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 12[esp]
@@ -1211,19 +1212,19 @@ L000start:
 	ror	edx,		1
 	xor	eax,		ebp
 	rol	eax,		1
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	mov	DWORD PTR 44[esp],eax
 	or	ebp,		edx
 	lea	eax,		DWORD PTR 2400959708[esi*1+eax]
-	mov	esi,		ecx
+	mov	esi,		ebx
 	and	ebp,		edi
 	and	esi,		edx
 	or	ebp,		esi
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	ebp,		esi
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		ebp
 	; 40_59 59
 	; 20_39 60
@@ -1234,17 +1235,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 36[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 48[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 3395469782[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 61
 	mov	edi,		DWORD PTR 52[esp]
@@ -1256,9 +1257,9 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 52[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 52[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 3395469782[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
@@ -1278,54 +1279,54 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR 56[esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 3395469782[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 3395469782[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 63
-	mov	ecx,		DWORD PTR 60[esp]
+	mov	ebx,		DWORD PTR 60[esp]
 	mov	ebp,		DWORD PTR 4[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 28[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 48[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 60[esp],ecx
+	mov	DWORD PTR 60[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 3395469782[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 3395469782[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 20_39 64
-	mov	ebx,		DWORD PTR [esp]
+	mov	ecx,		DWORD PTR [esp]
 	mov	ebp,		DWORD PTR 8[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 32[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		edi
-	mov	DWORD PTR [esp],ebx
+	mov	DWORD PTR [esp],ecx
 	xor	ebp,		esi
-	lea	ebx,		DWORD PTR 3395469782[eax*1+ebx]
-	mov	eax,		ecx
+	lea	ecx,		DWORD PTR 3395469782[eax*1+ecx]
+	mov	eax,		ebx
 	rol	eax,		5
 	ror	edx,		1
 	add	eax,		ebp
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	; 20_39 65
 	mov	eax,		DWORD PTR 4[esp]
 	mov	ebp,		DWORD PTR 12[esp]
@@ -1334,17 +1335,17 @@ L000start:
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 56[esp]
 	xor	eax,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	eax,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 4[esp],eax
 	xor	ebp,		edi
 	lea	eax,		DWORD PTR 3395469782[esi*1+eax]
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	esi,		ebp
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
 	; 20_39 66
 	mov	esi,		DWORD PTR 8[esp]
@@ -1354,17 +1355,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 60[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 8[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 3395469782[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 67
 	mov	edi,		DWORD PTR 12[esp]
@@ -1376,9 +1377,9 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 12[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 12[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 3395469782[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
@@ -1398,54 +1399,54 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR 16[esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 3395469782[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 3395469782[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 69
-	mov	ecx,		DWORD PTR 20[esp]
+	mov	ebx,		DWORD PTR 20[esp]
 	mov	ebp,		DWORD PTR 28[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 52[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 8[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 20[esp],ecx
+	mov	DWORD PTR 20[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 3395469782[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 3395469782[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 20_39 70
-	mov	ebx,		DWORD PTR 24[esp]
+	mov	ecx,		DWORD PTR 24[esp]
 	mov	ebp,		DWORD PTR 32[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 56[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 12[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		edi
-	mov	DWORD PTR 24[esp],ebx
+	mov	DWORD PTR 24[esp],ecx
 	xor	ebp,		esi
-	lea	ebx,		DWORD PTR 3395469782[eax*1+ebx]
-	mov	eax,		ecx
+	lea	ecx,		DWORD PTR 3395469782[eax*1+ecx]
+	mov	eax,		ebx
 	rol	eax,		5
 	ror	edx,		1
 	add	eax,		ebp
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	; 20_39 71
 	mov	eax,		DWORD PTR 28[esp]
 	mov	ebp,		DWORD PTR 36[esp]
@@ -1454,17 +1455,17 @@ L000start:
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 16[esp]
 	xor	eax,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	eax,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 28[esp],eax
 	xor	ebp,		edi
 	lea	eax,		DWORD PTR 3395469782[esi*1+eax]
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	esi,		ebp
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
 	; 20_39 72
 	mov	esi,		DWORD PTR 32[esp]
@@ -1474,17 +1475,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 20[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 32[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 3395469782[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 73
 	mov	edi,		DWORD PTR 36[esp]
@@ -1496,9 +1497,9 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 36[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 36[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 3395469782[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
@@ -1518,54 +1519,54 @@ L000start:
 	rol	edx,		1
 	xor	ebp,		eax
 	mov	DWORD PTR 40[esp],edx
-	xor	ebp,		ebx
-	lea	edx,		DWORD PTR 3395469782[ecx*1+edx]
-	mov	ecx,		edi
-	rol	ecx,		5
+	xor	ebp,		ecx
+	lea	edx,		DWORD PTR 3395469782[ebx*1+edx]
+	mov	ebx,		edi
+	rol	ebx,		5
 	ror	esi,		1
-	add	ecx,		ebp
+	add	ebx,		ebp
 	ror	esi,		1
-	add	edx,		ecx
+	add	edx,		ebx
 	; 20_39 75
-	mov	ecx,		DWORD PTR 44[esp]
+	mov	ebx,		DWORD PTR 44[esp]
 	mov	ebp,		DWORD PTR 52[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 12[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		DWORD PTR 32[esp]
-	xor	ecx,		ebp
+	xor	ebx,		ebp
 	mov	ebp,		edi
-	rol	ecx,		1
+	rol	ebx,		1
 	xor	ebp,		esi
-	mov	DWORD PTR 44[esp],ecx
+	mov	DWORD PTR 44[esp],ebx
 	xor	ebp,		eax
-	lea	ecx,		DWORD PTR 3395469782[ebx*1+ecx]
-	mov	ebx,		edx
-	rol	ebx,		5
+	lea	ebx,		DWORD PTR 3395469782[ecx*1+ebx]
+	mov	ecx,		edx
+	rol	ecx,		5
 	ror	edi,		1
-	add	ebx,		ebp
+	add	ecx,		ebp
 	ror	edi,		1
-	add	ecx,		ebx
+	add	ebx,		ecx
 	; 20_39 76
-	mov	ebx,		DWORD PTR 48[esp]
+	mov	ecx,		DWORD PTR 48[esp]
 	mov	ebp,		DWORD PTR 56[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 16[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		DWORD PTR 36[esp]
-	xor	ebx,		ebp
+	xor	ecx,		ebp
 	mov	ebp,		edx
-	rol	ebx,		1
+	rol	ecx,		1
 	xor	ebp,		edi
-	mov	DWORD PTR 48[esp],ebx
+	mov	DWORD PTR 48[esp],ecx
 	xor	ebp,		esi
-	lea	ebx,		DWORD PTR 3395469782[eax*1+ebx]
-	mov	eax,		ecx
+	lea	ecx,		DWORD PTR 3395469782[eax*1+ecx]
+	mov	eax,		ebx
 	rol	eax,		5
 	ror	edx,		1
 	add	eax,		ebp
 	ror	edx,		1
-	add	ebx,		eax
+	add	ecx,		eax
 	; 20_39 77
 	mov	eax,		DWORD PTR 52[esp]
 	mov	ebp,		DWORD PTR 60[esp]
@@ -1574,17 +1575,17 @@ L000start:
 	xor	eax,		ebp
 	mov	ebp,		DWORD PTR 40[esp]
 	xor	eax,		ebp
-	mov	ebp,		ecx
+	mov	ebp,		ebx
 	rol	eax,		1
 	xor	ebp,		edx
 	mov	DWORD PTR 52[esp],eax
 	xor	ebp,		edi
 	lea	eax,		DWORD PTR 3395469782[esi*1+eax]
-	mov	esi,		ebx
+	mov	esi,		ecx
 	rol	esi,		5
-	ror	ecx,		1
+	ror	ebx,		1
 	add	esi,		ebp
-	ror	ecx,		1
+	ror	ebx,		1
 	add	eax,		esi
 	; 20_39 78
 	mov	esi,		DWORD PTR 56[esp]
@@ -1594,17 +1595,17 @@ L000start:
 	xor	esi,		ebp
 	mov	ebp,		DWORD PTR 44[esp]
 	xor	esi,		ebp
-	mov	ebp,		ebx
+	mov	ebp,		ecx
 	rol	esi,		1
-	xor	ebp,		ecx
+	xor	ebp,		ebx
 	mov	DWORD PTR 56[esp],esi
 	xor	ebp,		edx
 	lea	esi,		DWORD PTR 3395469782[edi*1+esi]
 	mov	edi,		eax
 	rol	edi,		5
-	ror	ebx,		1
+	ror	ecx,		1
 	add	edi,		ebp
-	ror	ebx,		1
+	ror	ecx,		1
 	add	esi,		edi
 	; 20_39 79
 	mov	edi,		DWORD PTR 60[esp]
@@ -1616,49 +1617,100 @@ L000start:
 	xor	edi,		ebp
 	mov	ebp,		eax
 	rol	edi,		1
-	xor	ebp,		ebx
-	mov	DWORD PTR 60[esp],edi
 	xor	ebp,		ecx
+	mov	DWORD PTR 60[esp],edi
+	xor	ebp,		ebx
 	lea	edi,		DWORD PTR 3395469782[edx*1+edi]
 	mov	edx,		esi
 	rol	edx,		5
 	add	edx,		ebp
-	mov	ebp,		DWORD PTR 92[esp]
+	mov	ebp,		DWORD PTR 128[esp]
 	ror	eax,		1
 	add	edi,		edx
 	ror	eax,		1
 	; End processing
 	; 
 	mov	edx,		DWORD PTR 12[ebp]
-	add	edx,		ebx
-	mov	ebx,		DWORD PTR 4[ebp]
-	add	ebx,		esi
+	add	edx,		ecx
+	mov	ecx,		DWORD PTR 4[ebp]
+	add	ecx,		esi
 	mov	esi,		eax
 	mov	eax,		DWORD PTR [ebp]
 	mov	DWORD PTR 12[ebp],edx
 	add	eax,		edi
 	mov	edi,		DWORD PTR 16[ebp]
-	add	edi,		ecx
-	mov	ecx,		DWORD PTR 8[ebp]
-	add	ecx,		esi
+	add	edi,		ebx
+	mov	ebx,		DWORD PTR 8[ebp]
+	add	ebx,		esi
 	mov	DWORD PTR [ebp],eax
-	mov	esi,		DWORD PTR 64[esp]
-	mov	DWORD PTR 8[ebp],ecx
+	mov	esi,		DWORD PTR 132[esp]
+	mov	DWORD PTR 8[ebp],ebx
 	add	esi,		64
 	mov	eax,		DWORD PTR 68[esp]
 	mov	DWORD PTR 16[ebp],edi
-	cmp	eax,		esi
-	mov	DWORD PTR 4[ebp],ebx
-	jl	$L001end
-	mov	eax,		DWORD PTR [esi]
-	jmp	L000start
-$L001end:
-	add	esp,		72
+	cmp	esi,		eax
+	mov	DWORD PTR 4[ebp],ecx
+	jl	L000start
+	add	esp,		108
 	pop	edi
 	pop	ebx
 	pop	ebp
 	pop	esi
 	ret
-_sha1_block_x86 ENDP
+_TEXT	SEGMENT
+PUBLIC	_sha1_block_asm_host_order
+
+_sha1_block_asm_host_order PROC NEAR
+	mov	ecx,		DWORD PTR 12[esp]
+	push	esi
+	shl	ecx,		6
+	mov	esi,		DWORD PTR 12[esp]
+	push	ebp
+	add	ecx,		esi
+	push	ebx
+	mov	ebp,		DWORD PTR 16[esp]
+	push	edi
+	mov	edx,		DWORD PTR 12[ebp]
+	sub	esp,		108
+	mov	edi,		DWORD PTR 16[ebp]
+	mov	ebx,		DWORD PTR 8[ebp]
+	mov	DWORD PTR 68[esp],ecx
+	; First we need to setup the X array
+	mov	eax,		DWORD PTR [esi]
+	mov	ecx,		DWORD PTR 4[esi]
+	mov	DWORD PTR [esp],eax
+	mov	DWORD PTR 4[esp],ecx
+	mov	eax,		DWORD PTR 8[esi]
+	mov	ecx,		DWORD PTR 12[esi]
+	mov	DWORD PTR 8[esp],eax
+	mov	DWORD PTR 12[esp],ecx
+	mov	eax,		DWORD PTR 16[esi]
+	mov	ecx,		DWORD PTR 20[esi]
+	mov	DWORD PTR 16[esp],eax
+	mov	DWORD PTR 20[esp],ecx
+	mov	eax,		DWORD PTR 24[esi]
+	mov	ecx,		DWORD PTR 28[esi]
+	mov	DWORD PTR 24[esp],eax
+	mov	DWORD PTR 28[esp],ecx
+	mov	eax,		DWORD PTR 32[esi]
+	mov	ecx,		DWORD PTR 36[esi]
+	mov	DWORD PTR 32[esp],eax
+	mov	DWORD PTR 36[esp],ecx
+	mov	eax,		DWORD PTR 40[esi]
+	mov	ecx,		DWORD PTR 44[esi]
+	mov	DWORD PTR 40[esp],eax
+	mov	DWORD PTR 44[esp],ecx
+	mov	eax,		DWORD PTR 48[esi]
+	mov	ecx,		DWORD PTR 52[esi]
+	mov	DWORD PTR 48[esp],eax
+	mov	DWORD PTR 52[esp],ecx
+	mov	eax,		DWORD PTR 56[esi]
+	mov	ecx,		DWORD PTR 60[esi]
+	mov	DWORD PTR 56[esp],eax
+	mov	DWORD PTR 60[esp],ecx
+	jmp	L001shortcut
+_sha1_block_asm_host_order ENDP
+_TEXT	ENDS
+_sha1_block_asm_data_order ENDP
 _TEXT	ENDS
 END
diff --git a/lib/libcrypto/sha/asm/sha1-586.pl b/lib/libcrypto/sha/asm/sha1-586.pl
index 04e42ab09fd..48d9192a4e6 100644
--- a/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/lib/libcrypto/sha/asm/sha1-586.pl
@@ -8,8 +8,8 @@ require "x86asm.pl";
 &asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386");
 
 $A="eax";
-$B="ebx";
-$C="ecx";
+$B="ecx";
+$C="ebx";
 $D="edx";
 $E="edi";
 $T="esi";
@@ -19,7 +19,7 @@ $off=9*4;
 
 @K=(0x5a827999,0x6ed9eba1,0x8f1bbcdc,0xca62c1d6);
 
-&sha1_block("sha1_block_x86");
+&sha1_block_data("sha1_block_asm_data_order");
 
 &asm_finish();
 
@@ -53,11 +53,14 @@ sub X_expand
 	local($in)=@_;
 
 	&comment("First, load the words onto the stack in network byte order");
-	for ($i=0; $i<16; $i++)
+	for ($i=0; $i<16; $i+=2)
 		{
-		&mov("eax",&DWP(($i+0)*4,$in,"",0)) unless $i == 0;
-		&bswap("eax");
-		&mov(&swtmp($i+0),"eax");
+		&mov($A,&DWP(($i+0)*4,$in,"",0));# unless $i == 0;
+		 &mov($B,&DWP(($i+1)*4,$in,"",0));
+		&bswap($A);
+		 &bswap($B);
+		&mov(&swtmp($i+0),$A);
+		 &mov(&swtmp($i+1),$B);
 		}
 
 	&comment("We now have the X array on the stack");
@@ -312,7 +315,7 @@ sub BODY_60_79
 	&BODY_20_39(@_);
 	}
 
-sub sha1_block
+sub sha1_block_host
 	{
 	local($name)=@_;
 
@@ -325,35 +328,77 @@ sub sha1_block
 	# D 	12
 	# E 	16
 
-	&push("esi");
-	 &push("ebp");
-	&mov("eax",	&wparam(2));
+	&mov("ecx",	&wparam(2));
+	 &push("esi");
+	&shl("ecx",6);
 	 &mov("esi",	&wparam(1));
-	&add("eax",	"esi");	# offset to leave on
+	&push("ebp");
+	 &add("ecx","esi");	# offset to leave on
+	&push("ebx");
 	 &mov("ebp",	&wparam(0));
+	&push("edi");
+	 &mov($D,	&DWP(12,"ebp","",0));
+	&stack_push(18+9);
+	 &mov($E,	&DWP(16,"ebp","",0));
+	&mov($C,	&DWP( 8,"ebp","",0));
+	 &mov(&swtmp(17),"ecx");
+
+	&comment("First we need to setup the X array");
+
+	for ($i=0; $i<16; $i+=2)
+		{
+		&mov($A,&DWP(($i+0)*4,"esi","",0));# unless $i == 0;
+		 &mov($B,&DWP(($i+1)*4,"esi","",0));
+		&mov(&swtmp($i+0),$A);
+		 &mov(&swtmp($i+1),$B);
+		}
+	&jmp(&label("shortcut"));
+	&function_end_B($name);
+	}
+
+
+sub sha1_block_data
+	{
+	local($name)=@_;
+
+	&function_begin_B($name,"");
+
+	# parameter 1 is the MD5_CTX structure.
+	# A	0
+	# B	4
+	# C	8
+	# D 	12
+	# E 	16
+
+	&mov("ecx",	&wparam(2));
+	 &push("esi");
+	&shl("ecx",6);
+	 &mov("esi",	&wparam(1));
+	&push("ebp");
+	 &add("ecx","esi");	# offset to leave on
 	&push("ebx");
-	 &sub("eax",	64);
+	 &mov("ebp",	&wparam(0));
 	&push("edi");
-	 &mov($B,	&DWP( 4,"ebp","",0));
-	&stack_push(18);
 	 &mov($D,	&DWP(12,"ebp","",0));
-	&mov($E,	&DWP(16,"ebp","",0));
-	 &mov($C,	&DWP( 8,"ebp","",0));
-	&mov(&swtmp(17),"eax");
+	&stack_push(18+9);
+	 &mov($E,	&DWP(16,"ebp","",0));
+	&mov($C,	&DWP( 8,"ebp","",0));
+	 &mov(&swtmp(17),"ecx");
 
 	&comment("First we need to setup the X array");
-	 &mov("eax",&DWP(0,"esi","",0)); # pulled out of X_expand
 
 	&set_label("start") unless $normal;
 
 	&X_expand("esi");
-	 &mov(&swtmp(16),"esi");
+	 &mov(&wparam(1),"esi");
 
+	&set_label("shortcut", 1);
 	&comment("");
 	&comment("Start processing");
 
 	# odd start
 	&mov($A,	&DWP( 0,"ebp","",0));
+	 &mov($B,	&DWP( 4,"ebp","",0));
 	$X="esp";
 	&BODY_00_15(-2,$K[0],$X, 0,$A,$B,$C,$D,$E,$T);
 	&BODY_00_15( 0,$K[0],$X, 1,$T,$A,$B,$C,$D,$E);
@@ -468,24 +513,26 @@ sub sha1_block
 	&add($C,$T);
 
 	 &mov(&DWP( 0,$tmp1,"",0),$A);
-	&mov("esi",&swtmp(16));
-	 &mov(&DWP( 8,$tmp1,"",0),$C);	# This is for looping
+	&mov("esi",&wparam(1));
+	 &mov(&DWP( 8,$tmp1,"",0),$C);
  	&add("esi",64);
 	 &mov("eax",&swtmp(17));
 	&mov(&DWP(16,$tmp1,"",0),$E);
-	 &cmp("eax","esi");
-	&mov(&DWP( 4,$tmp1,"",0),$B);	# This is for looping
-	 &jl(&label("end"));
-	&mov("eax",&DWP(0,"esi","",0));	# Pulled down from 
-	 &jmp(&label("start"));
-
-	&set_label("end");
-	&stack_pop(18);
+	 &cmp("esi","eax");
+	&mov(&DWP( 4,$tmp1,"",0),$B);
+	 &jl(&label("start"));
+
+	&stack_pop(18+9);
 	 &pop("edi");
 	&pop("ebx");
 	 &pop("ebp");
 	&pop("esi");
 	 &ret();
+
+	# it has to reside within sha1_block_asm_host_order body
+	# because it calls &jmp(&label("shortcut"));
+	&sha1_block_host("sha1_block_asm_host_order");
+
 	&function_end_B($name);
 	}
 
diff --git a/lib/libcrypto/sha/sha.h b/lib/libcrypto/sha/sha.h
index cd6960ee1a3..77f6d9695e7 100644
--- a/lib/libcrypto/sha/sha.h
+++ b/lib/libcrypto/sha/sha.h
@@ -63,7 +63,7 @@
 extern "C" {
 #endif
 
-#ifdef NO_SHA
+#if defined(NO_SHA) || (defined(NO_SHA0) && defined(NO_SHA1))
 #error SHA is disabled.
 #endif
 
@@ -100,17 +100,17 @@ typedef struct SHAstate_st
 
 #ifndef NO_SHA0
 void SHA_Init(SHA_CTX *c);
-void SHA_Update(SHA_CTX *c, const unsigned char *data, unsigned long len);
+void SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
 void SHA_Final(unsigned char *md, SHA_CTX *c);
 unsigned char *SHA(const unsigned char *d, unsigned long n,unsigned char *md);
-void SHA_Transform(SHA_CTX *c, unsigned char *data);
+void SHA_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
 #ifndef NO_SHA1
 void SHA1_Init(SHA_CTX *c);
-void SHA1_Update(SHA_CTX *c, const unsigned char *data, unsigned long len);
+void SHA1_Update(SHA_CTX *c, const void *data, unsigned long len);
 void SHA1_Final(unsigned char *md, SHA_CTX *c);
 unsigned char *SHA1(const unsigned char *d, unsigned long n,unsigned char *md);
-void SHA1_Transform(SHA_CTX *c, unsigned char *data);
+void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/sha/sha1dgst.c b/lib/libcrypto/sha/sha1dgst.c
index 66e885dd76d..c09edb4cd7c 100644
--- a/lib/libcrypto/sha/sha1dgst.c
+++ b/lib/libcrypto/sha/sha1dgst.c
@@ -56,443 +56,18 @@
  * [including the GNU Public Licence.]
  */
 
-#include <stdio.h>
-#include <string.h>
+#if !defined(NO_SHA1) && !defined(NO_SHA)
+
 #undef  SHA_0
 #define SHA_1
-#include <openssl/sha.h>
-#include "sha_locl.h"
-#include <openssl/opensslv.h>
-
-#ifndef NO_SHA1
-char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
-
-/* Implemented from SHA-1 document - The Secure Hash Algorithm
- */
-
-#define INIT_DATA_h0 0x67452301UL
-#define INIT_DATA_h1 0xefcdab89UL
-#define INIT_DATA_h2 0x98badcfeUL
-#define INIT_DATA_h3 0x10325476UL
-#define INIT_DATA_h4 0xc3d2e1f0UL
-
-#define K_00_19	0x5a827999UL
-#define K_20_39 0x6ed9eba1UL
-#define K_40_59 0x8f1bbcdcUL
-#define K_60_79 0xca62c1d6UL
-
-#ifdef SHA1_ASM
-   void sha1_block_x86(SHA_CTX *c, register SHA_LONG *p, int num);
-#  define sha1_block(c,p,n) sha1_block_x86((c),(p),(n)*SHA_CBLOCK)
-#else
-   static void sha1_block(SHA_CTX *c, register SHA_LONG *p, int num);
-#endif
-
-#if !defined(B_ENDIAN) && defined(SHA1_ASM)
-#  define	M_c2nl 		c2l
-#  define	M_p_c2nl 	p_c2l
-#  define	M_c2nl_p	c2l_p
-#  define	M_p_c2nl_p	p_c2l_p
-#  define	M_nl2c		l2c
-#else
-#  define	M_c2nl 		c2nl
-#  define	M_p_c2nl	p_c2nl
-#  define	M_c2nl_p	c2nl_p
-#  define	M_p_c2nl_p	p_c2nl_p
-#  define	M_nl2c		nl2c
-#endif
-
-void SHA1_Init(SHA_CTX *c)
-	{
-	c->h0=INIT_DATA_h0;
-	c->h1=INIT_DATA_h1;
-	c->h2=INIT_DATA_h2;
-	c->h3=INIT_DATA_h3;
-	c->h4=INIT_DATA_h4;
-	c->Nl=0;
-	c->Nh=0;
-	c->num=0;
-	}
-
-void SHA1_Update(SHA_CTX *c, register const unsigned char *data,
-	     unsigned long len)
-	{
-	register SHA_LONG *p;
-	int ew,ec,sw,sc;
-	SHA_LONG l;
-
-	if (len == 0) return;
-
-	l=(c->Nl+(len<<3))&0xffffffffL;
-	if (l < c->Nl) /* overflow */
-		c->Nh++;
-	c->Nh+=(len>>29);
-	c->Nl=l;
-
-	if (c->num != 0)
-		{
-		p=c->data;
-		sw=c->num>>2;
-		sc=c->num&0x03;
-
-		if ((c->num+len) >= SHA_CBLOCK)
-			{
-			l= p[sw];
-			M_p_c2nl(data,l,sc);
-			p[sw++]=l;
-			for (; sw<SHA_LBLOCK; sw++)
-				{
-				M_c2nl(data,l);
-				p[sw]=l;
-				}
-			len-=(SHA_CBLOCK-c->num);
-
-			sha1_block(c,p,1);
-			c->num=0;
-			/* drop through and do the rest */
-			}
-		else
-			{
-			c->num+=(int)len;
-			if ((sc+len) < 4) /* ugly, add char's to a word */
-				{
-				l= p[sw];
-				M_p_c2nl_p(data,l,sc,len);
-				p[sw]=l;
-				}
-			else
-				{
-				ew=(c->num>>2);
-				ec=(c->num&0x03);
-				l= p[sw];
-				M_p_c2nl(data,l,sc);
-				p[sw++]=l;
-				for (; sw < ew; sw++)
-					{ M_c2nl(data,l); p[sw]=l; }
-				if (ec)
-					{
-					M_c2nl_p(data,l,ec);
-					p[sw]=l;
-					}
-				}
-			return;
-			}
-		}
-	/* We can only do the following code for assember, the reason
-	 * being that the sha1_block 'C' version changes the values
-	 * in the 'data' array.  The assember code avoids this and
-	 * copies it to a local array.  I should be able to do this for
-	 * the C version as well....
-	 */
-#if SHA_LONG_LOG2==2
-#if defined(B_ENDIAN) || defined(SHA1_ASM)
-	if ((((unsigned long)data)%sizeof(SHA_LONG)) == 0)
-		{
-		sw=len/SHA_CBLOCK;
-		if (sw)
-			{
-			sha1_block(c,(SHA_LONG *)data,sw);
-			sw*=SHA_CBLOCK;
-			data+=sw;
-			len-=sw;
-			}
-		}
-#endif
-#endif
-	/* we now can process the input data in blocks of SHA_CBLOCK
-	 * chars and save the leftovers to c->data. */
-	p=c->data;
-	while (len >= SHA_CBLOCK)
-		{
-#if SHA_LONG_LOG2==2
-#if defined(B_ENDIAN) || defined(SHA1_ASM)
-#define SHA_NO_TAIL_CODE
-		/*
-		 * Basically we get here only when data happens
-		 * to be unaligned.
-		 */
-		if (p != (SHA_LONG *)data)
-			memcpy(p,data,SHA_CBLOCK);
-		data+=SHA_CBLOCK;
-		sha1_block(c,p=c->data,1);
-		len-=SHA_CBLOCK;
-#elif defined(L_ENDIAN)
-#define BE_COPY(dst,src,i)	{				\
-				l = ((SHA_LONG *)src)[i];	\
-				Endian_Reverse32(l);		\
-				dst[i] = l;			\
-				}
-		if ((((unsigned long)data)%sizeof(SHA_LONG)) == 0)
-			{
-			for (sw=(SHA_LBLOCK/4); sw; sw--)
-				{
-				BE_COPY(p,data,0);
-				BE_COPY(p,data,1);
-				BE_COPY(p,data,2);
-				BE_COPY(p,data,3);
-				p+=4;
-				data += 4*sizeof(SHA_LONG);
-				}
-			sha1_block(c,p=c->data,1);
-			len-=SHA_CBLOCK;
-			continue;
-			}
-#endif
-#endif
-#ifndef SHA_NO_TAIL_CODE
-		/*
-		 * In addition to "sizeof(SHA_LONG)!= 4" case the
-		 * following code covers unaligned access cases on
-		 * little-endian machines.
-		 *			<appro@fy.chalmers.se>
-		 */
-		p=c->data;
-		for (sw=(SHA_LBLOCK/4); sw; sw--)
-			{
-			M_c2nl(data,l); p[0]=l;
-			M_c2nl(data,l); p[1]=l;
-			M_c2nl(data,l); p[2]=l;
-			M_c2nl(data,l); p[3]=l;
-			p+=4;
-			}
-		p=c->data;
-		sha1_block(c,p,1);
-		len-=SHA_CBLOCK;
-#endif
-		}
-	ec=(int)len;
-	c->num=ec;
-	ew=(ec>>2);
-	ec&=0x03;
-
-	for (sw=0; sw < ew; sw++)
-		{ M_c2nl(data,l); p[sw]=l; }
-	M_c2nl_p(data,l,ec);
-	p[sw]=l;
-	}
-
-void SHA1_Transform(SHA_CTX *c, unsigned char *b)
-	{
-	SHA_LONG p[SHA_LBLOCK];
-
-#if SHA_LONG_LOG2==2
-#if defined(B_ENDIAN) || defined(SHA1_ASM)
-	memcpy(p,b,SHA_CBLOCK);
-	sha1_block(c,p,1);
-	return;
-#elif defined(L_ENDIAN)
-	if (((unsigned long)b%sizeof(SHA_LONG)) == 0)
-		{
-		SHA_LONG *q;
-		int i;
-
-		q=p;
-		for (i=(SHA_LBLOCK/4); i; i--)
-			{
-			unsigned long l;
-			BE_COPY(q,b,0);	/* BE_COPY was defined above */
-			BE_COPY(q,b,1);
-			BE_COPY(q,b,2);
-			BE_COPY(q,b,3);
-			q+=4;
-			b+=4*sizeof(SHA_LONG);
-			}
-		sha1_block(c,p,1);
-		return;
-		}
-#endif
-#endif
-#ifndef SHA_NO_TAIL_CODE /* defined above, see comment */
-		{
-		SHA_LONG *q;
-		int i;
-	
-		q=p;
-		for (i=(SHA_LBLOCK/4); i; i--)
-			{
-			SHA_LONG l;
-			c2nl(b,l); *(q++)=l;
-			c2nl(b,l); *(q++)=l;
-			c2nl(b,l); *(q++)=l;
-			c2nl(b,l); *(q++)=l; 
-			} 
-		sha1_block(c,p,1);
-		}
-#endif
-	}
-
-#ifndef SHA1_ASM
-static void sha1_block(SHA_CTX *c, register SHA_LONG *W, int num)
-	{
-	register SHA_LONG A,B,C,D,E,T;
-	SHA_LONG X[SHA_LBLOCK];
-
-	A=c->h0;
-	B=c->h1;
-	C=c->h2;
-	D=c->h3;
-	E=c->h4;
 
-	for (;;)
-		{
-	BODY_00_15( 0,A,B,C,D,E,T,W);
-	BODY_00_15( 1,T,A,B,C,D,E,W);
-	BODY_00_15( 2,E,T,A,B,C,D,W);
-	BODY_00_15( 3,D,E,T,A,B,C,W);
-	BODY_00_15( 4,C,D,E,T,A,B,W);
-	BODY_00_15( 5,B,C,D,E,T,A,W);
-	BODY_00_15( 6,A,B,C,D,E,T,W);
-	BODY_00_15( 7,T,A,B,C,D,E,W);
-	BODY_00_15( 8,E,T,A,B,C,D,W);
-	BODY_00_15( 9,D,E,T,A,B,C,W);
-	BODY_00_15(10,C,D,E,T,A,B,W);
-	BODY_00_15(11,B,C,D,E,T,A,W);
-	BODY_00_15(12,A,B,C,D,E,T,W);
-	BODY_00_15(13,T,A,B,C,D,E,W);
-	BODY_00_15(14,E,T,A,B,C,D,W);
-	BODY_00_15(15,D,E,T,A,B,C,W);
-	BODY_16_19(16,C,D,E,T,A,B,W,W,W,W);
-	BODY_16_19(17,B,C,D,E,T,A,W,W,W,W);
-	BODY_16_19(18,A,B,C,D,E,T,W,W,W,W);
-	BODY_16_19(19,T,A,B,C,D,E,W,W,W,X);
-
-	BODY_20_31(20,E,T,A,B,C,D,W,W,W,X);
-	BODY_20_31(21,D,E,T,A,B,C,W,W,W,X);
-	BODY_20_31(22,C,D,E,T,A,B,W,W,W,X);
-	BODY_20_31(23,B,C,D,E,T,A,W,W,W,X);
-	BODY_20_31(24,A,B,C,D,E,T,W,W,X,X);
-	BODY_20_31(25,T,A,B,C,D,E,W,W,X,X);
-	BODY_20_31(26,E,T,A,B,C,D,W,W,X,X);
-	BODY_20_31(27,D,E,T,A,B,C,W,W,X,X);
-	BODY_20_31(28,C,D,E,T,A,B,W,W,X,X);
-	BODY_20_31(29,B,C,D,E,T,A,W,W,X,X);
-	BODY_20_31(30,A,B,C,D,E,T,W,X,X,X);
-	BODY_20_31(31,T,A,B,C,D,E,W,X,X,X);
-	BODY_32_39(32,E,T,A,B,C,D,X);
-	BODY_32_39(33,D,E,T,A,B,C,X);
-	BODY_32_39(34,C,D,E,T,A,B,X);
-	BODY_32_39(35,B,C,D,E,T,A,X);
-	BODY_32_39(36,A,B,C,D,E,T,X);
-	BODY_32_39(37,T,A,B,C,D,E,X);
-	BODY_32_39(38,E,T,A,B,C,D,X);
-	BODY_32_39(39,D,E,T,A,B,C,X);
-
-	BODY_40_59(40,C,D,E,T,A,B,X);
-	BODY_40_59(41,B,C,D,E,T,A,X);
-	BODY_40_59(42,A,B,C,D,E,T,X);
-	BODY_40_59(43,T,A,B,C,D,E,X);
-	BODY_40_59(44,E,T,A,B,C,D,X);
-	BODY_40_59(45,D,E,T,A,B,C,X);
-	BODY_40_59(46,C,D,E,T,A,B,X);
-	BODY_40_59(47,B,C,D,E,T,A,X);
-	BODY_40_59(48,A,B,C,D,E,T,X);
-	BODY_40_59(49,T,A,B,C,D,E,X);
-	BODY_40_59(50,E,T,A,B,C,D,X);
-	BODY_40_59(51,D,E,T,A,B,C,X);
-	BODY_40_59(52,C,D,E,T,A,B,X);
-	BODY_40_59(53,B,C,D,E,T,A,X);
-	BODY_40_59(54,A,B,C,D,E,T,X);
-	BODY_40_59(55,T,A,B,C,D,E,X);
-	BODY_40_59(56,E,T,A,B,C,D,X);
-	BODY_40_59(57,D,E,T,A,B,C,X);
-	BODY_40_59(58,C,D,E,T,A,B,X);
-	BODY_40_59(59,B,C,D,E,T,A,X);
-
-	BODY_60_79(60,A,B,C,D,E,T,X);
-	BODY_60_79(61,T,A,B,C,D,E,X);
-	BODY_60_79(62,E,T,A,B,C,D,X);
-	BODY_60_79(63,D,E,T,A,B,C,X);
-	BODY_60_79(64,C,D,E,T,A,B,X);
-	BODY_60_79(65,B,C,D,E,T,A,X);
-	BODY_60_79(66,A,B,C,D,E,T,X);
-	BODY_60_79(67,T,A,B,C,D,E,X);
-	BODY_60_79(68,E,T,A,B,C,D,X);
-	BODY_60_79(69,D,E,T,A,B,C,X);
-	BODY_60_79(70,C,D,E,T,A,B,X);
-	BODY_60_79(71,B,C,D,E,T,A,X);
-	BODY_60_79(72,A,B,C,D,E,T,X);
-	BODY_60_79(73,T,A,B,C,D,E,X);
-	BODY_60_79(74,E,T,A,B,C,D,X);
-	BODY_60_79(75,D,E,T,A,B,C,X);
-	BODY_60_79(76,C,D,E,T,A,B,X);
-	BODY_60_79(77,B,C,D,E,T,A,X);
-	BODY_60_79(78,A,B,C,D,E,T,X);
-	BODY_60_79(79,T,A,B,C,D,E,X);
-	
-	c->h0=(c->h0+E)&0xffffffffL; 
-	c->h1=(c->h1+T)&0xffffffffL;
-	c->h2=(c->h2+A)&0xffffffffL;
-	c->h3=(c->h3+B)&0xffffffffL;
-	c->h4=(c->h4+C)&0xffffffffL;
-
-	if (--num <= 0) break;
+#include <openssl/opensslv.h>
 
-	A=c->h0;
-	B=c->h1;
-	C=c->h2;
-	D=c->h3;
-	E=c->h4;
+const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
 
-	W+=SHA_LBLOCK;	/* Note! This can happen only when sizeof(SHA_LONG)
-			 * is 4. Whenever it's not the actual case this
-			 * function is never called with num larger than 1
-			 * and we never advance down here.
-			 *			<appro@fy.chalmers.se>
-			 */
-		}
-	}
-#endif
+/* The implementation is in ../md32_common.h */
 
-void SHA1_Final(unsigned char *md, SHA_CTX *c)
-	{
-	register int i,j;
-	register SHA_LONG l;
-	register SHA_LONG *p;
-	static unsigned char end[4]={0x80,0x00,0x00,0x00};
-	unsigned char *cp=end;
-
-	/* c->num should definitly have room for at least one more byte. */
-	p=c->data;
-	j=c->num;
-	i=j>>2;
-#ifdef PURIFY
-	if ((j&0x03) == 0) p[i]=0;
-#endif
-	l=p[i];
-	M_p_c2nl(cp,l,j&0x03);
-	p[i]=l;
-	i++;
-	/* i is the next 'undefined word' */
-	if (c->num >= SHA_LAST_BLOCK)
-		{
-		for (; i<SHA_LBLOCK; i++)
-			p[i]=0;
-		sha1_block(c,p,1);
-		i=0;
-		}
-	for (; i<(SHA_LBLOCK-2); i++)
-		p[i]=0;
-	p[SHA_LBLOCK-2]=c->Nh;
-	p[SHA_LBLOCK-1]=c->Nl;
-#if SHA_LONG_LOG2==2
-#if !defined(B_ENDIAN) && defined(SHA1_ASM)
-	Endian_Reverse32(p[SHA_LBLOCK-2]);
-	Endian_Reverse32(p[SHA_LBLOCK-1]);
-#endif
-#endif
-	sha1_block(c,p,1);
-	cp=md;
-	l=c->h0; nl2c(l,cp);
-	l=c->h1; nl2c(l,cp);
-	l=c->h2; nl2c(l,cp);
-	l=c->h3; nl2c(l,cp);
-	l=c->h4; nl2c(l,cp);
+#include "sha_locl.h"
 
-	c->num=0;
-	/* sha_block may be leaving some stuff on the stack
-	 * but I'm not worried :-)
-	memset((void *)c,0,sizeof(SHA_CTX));
-	 */
-	}
 #endif
 
diff --git a/lib/libcrypto/sha/sha1s.cpp b/lib/libcrypto/sha/sha1s.cpp
index 3103e1871bb..af23d1e0f21 100644
--- a/lib/libcrypto/sha/sha1s.cpp
+++ b/lib/libcrypto/sha/sha1s.cpp
@@ -34,6 +34,7 @@ void GetTSC(unsigned long& tsc)
 #include <stdlib.h>
 #include <openssl/sha.h>
 
+#define sha1_block_x86 sha1_block_asm_data_order
 extern "C" {
 void sha1_block_x86(SHA_CTX *ctx, unsigned char *buffer,int num);
 }
@@ -55,8 +56,10 @@ void main(int argc,char *argv[])
 	if (num == 0) num=16;
 	if (num > 250) num=16;
 	numm=num+2;
+#if 0
 	num*=64;
 	numm*=64;
+#endif
 
 	for (j=0; j<6; j++)
 		{
@@ -72,7 +75,7 @@ void main(int argc,char *argv[])
 			sha1_block_x86(&ctx,buffer,num);
 			}
 
-		printf("sha1 (%d bytes) %d %d (%.2f)\n",num,
+		printf("sha1 (%d bytes) %d %d (%.2f)\n",num*64,
 			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
 		}
 	}
diff --git a/lib/libcrypto/sha/sha1test.c b/lib/libcrypto/sha/sha1test.c
index 9400ad2a61f..688d06c6374 100644
--- a/lib/libcrypto/sha/sha1test.c
+++ b/lib/libcrypto/sha/sha1test.c
@@ -76,26 +76,26 @@ int main(int argc, char *argv[])
 #undef SHA_0 /* FIPS 180 */
 #define  SHA_1 /* FIPS 180-1 */
 
-char *test[]={
+static char *test[]={
 	"abc",
 	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 	NULL,
 	};
 
 #ifdef SHA_0
-char *ret[]={
+static char *ret[]={
 	"0164b8a914cd2a5e74c4f7ff082c4d97f1edf880",
 	"d2516ee1acfa5baf33dfc1c471e438449ef134c8",
 	};
-char *bigret=
+static char *bigret=
 	"3232affa48628a26653b5aaa44541fd90d690603";
 #endif
 #ifdef SHA_1
-char *ret[]={
+static char *ret[]={
 	"a9993e364706816aba3e25717850c26c9cd0d89d",
 	"84983e441c3bd26ebaae4aa1f95129e5e54670f1",
 	};
-char *bigret=
+static char *bigret=
 	"34aa973cd4c4daa4f61eeb2bdbad27316534016f";
 #endif
 
diff --git a/lib/libcrypto/sha/sha_dgst.c b/lib/libcrypto/sha/sha_dgst.c
index 4df535360f3..894a96274af 100644
--- a/lib/libcrypto/sha/sha_dgst.c
+++ b/lib/libcrypto/sha/sha_dgst.c
@@ -1,4 +1,4 @@
-/* crypto/sha/sha_dgst.c */
+/* crypto/sha/sha1dgst.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,437 +56,18 @@
  * [including the GNU Public Licence.]
  */
 
-#include <stdio.h>
-#include <string.h>
-#define  SHA_0
-#undef SHA_1
-#include <openssl/sha.h>
-#include "sha_locl.h"
-#include <openssl/opensslv.h>
-
-#ifndef NO_SHA0
-char *SHA_version="SHA" OPENSSL_VERSION_PTEXT;
-
-/* Implemented from SHA-0 document - The Secure Hash Algorithm
- */
-
-#define INIT_DATA_h0 0x67452301UL
-#define INIT_DATA_h1 0xefcdab89UL
-#define INIT_DATA_h2 0x98badcfeUL
-#define INIT_DATA_h3 0x10325476UL
-#define INIT_DATA_h4 0xc3d2e1f0UL
-
-#define K_00_19	0x5a827999UL
-#define K_20_39 0x6ed9eba1UL
-#define K_40_59 0x8f1bbcdcUL
-#define K_60_79 0xca62c1d6UL
-
-static void sha_block(SHA_CTX *c, register SHA_LONG *p, int num);
-
-#if !defined(B_ENDIAN) && defined(SHA_ASM)
-#  define	M_c2nl 		c2l
-#  define	M_p_c2nl 	p_c2l
-#  define	M_c2nl_p	c2l_p
-#  define	M_p_c2nl_p	p_c2l_p
-#  define	M_nl2c		l2c
-#else
-#  define	M_c2nl 		c2nl
-#  define	M_p_c2nl	p_c2nl
-#  define	M_c2nl_p	c2nl_p
-#  define	M_p_c2nl_p	p_c2nl_p
-#  define	M_nl2c		nl2c
-#endif
-
-void SHA_Init(SHA_CTX *c)
-	{
-	c->h0=INIT_DATA_h0;
-	c->h1=INIT_DATA_h1;
-	c->h2=INIT_DATA_h2;
-	c->h3=INIT_DATA_h3;
-	c->h4=INIT_DATA_h4;
-	c->Nl=0;
-	c->Nh=0;
-	c->num=0;
-	}
+#if !defined(NO_SHA0) && !defined(NO_SHA)
 
-void SHA_Update(SHA_CTX *c, register const unsigned char *data,
-		unsigned long len)
-	{
-	register SHA_LONG *p;
-	int ew,ec,sw,sc;
-	SHA_LONG l;
-
-	if (len == 0) return;
-
-	l=(c->Nl+(len<<3))&0xffffffffL;
-	if (l < c->Nl) /* overflow */
-		c->Nh++;
-	c->Nh+=(len>>29);
-	c->Nl=l;
-
-	if (c->num != 0)
-		{
-		p=c->data;
-		sw=c->num>>2;
-		sc=c->num&0x03;
-
-		if ((c->num+len) >= SHA_CBLOCK)
-			{
-			l= p[sw];
-			M_p_c2nl(data,l,sc);
-			p[sw++]=l;
-			for (; sw<SHA_LBLOCK; sw++)
-				{
-				M_c2nl(data,l);
-				p[sw]=l;
-				}
-			len-=(SHA_CBLOCK-c->num);
-
-			sha_block(c,p,1);
-			c->num=0;
-			/* drop through and do the rest */
-			}
-		else
-			{
-			c->num+=(int)len;
-			if ((sc+len) < 4) /* ugly, add char's to a word */
-				{
-				l= p[sw];
-				M_p_c2nl_p(data,l,sc,len);
-				p[sw]=l;
-				}
-			else
-				{
-				ew=(c->num>>2);
-				ec=(c->num&0x03);
-				l= p[sw];
-				M_p_c2nl(data,l,sc);
-				p[sw++]=l;
-				for (; sw < ew; sw++)
-					{ M_c2nl(data,l); p[sw]=l; }
-				if (ec)
-					{
-					M_c2nl_p(data,l,ec);
-					p[sw]=l;
-					}
-				}
-			return;
-			}
-		}
-	/* We can only do the following code for assember, the reason
-	 * being that the sha_block 'C' version changes the values
-	 * in the 'data' array.  The assember code avoids this and
-	 * copies it to a local array.  I should be able to do this for
-	 * the C version as well....
-	 */
-#if SHA_LONG_LOG2==2
-#if defined(B_ENDIAN) || defined(SHA_ASM)
-	if ((((unsigned long)data)%sizeof(SHA_LONG)) == 0)
-		{
-		sw=len/SHA_CBLOCK;
-		if (sw)
-			{
-			sha_block(c,(SHA_LONG *)data,sw);
-			sw*=SHA_CBLOCK;
-			data+=sw;
-			len-=sw;
-			}
-		}
-#endif
-#endif
-	/* we now can process the input data in blocks of SHA_CBLOCK
-	 * chars and save the leftovers to c->data. */
-	p=c->data;
-	while (len >= SHA_CBLOCK)
-		{
-#if SHA_LONG_LOG2==2
-#if defined(B_ENDIAN) || defined(SHA_ASM)
-#define SHA_NO_TAIL_CODE
-		/*
-		 * Basically we get here only when data happens
-		 * to be unaligned.
-		 */
-		if (p != (SHA_LONG *)data)
-			memcpy(p,data,SHA_CBLOCK);
-		data+=SHA_CBLOCK;
-		sha_block(c,p=c->data,1);
-		len-=SHA_CBLOCK;
-#elif defined(L_ENDIAN)
-#define BE_COPY(dst,src,i)	{				\
-				l = ((SHA_LONG *)src)[i];	\
-				Endian_Reverse32(l);		\
-				dst[i] = l;			\
-				}
-		if ((((unsigned long)data)%sizeof(SHA_LONG)) == 0)
-			{
-			for (sw=(SHA_LBLOCK/4); sw; sw--)
-				{
-				BE_COPY(p,data,0);
-				BE_COPY(p,data,1);
-				BE_COPY(p,data,2);
-				BE_COPY(p,data,3);
-				p+=4;
-				data += 4*sizeof(SHA_LONG);
-				}
-			sha_block(c,p=c->data,1);
-			len-=SHA_CBLOCK;
-			continue;
-			}
-#endif
-#endif
-#ifndef SHA_NO_TAIL_CODE
-		/*
-		 * In addition to "sizeof(SHA_LONG)!= 4" case the
-		 * following code covers unaligned access cases on
-		 * little-endian machines.
-		 *			<appro@fy.chalmers.se>
-		 */
-		p=c->data;
-		for (sw=(SHA_LBLOCK/4); sw; sw--)
-			{
-			M_c2nl(data,l); p[0]=l;
-			M_c2nl(data,l); p[1]=l;
-			M_c2nl(data,l); p[2]=l;
-			M_c2nl(data,l); p[3]=l;
-			p+=4;
-			}
-		p=c->data;
-		sha_block(c,p,1);
-		len-=SHA_CBLOCK;
-#endif
-		}
-	ec=(int)len;
-	c->num=ec;
-	ew=(ec>>2);
-	ec&=0x03;
+#undef  SHA_1
+#define SHA_0
 
-	for (sw=0; sw < ew; sw++)
-		{ M_c2nl(data,l); p[sw]=l; }
-	M_c2nl_p(data,l,ec);
-	p[sw]=l;
-	}
-
-void SHA_Transform(SHA_CTX *c, unsigned char *b)
-	{
-	SHA_LONG p[SHA_LBLOCK];
-
-#if SHA_LONG_LOG2==2
-#if defined(B_ENDIAN) || defined(SHA_ASM)
-	memcpy(p,b,SHA_CBLOCK);
-	sha_block(c,p,1);
-	return;
-#elif defined(L_ENDIAN)
-	if (((unsigned long)b%sizeof(SHA_LONG)) == 0)
-		{
-		SHA_LONG *q;
-		int i;
-
-		q=p;
-		for (i=(SHA_LBLOCK/4); i; i--)
-			{
-			unsigned long l;
-			BE_COPY(q,b,0);	/* BE_COPY was defined above */
-			BE_COPY(q,b,1);
-			BE_COPY(q,b,2);
-			BE_COPY(q,b,3);
-			q+=4;
-			b+=4*sizeof(SHA_LONG);
-			}
-		sha_block(c,p,1);
-		return;
-		}
-#endif
-#endif
-#ifndef SHA_NO_TAIL_CODE /* defined above, see comment */
-		{
-		SHA_LONG *q;
-		int i;
-
-		q=p;
-		for (i=(SHA_LBLOCK/4); i; i--)
-			{
-			SHA_LONG l;
-			c2nl(b,l); *(q++)=l;
-			c2nl(b,l); *(q++)=l;
-			c2nl(b,l); *(q++)=l;
-			c2nl(b,l); *(q++)=l; 
-			} 
-		sha_block(c,p,1);
-		}
-#endif
-	}
-
-#ifndef SHA_ASM
-static void sha_block(SHA_CTX *c, register SHA_LONG *W, int num)
-	{
-	register SHA_LONG A,B,C,D,E,T;
-	SHA_LONG X[SHA_LBLOCK];
-
-	A=c->h0;
-	B=c->h1;
-	C=c->h2;
-	D=c->h3;
-	E=c->h4;
-
-	for (;;)
-		{
-	BODY_00_15( 0,A,B,C,D,E,T,W);
-	BODY_00_15( 1,T,A,B,C,D,E,W);
-	BODY_00_15( 2,E,T,A,B,C,D,W);
-	BODY_00_15( 3,D,E,T,A,B,C,W);
-	BODY_00_15( 4,C,D,E,T,A,B,W);
-	BODY_00_15( 5,B,C,D,E,T,A,W);
-	BODY_00_15( 6,A,B,C,D,E,T,W);
-	BODY_00_15( 7,T,A,B,C,D,E,W);
-	BODY_00_15( 8,E,T,A,B,C,D,W);
-	BODY_00_15( 9,D,E,T,A,B,C,W);
-	BODY_00_15(10,C,D,E,T,A,B,W);
-	BODY_00_15(11,B,C,D,E,T,A,W);
-	BODY_00_15(12,A,B,C,D,E,T,W);
-	BODY_00_15(13,T,A,B,C,D,E,W);
-	BODY_00_15(14,E,T,A,B,C,D,W);
-	BODY_00_15(15,D,E,T,A,B,C,W);
-	BODY_16_19(16,C,D,E,T,A,B,W,W,W,W);
-	BODY_16_19(17,B,C,D,E,T,A,W,W,W,W);
-	BODY_16_19(18,A,B,C,D,E,T,W,W,W,W);
-	BODY_16_19(19,T,A,B,C,D,E,W,W,W,X);
-
-	BODY_20_31(20,E,T,A,B,C,D,W,W,W,X);
-	BODY_20_31(21,D,E,T,A,B,C,W,W,W,X);
-	BODY_20_31(22,C,D,E,T,A,B,W,W,W,X);
-	BODY_20_31(23,B,C,D,E,T,A,W,W,W,X);
-	BODY_20_31(24,A,B,C,D,E,T,W,W,X,X);
-	BODY_20_31(25,T,A,B,C,D,E,W,W,X,X);
-	BODY_20_31(26,E,T,A,B,C,D,W,W,X,X);
-	BODY_20_31(27,D,E,T,A,B,C,W,W,X,X);
-	BODY_20_31(28,C,D,E,T,A,B,W,W,X,X);
-	BODY_20_31(29,B,C,D,E,T,A,W,W,X,X);
-	BODY_20_31(30,A,B,C,D,E,T,W,X,X,X);
-	BODY_20_31(31,T,A,B,C,D,E,W,X,X,X);
-	BODY_32_39(32,E,T,A,B,C,D,X);
-	BODY_32_39(33,D,E,T,A,B,C,X);
-	BODY_32_39(34,C,D,E,T,A,B,X);
-	BODY_32_39(35,B,C,D,E,T,A,X);
-	BODY_32_39(36,A,B,C,D,E,T,X);
-	BODY_32_39(37,T,A,B,C,D,E,X);
-	BODY_32_39(38,E,T,A,B,C,D,X);
-	BODY_32_39(39,D,E,T,A,B,C,X);
-
-	BODY_40_59(40,C,D,E,T,A,B,X);
-	BODY_40_59(41,B,C,D,E,T,A,X);
-	BODY_40_59(42,A,B,C,D,E,T,X);
-	BODY_40_59(43,T,A,B,C,D,E,X);
-	BODY_40_59(44,E,T,A,B,C,D,X);
-	BODY_40_59(45,D,E,T,A,B,C,X);
-	BODY_40_59(46,C,D,E,T,A,B,X);
-	BODY_40_59(47,B,C,D,E,T,A,X);
-	BODY_40_59(48,A,B,C,D,E,T,X);
-	BODY_40_59(49,T,A,B,C,D,E,X);
-	BODY_40_59(50,E,T,A,B,C,D,X);
-	BODY_40_59(51,D,E,T,A,B,C,X);
-	BODY_40_59(52,C,D,E,T,A,B,X);
-	BODY_40_59(53,B,C,D,E,T,A,X);
-	BODY_40_59(54,A,B,C,D,E,T,X);
-	BODY_40_59(55,T,A,B,C,D,E,X);
-	BODY_40_59(56,E,T,A,B,C,D,X);
-	BODY_40_59(57,D,E,T,A,B,C,X);
-	BODY_40_59(58,C,D,E,T,A,B,X);
-	BODY_40_59(59,B,C,D,E,T,A,X);
-
-	BODY_60_79(60,A,B,C,D,E,T,X);
-	BODY_60_79(61,T,A,B,C,D,E,X);
-	BODY_60_79(62,E,T,A,B,C,D,X);
-	BODY_60_79(63,D,E,T,A,B,C,X);
-	BODY_60_79(64,C,D,E,T,A,B,X);
-	BODY_60_79(65,B,C,D,E,T,A,X);
-	BODY_60_79(66,A,B,C,D,E,T,X);
-	BODY_60_79(67,T,A,B,C,D,E,X);
-	BODY_60_79(68,E,T,A,B,C,D,X);
-	BODY_60_79(69,D,E,T,A,B,C,X);
-	BODY_60_79(70,C,D,E,T,A,B,X);
-	BODY_60_79(71,B,C,D,E,T,A,X);
-	BODY_60_79(72,A,B,C,D,E,T,X);
-	BODY_60_79(73,T,A,B,C,D,E,X);
-	BODY_60_79(74,E,T,A,B,C,D,X);
-	BODY_60_79(75,D,E,T,A,B,C,X);
-	BODY_60_79(76,C,D,E,T,A,B,X);
-	BODY_60_79(77,B,C,D,E,T,A,X);
-	BODY_60_79(78,A,B,C,D,E,T,X);
-	BODY_60_79(79,T,A,B,C,D,E,X);
-	
-	c->h0=(c->h0+E)&0xffffffffL; 
-	c->h1=(c->h1+T)&0xffffffffL;
-	c->h2=(c->h2+A)&0xffffffffL;
-	c->h3=(c->h3+B)&0xffffffffL;
-	c->h4=(c->h4+C)&0xffffffffL;
-
-	if (--num <= 0) break;
+#include <openssl/opensslv.h>
 
-	A=c->h0;
-	B=c->h1;
-	C=c->h2;
-	D=c->h3;
-	E=c->h4;
+const char *SHA_version="SHA" OPENSSL_VERSION_PTEXT;
 
-	W+=SHA_LBLOCK;	/* Note! This can happen only when sizeof(SHA_LONG)
-			 * is 4. Whenever it's not the actual case this
-			 * function is never called with num larger than 1
-			 * and we never advance down here.
-			 *			<appro@fy.chalmers.se>
-			 */
-		}
-	}
-#endif
+/* The implementation is in ../md32_common.h */
 
-void SHA_Final(unsigned char *md, SHA_CTX *c)
-	{
-	register int i,j;
-	register SHA_LONG l;
-	register SHA_LONG *p;
-	static unsigned char end[4]={0x80,0x00,0x00,0x00};
-	unsigned char *cp=end;
+#include "sha_locl.h"
 
-	/* c->num should definitly have room for at least one more byte. */
-	p=c->data;
-	j=c->num;
-	i=j>>2;
-#ifdef PURIFY
-	if ((j&0x03) == 0) p[i]=0;
-#endif
-	l=p[i];
-	M_p_c2nl(cp,l,j&0x03);
-	p[i]=l;
-	i++;
-	/* i is the next 'undefined word' */
-	if (c->num >= SHA_LAST_BLOCK)
-		{
-		for (; i<SHA_LBLOCK; i++)
-			p[i]=0;
-		sha_block(c,p,1);
-		i=0;
-		}
-	for (; i<(SHA_LBLOCK-2); i++)
-		p[i]=0;
-	p[SHA_LBLOCK-2]=c->Nh;
-	p[SHA_LBLOCK-1]=c->Nl;
-#if SHA_LONG_LOG2==2
-#if !defined(B_ENDIAN) && defined(SHA_ASM)
-	Endian_Reverse32(p[SHA_LBLOCK-2]);
-	Endian_Reverse32(p[SHA_LBLOCK-1]);
 #endif
-#endif
-	sha_block(c,p,1);
-	cp=md;
-	l=c->h0; nl2c(l,cp);
-	l=c->h1; nl2c(l,cp);
-	l=c->h2; nl2c(l,cp);
-	l=c->h3; nl2c(l,cp);
-	l=c->h4; nl2c(l,cp);
 
-	c->num=0;
-	/* sha_block may be leaving some stuff on the stack
-	 * but I'm not worried :-)
-	memset((void *)c,0,sizeof(SHA_CTX));
-	 */
-	}
-#endif
diff --git a/lib/libcrypto/sha/sha_locl.h b/lib/libcrypto/sha/sha_locl.h
index 6646a8915b7..3e6f489b876 100644
--- a/lib/libcrypto/sha/sha_locl.h
+++ b/lib/libcrypto/sha/sha_locl.h
@@ -60,180 +60,105 @@
 #include <string.h>
 
 #include <openssl/opensslconf.h>
-
-#ifdef undef
-/* one or the other needs to be defined */
-#ifndef SHA_1 /* FIPE 180-1 */
-#define SHA_0 /* FIPS 180   */
-#endif
-#endif
-
-#undef c2nl
-#define c2nl(c,l)	(l =(((unsigned long)(*((c)++)))<<24), \
-			 l|=(((unsigned long)(*((c)++)))<<16), \
-			 l|=(((unsigned long)(*((c)++)))<< 8), \
-			 l|=(((unsigned long)(*((c)++)))    ))
-
-#undef p_c2nl
-#define p_c2nl(c,l,n)	{ \
-			switch (n) { \
-			case 0: l =((unsigned long)(*((c)++)))<<24; \
-			case 1: l|=((unsigned long)(*((c)++)))<<16; \
-			case 2: l|=((unsigned long)(*((c)++)))<< 8; \
-			case 3: l|=((unsigned long)(*((c)++))); \
-				} \
-			}
-
-#undef c2nl_p
-/* NOTE the pointer is not incremented at the end of this */
-#define c2nl_p(c,l,n)	{ \
-			l=0; \
-			(c)+=n; \
-			switch (n) { \
-			case 3: l =((unsigned long)(*(--(c))))<< 8; \
-			case 2: l|=((unsigned long)(*(--(c))))<<16; \
-			case 1: l|=((unsigned long)(*(--(c))))<<24; \
-				} \
-			}
-
-#undef p_c2nl_p
-#define p_c2nl_p(c,l,sc,len) { \
-			switch (sc) \
-				{ \
-			case 0: l =((unsigned long)(*((c)++)))<<24; \
-				if (--len == 0) break; \
-			case 1: l|=((unsigned long)(*((c)++)))<<16; \
-				if (--len == 0) break; \
-			case 2: l|=((unsigned long)(*((c)++)))<< 8; \
-				} \
-			}
-
-#undef nl2c
-#define nl2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-			 *((c)++)=(unsigned char)(((l)    )&0xff))
-
-#undef c2l
-#define c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ), \
-			 l|=(((unsigned long)(*((c)++)))<< 8), \
-			 l|=(((unsigned long)(*((c)++)))<<16), \
-			 l|=(((unsigned long)(*((c)++)))<<24))
-
-#undef p_c2l
-#define p_c2l(c,l,n)	{ \
-			switch (n) { \
-			case 0: l =((unsigned long)(*((c)++))); \
-			case 1: l|=((unsigned long)(*((c)++)))<< 8; \
-			case 2: l|=((unsigned long)(*((c)++)))<<16; \
-			case 3: l|=((unsigned long)(*((c)++)))<<24; \
-				} \
-			}
-
-#undef c2l_p
-/* NOTE the pointer is not incremented at the end of this */
-#define c2l_p(c,l,n)	{ \
-			l=0; \
-			(c)+=n; \
-			switch (n) { \
-			case 3: l =((unsigned long)(*(--(c))))<<16; \
-			case 2: l|=((unsigned long)(*(--(c))))<< 8; \
-			case 1: l|=((unsigned long)(*(--(c)))); \
-				} \
-			}
-
-#undef p_c2l_p
-#define p_c2l_p(c,l,sc,len) { \
-			switch (sc) \
-				{ \
-			case 0: l =((unsigned long)(*((c)++))); \
-				if (--len == 0) break; \
-			case 1: l|=((unsigned long)(*((c)++)))<< 8; \
-				if (--len == 0) break; \
-			case 2: l|=((unsigned long)(*((c)++)))<<16; \
-				} \
-			}
-
-#undef l2c
-#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff), \
-			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-			 *((c)++)=(unsigned char)(((l)>>24)&0xff))
+#include <openssl/sha.h>
 
 #ifndef SHA_LONG_LOG2
 #define SHA_LONG_LOG2	2	/* default to 32 bits */
 #endif
 
-#undef ROTATE
-#undef Endian_Reverse32
-#if defined(WIN32)
-#define ROTATE(a,n)     _lrotl(a,n)
-#elif defined(__GNUC__) && !defined(PEDANTIC)
-/* some inline assembler templates by <appro@fy.chalmers.se> */
-#if defined(__i386) && !defined(NO_ASM)
-#define ROTATE(a,n)	({ register unsigned int ret;	\
-				asm ("roll %1,%0"	\
-				: "=r"(ret)		\
-				: "I"(n), "0"(a)	\
-				: "cc");		\
-			   ret;				\
-			})
-#ifndef I386_ONLY
-#define Endian_Reverse32(a) \
-			{ register unsigned int ltmp=(a);	\
-				asm ("bswapl %0"	\
-				: "=r"(ltmp) : "0"(ltmp));	\
-			  (a)=ltmp;			\
-			}
-#endif
-#elif defined(__powerpc)
-#define ROTATE(a,n)	({ register unsigned int ret;		\
-				asm ("rlwinm %0,%1,%2,0,31"	\
-				: "=r"(ret)			\
-				: "r"(a), "I"(n));		\
-			   ret;					\
-			})
-/* Endian_Reverse32 is not needed for PowerPC */
-#endif
-#endif
+#define DATA_ORDER_IS_BIG_ENDIAN
+
+#define HASH_LONG               SHA_LONG
+#define HASH_LONG_LOG2          SHA_LONG_LOG2
+#define HASH_CTX                SHA_CTX
+#define HASH_CBLOCK             SHA_CBLOCK
+#define HASH_LBLOCK             SHA_LBLOCK
+#define HASH_MAKE_STRING(c,s)   do {	\
+	unsigned long ll;		\
+	ll=(c)->h0; HOST_l2c(ll,(s));	\
+	ll=(c)->h1; HOST_l2c(ll,(s));	\
+	ll=(c)->h2; HOST_l2c(ll,(s));	\
+	ll=(c)->h3; HOST_l2c(ll,(s));	\
+	ll=(c)->h4; HOST_l2c(ll,(s));	\
+	} while (0)
+
+#if defined(SHA_0)
+
+# define HASH_UPDATE             	SHA_Update
+# define HASH_TRANSFORM          	SHA_Transform
+# define HASH_FINAL              	SHA_Final
+# define HASH_INIT			SHA_Init
+# define HASH_BLOCK_HOST_ORDER   	sha_block_host_order
+# define HASH_BLOCK_DATA_ORDER   	sha_block_data_order
+# define Xupdate(a,ix,ia,ib,ic,id)	(ix=(a)=(ia^ib^ic^id))
+
+  void sha_block_host_order (SHA_CTX *c, const void *p,int num);
+  void sha_block_data_order (SHA_CTX *c, const void *p,int num);
+
+#elif defined(SHA_1)
+
+# define HASH_UPDATE             	SHA1_Update
+# define HASH_TRANSFORM          	SHA1_Transform
+# define HASH_FINAL              	SHA1_Final
+# define HASH_INIT			SHA1_Init
+# define HASH_BLOCK_HOST_ORDER   	sha1_block_host_order
+# define HASH_BLOCK_DATA_ORDER   	sha1_block_data_order
+# if defined(__MWERKS__) && defined(__MC68K__)
+   /* Metrowerks for Motorola fails otherwise:-( <appro@fy.chalmers.se> */
+#  define Xupdate(a,ix,ia,ib,ic,id)	do { (a)=(ia^ib^ic^id);		\
+					     ix=(a)=ROTATE((a),1);	\
+					} while (0)
+# else
+#  define Xupdate(a,ix,ia,ib,ic,id)	( (a)=(ia^ib^ic^id),	\
+					  ix=(a)=ROTATE((a),1)	\
+					)
+# endif
+
+# ifdef SHA1_ASM
+#  if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#   define sha1_block_host_order		sha1_block_asm_host_order
+#   define DONT_IMPLEMENT_BLOCK_HOST_ORDER
+#   define sha1_block_data_order		sha1_block_asm_data_order
+#   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
+#   define HASH_BLOCK_DATA_ORDER_ALIGNED	sha1_block_asm_data_order
+#  endif
+# endif
+  void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
+  void sha1_block_data_order (SHA_CTX *c, const void *p,int num);
 
-/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
-#ifdef ROTATE
-#ifndef Endian_Reverse32
-/* 5 instructions with rotate instruction, else 9 */
-#define Endian_Reverse32(a) \
-	{ \
-	unsigned long t=(a); \
-	(a)=((ROTATE(t,8)&0x00FF00FF)|(ROTATE((t&0x00FF00FF),24))); \
-	}
-#endif
 #else
-#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
-#ifndef Endian_Reverse32
-/* 6 instructions with rotate instruction, else 8 */
-#define Endian_Reverse32(a) \
-	{ \
-	unsigned long t=(a); \
-	t=(((t>>8)&0x00FF00FF)|((t&0x00FF00FF)<<8)); \
-	(a)=ROTATE(t,16); \
-	}
+# error "Either SHA_0 or SHA_1 must be defined."
 #endif
-/*
- * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
- * It's rewritten as above for two reasons:
- *	- RISCs aren't good at long constants and have to explicitely
- *	  compose 'em with several (well, usually 2) instructions in a
- *	  register before performing the actual operation and (as you
- *	  already realized:-) having same constant should inspire the
- *	  compiler to permanently allocate the only register for it;
- *	- most modern CPUs have two ALUs, but usually only one has
- *	  circuitry for shifts:-( this minor tweak inspires compiler
- *	  to schedule shift instructions in a better way...
- *
- *				<appro@fy.chalmers.se>
- */
+
+#ifndef FLAT_INC
+#include "../md32_common.h"
+#else
+#include "md32_common.h"
 #endif
 
+#define INIT_DATA_h0 0x67452301UL
+#define INIT_DATA_h1 0xefcdab89UL
+#define INIT_DATA_h2 0x98badcfeUL
+#define INIT_DATA_h3 0x10325476UL
+#define INIT_DATA_h4 0xc3d2e1f0UL
+
+void HASH_INIT (SHA_CTX *c)
+	{
+	c->h0=INIT_DATA_h0;
+	c->h1=INIT_DATA_h1;
+	c->h2=INIT_DATA_h2;
+	c->h3=INIT_DATA_h3;
+	c->h4=INIT_DATA_h4;
+	c->Nl=0;
+	c->Nh=0;
+	c->num=0;
+	}
+
+#define K_00_19	0x5a827999UL
+#define K_20_39 0x6ed9eba1UL
+#define K_40_59 0x8f1bbcdcUL
+#define K_60_79 0xca62c1d6UL
+
 /* As  pointed out by Wei Dai <weidai@eskimo.com>, F() below can be
  * simplified to the code in F_00_19.  Wei attributes these optimisations
  * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
@@ -246,43 +171,305 @@
 #define F_40_59(b,c,d)	(((b) & (c)) | (((b)|(c)) & (d))) 
 #define	F_60_79(b,c,d)	F_20_39(b,c,d)
 
-#undef Xupdate
-#ifdef SHA_0
-#define Xupdate(a,i,ia,ib,ic,id) X[(i)&0x0f]=(a)=\
-	(ia[(i)&0x0f]^ib[((i)+2)&0x0f]^ic[((i)+8)&0x0f]^id[((i)+13)&0x0f]);
-#endif
-#ifdef SHA_1
-#define Xupdate(a,i,ia,ib,ic,id) (a)=\
-	(ia[(i)&0x0f]^ib[((i)+2)&0x0f]^ic[((i)+8)&0x0f]^id[((i)+13)&0x0f]);\
-	X[(i)&0x0f]=(a)=ROTATE((a),1);
-#endif
-
-#define BODY_00_15(i,a,b,c,d,e,f,xa) \
-	(f)=xa[i]+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
+#define BODY_00_15(i,a,b,c,d,e,f,xi) \
+	(f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
 	(b)=ROTATE((b),30);
 
-#define BODY_16_19(i,a,b,c,d,e,f,xa,xb,xc,xd) \
-	Xupdate(f,i,xa,xb,xc,xd); \
+#define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
+	Xupdate(f,xi,xa,xb,xc,xd); \
 	(f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
 	(b)=ROTATE((b),30);
 
-#define BODY_20_31(i,a,b,c,d,e,f,xa,xb,xc,xd) \
-	Xupdate(f,i,xa,xb,xc,xd); \
+#define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
+	Xupdate(f,xi,xa,xb,xc,xd); \
 	(f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
 	(b)=ROTATE((b),30);
 
-#define BODY_32_39(i,a,b,c,d,e,f,xa) \
-	Xupdate(f,i,xa,xa,xa,xa); \
+#define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \
+	Xupdate(f,xa,xa,xb,xc,xd); \
 	(f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
 	(b)=ROTATE((b),30);
 
-#define BODY_40_59(i,a,b,c,d,e,f,xa) \
-	Xupdate(f,i,xa,xa,xa,xa); \
+#define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \
+	Xupdate(f,xa,xa,xb,xc,xd); \
 	(f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \
 	(b)=ROTATE((b),30);
 
-#define BODY_60_79(i,a,b,c,d,e,f,xa) \
-	Xupdate(f,i,xa,xa,xa,xa); \
-	(f)=X[(i)&0x0f]+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
+#define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \
+	Xupdate(f,xa,xa,xb,xc,xd); \
+	(f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
 	(b)=ROTATE((b),30);
 
+#ifdef X
+#undef X
+#endif
+#ifndef MD32_XARRAY
+  /*
+   * Originally X was an array. As it's automatic it's natural
+   * to expect RISC compiler to accomodate at least part of it in
+   * the register bank, isn't it? Unfortunately not all compilers
+   * "find" this expectation reasonable:-( On order to make such
+   * compilers generate better code I replace X[] with a bunch of
+   * X0, X1, etc. See the function body below...
+   *					<appro@fy.chalmers.se>
+   */
+# define X(i)	XX##i
+#else
+  /*
+   * However! Some compilers (most notably HP C) get overwhelmed by
+   * that many local variables so that we have to have the way to
+   * fall down to the original behavior.
+   */
+# define X(i)	XX[i]
+#endif
+
+#ifndef DONT_IMPLEMENT_BLOCK_HOST_ORDER
+void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
+	{
+	const SHA_LONG *W=d;
+	register unsigned long A,B,C,D,E,T;
+#ifndef MD32_XARRAY
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+#else
+	SHA_LONG	XX[16];
+#endif
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	for (;;)
+		{
+	BODY_00_15( 0,A,B,C,D,E,T,W[ 0]);
+	BODY_00_15( 1,T,A,B,C,D,E,W[ 1]);
+	BODY_00_15( 2,E,T,A,B,C,D,W[ 2]);
+	BODY_00_15( 3,D,E,T,A,B,C,W[ 3]);
+	BODY_00_15( 4,C,D,E,T,A,B,W[ 4]);
+	BODY_00_15( 5,B,C,D,E,T,A,W[ 5]);
+	BODY_00_15( 6,A,B,C,D,E,T,W[ 6]);
+	BODY_00_15( 7,T,A,B,C,D,E,W[ 7]);
+	BODY_00_15( 8,E,T,A,B,C,D,W[ 8]);
+	BODY_00_15( 9,D,E,T,A,B,C,W[ 9]);
+	BODY_00_15(10,C,D,E,T,A,B,W[10]);
+	BODY_00_15(11,B,C,D,E,T,A,W[11]);
+	BODY_00_15(12,A,B,C,D,E,T,W[12]);
+	BODY_00_15(13,T,A,B,C,D,E,W[13]);
+	BODY_00_15(14,E,T,A,B,C,D,W[14]);
+	BODY_00_15(15,D,E,T,A,B,C,W[15]);
+
+	BODY_16_19(16,C,D,E,T,A,B,X( 0),W[ 0],W[ 2],W[ 8],W[13]);
+	BODY_16_19(17,B,C,D,E,T,A,X( 1),W[ 1],W[ 3],W[ 9],W[14]);
+	BODY_16_19(18,A,B,C,D,E,T,X( 2),W[ 2],W[ 4],W[10],W[15]);
+	BODY_16_19(19,T,A,B,C,D,E,X( 3),W[ 3],W[ 5],W[11],X( 0));
+
+	BODY_20_31(20,E,T,A,B,C,D,X( 4),W[ 4],W[ 6],W[12],X( 1));
+	BODY_20_31(21,D,E,T,A,B,C,X( 5),W[ 5],W[ 7],W[13],X( 2));
+	BODY_20_31(22,C,D,E,T,A,B,X( 6),W[ 6],W[ 8],W[14],X( 3));
+	BODY_20_31(23,B,C,D,E,T,A,X( 7),W[ 7],W[ 9],W[15],X( 4));
+	BODY_20_31(24,A,B,C,D,E,T,X( 8),W[ 8],W[10],X( 0),X( 5));
+	BODY_20_31(25,T,A,B,C,D,E,X( 9),W[ 9],W[11],X( 1),X( 6));
+	BODY_20_31(26,E,T,A,B,C,D,X(10),W[10],W[12],X( 2),X( 7));
+	BODY_20_31(27,D,E,T,A,B,C,X(11),W[11],W[13],X( 3),X( 8));
+	BODY_20_31(28,C,D,E,T,A,B,X(12),W[12],W[14],X( 4),X( 9));
+	BODY_20_31(29,B,C,D,E,T,A,X(13),W[13],W[15],X( 5),X(10));
+	BODY_20_31(30,A,B,C,D,E,T,X(14),W[14],X( 0),X( 6),X(11));
+	BODY_20_31(31,T,A,B,C,D,E,X(15),W[15],X( 1),X( 7),X(12));
+
+	BODY_32_39(32,E,T,A,B,C,D,X( 0),X( 2),X( 8),X(13));
+	BODY_32_39(33,D,E,T,A,B,C,X( 1),X( 3),X( 9),X(14));
+	BODY_32_39(34,C,D,E,T,A,B,X( 2),X( 4),X(10),X(15));
+	BODY_32_39(35,B,C,D,E,T,A,X( 3),X( 5),X(11),X( 0));
+	BODY_32_39(36,A,B,C,D,E,T,X( 4),X( 6),X(12),X( 1));
+	BODY_32_39(37,T,A,B,C,D,E,X( 5),X( 7),X(13),X( 2));
+	BODY_32_39(38,E,T,A,B,C,D,X( 6),X( 8),X(14),X( 3));
+	BODY_32_39(39,D,E,T,A,B,C,X( 7),X( 9),X(15),X( 4));
+
+	BODY_40_59(40,C,D,E,T,A,B,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(41,B,C,D,E,T,A,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(42,A,B,C,D,E,T,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(43,T,A,B,C,D,E,X(11),X(13),X( 3),X( 8));
+	BODY_40_59(44,E,T,A,B,C,D,X(12),X(14),X( 4),X( 9));
+	BODY_40_59(45,D,E,T,A,B,C,X(13),X(15),X( 5),X(10));
+	BODY_40_59(46,C,D,E,T,A,B,X(14),X( 0),X( 6),X(11));
+	BODY_40_59(47,B,C,D,E,T,A,X(15),X( 1),X( 7),X(12));
+	BODY_40_59(48,A,B,C,D,E,T,X( 0),X( 2),X( 8),X(13));
+	BODY_40_59(49,T,A,B,C,D,E,X( 1),X( 3),X( 9),X(14));
+	BODY_40_59(50,E,T,A,B,C,D,X( 2),X( 4),X(10),X(15));
+	BODY_40_59(51,D,E,T,A,B,C,X( 3),X( 5),X(11),X( 0));
+	BODY_40_59(52,C,D,E,T,A,B,X( 4),X( 6),X(12),X( 1));
+	BODY_40_59(53,B,C,D,E,T,A,X( 5),X( 7),X(13),X( 2));
+	BODY_40_59(54,A,B,C,D,E,T,X( 6),X( 8),X(14),X( 3));
+	BODY_40_59(55,T,A,B,C,D,E,X( 7),X( 9),X(15),X( 4));
+	BODY_40_59(56,E,T,A,B,C,D,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(57,D,E,T,A,B,C,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(58,C,D,E,T,A,B,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(59,B,C,D,E,T,A,X(11),X(13),X( 3),X( 8));
+
+	BODY_60_79(60,A,B,C,D,E,T,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(61,T,A,B,C,D,E,X(13),X(15),X( 5),X(10));
+	BODY_60_79(62,E,T,A,B,C,D,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(63,D,E,T,A,B,C,X(15),X( 1),X( 7),X(12));
+	BODY_60_79(64,C,D,E,T,A,B,X( 0),X( 2),X( 8),X(13));
+	BODY_60_79(65,B,C,D,E,T,A,X( 1),X( 3),X( 9),X(14));
+	BODY_60_79(66,A,B,C,D,E,T,X( 2),X( 4),X(10),X(15));
+	BODY_60_79(67,T,A,B,C,D,E,X( 3),X( 5),X(11),X( 0));
+	BODY_60_79(68,E,T,A,B,C,D,X( 4),X( 6),X(12),X( 1));
+	BODY_60_79(69,D,E,T,A,B,C,X( 5),X( 7),X(13),X( 2));
+	BODY_60_79(70,C,D,E,T,A,B,X( 6),X( 8),X(14),X( 3));
+	BODY_60_79(71,B,C,D,E,T,A,X( 7),X( 9),X(15),X( 4));
+	BODY_60_79(72,A,B,C,D,E,T,X( 8),X(10),X( 0),X( 5));
+	BODY_60_79(73,T,A,B,C,D,E,X( 9),X(11),X( 1),X( 6));
+	BODY_60_79(74,E,T,A,B,C,D,X(10),X(12),X( 2),X( 7));
+	BODY_60_79(75,D,E,T,A,B,C,X(11),X(13),X( 3),X( 8));
+	BODY_60_79(76,C,D,E,T,A,B,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(77,B,C,D,E,T,A,X(13),X(15),X( 5),X(10));
+	BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12));
+	
+	c->h0=(c->h0+E)&0xffffffffL; 
+	c->h1=(c->h1+T)&0xffffffffL;
+	c->h2=(c->h2+A)&0xffffffffL;
+	c->h3=(c->h3+B)&0xffffffffL;
+	c->h4=(c->h4+C)&0xffffffffL;
+
+	if (--num <= 0) break;
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	W+=SHA_LBLOCK;
+		}
+	}
+#endif
+
+#ifndef DONT_IMPLEMENT_BLOCK_DATA_ORDER
+void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
+	{
+	const unsigned char *data=p;
+	register unsigned long A,B,C,D,E,T,l;
+#ifndef MD32_XARRAY
+	unsigned long	XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+			XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+#else
+	SHA_LONG	XX[16];
+#endif
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+	for (;;)
+		{
+
+	HOST_c2l(data,l); X( 0)=l;		HOST_c2l(data,l); X( 1)=l;
+	BODY_00_15( 0,A,B,C,D,E,T,X( 0));	HOST_c2l(data,l); X( 2)=l;
+	BODY_00_15( 1,T,A,B,C,D,E,X( 1));	HOST_c2l(data,l); X( 3)=l;
+	BODY_00_15( 2,E,T,A,B,C,D,X( 2));	HOST_c2l(data,l); X( 4)=l;
+	BODY_00_15( 3,D,E,T,A,B,C,X( 3));	HOST_c2l(data,l); X( 5)=l;
+	BODY_00_15( 4,C,D,E,T,A,B,X( 4));	HOST_c2l(data,l); X( 6)=l;
+	BODY_00_15( 5,B,C,D,E,T,A,X( 5));	HOST_c2l(data,l); X( 7)=l;
+	BODY_00_15( 6,A,B,C,D,E,T,X( 6));	HOST_c2l(data,l); X( 8)=l;
+	BODY_00_15( 7,T,A,B,C,D,E,X( 7));	HOST_c2l(data,l); X( 9)=l;
+	BODY_00_15( 8,E,T,A,B,C,D,X( 8));	HOST_c2l(data,l); X(10)=l;
+	BODY_00_15( 9,D,E,T,A,B,C,X( 9));	HOST_c2l(data,l); X(11)=l;
+	BODY_00_15(10,C,D,E,T,A,B,X(10));	HOST_c2l(data,l); X(12)=l;
+	BODY_00_15(11,B,C,D,E,T,A,X(11));	HOST_c2l(data,l); X(13)=l;
+	BODY_00_15(12,A,B,C,D,E,T,X(12));	HOST_c2l(data,l); X(14)=l;
+	BODY_00_15(13,T,A,B,C,D,E,X(13));	HOST_c2l(data,l); X(15)=l;
+	BODY_00_15(14,E,T,A,B,C,D,X(14));
+	BODY_00_15(15,D,E,T,A,B,C,X(15));
+
+	BODY_16_19(16,C,D,E,T,A,B,X( 0),X( 0),X( 2),X( 8),X(13));
+	BODY_16_19(17,B,C,D,E,T,A,X( 1),X( 1),X( 3),X( 9),X(14));
+	BODY_16_19(18,A,B,C,D,E,T,X( 2),X( 2),X( 4),X(10),X(15));
+	BODY_16_19(19,T,A,B,C,D,E,X( 3),X( 3),X( 5),X(11),X( 0));
+
+	BODY_20_31(20,E,T,A,B,C,D,X( 4),X( 4),X( 6),X(12),X( 1));
+	BODY_20_31(21,D,E,T,A,B,C,X( 5),X( 5),X( 7),X(13),X( 2));
+	BODY_20_31(22,C,D,E,T,A,B,X( 6),X( 6),X( 8),X(14),X( 3));
+	BODY_20_31(23,B,C,D,E,T,A,X( 7),X( 7),X( 9),X(15),X( 4));
+	BODY_20_31(24,A,B,C,D,E,T,X( 8),X( 8),X(10),X( 0),X( 5));
+	BODY_20_31(25,T,A,B,C,D,E,X( 9),X( 9),X(11),X( 1),X( 6));
+	BODY_20_31(26,E,T,A,B,C,D,X(10),X(10),X(12),X( 2),X( 7));
+	BODY_20_31(27,D,E,T,A,B,C,X(11),X(11),X(13),X( 3),X( 8));
+	BODY_20_31(28,C,D,E,T,A,B,X(12),X(12),X(14),X( 4),X( 9));
+	BODY_20_31(29,B,C,D,E,T,A,X(13),X(13),X(15),X( 5),X(10));
+	BODY_20_31(30,A,B,C,D,E,T,X(14),X(14),X( 0),X( 6),X(11));
+	BODY_20_31(31,T,A,B,C,D,E,X(15),X(15),X( 1),X( 7),X(12));
+
+	BODY_32_39(32,E,T,A,B,C,D,X( 0),X( 2),X( 8),X(13));
+	BODY_32_39(33,D,E,T,A,B,C,X( 1),X( 3),X( 9),X(14));
+	BODY_32_39(34,C,D,E,T,A,B,X( 2),X( 4),X(10),X(15));
+	BODY_32_39(35,B,C,D,E,T,A,X( 3),X( 5),X(11),X( 0));
+	BODY_32_39(36,A,B,C,D,E,T,X( 4),X( 6),X(12),X( 1));
+	BODY_32_39(37,T,A,B,C,D,E,X( 5),X( 7),X(13),X( 2));
+	BODY_32_39(38,E,T,A,B,C,D,X( 6),X( 8),X(14),X( 3));
+	BODY_32_39(39,D,E,T,A,B,C,X( 7),X( 9),X(15),X( 4));
+
+	BODY_40_59(40,C,D,E,T,A,B,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(41,B,C,D,E,T,A,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(42,A,B,C,D,E,T,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(43,T,A,B,C,D,E,X(11),X(13),X( 3),X( 8));
+	BODY_40_59(44,E,T,A,B,C,D,X(12),X(14),X( 4),X( 9));
+	BODY_40_59(45,D,E,T,A,B,C,X(13),X(15),X( 5),X(10));
+	BODY_40_59(46,C,D,E,T,A,B,X(14),X( 0),X( 6),X(11));
+	BODY_40_59(47,B,C,D,E,T,A,X(15),X( 1),X( 7),X(12));
+	BODY_40_59(48,A,B,C,D,E,T,X( 0),X( 2),X( 8),X(13));
+	BODY_40_59(49,T,A,B,C,D,E,X( 1),X( 3),X( 9),X(14));
+	BODY_40_59(50,E,T,A,B,C,D,X( 2),X( 4),X(10),X(15));
+	BODY_40_59(51,D,E,T,A,B,C,X( 3),X( 5),X(11),X( 0));
+	BODY_40_59(52,C,D,E,T,A,B,X( 4),X( 6),X(12),X( 1));
+	BODY_40_59(53,B,C,D,E,T,A,X( 5),X( 7),X(13),X( 2));
+	BODY_40_59(54,A,B,C,D,E,T,X( 6),X( 8),X(14),X( 3));
+	BODY_40_59(55,T,A,B,C,D,E,X( 7),X( 9),X(15),X( 4));
+	BODY_40_59(56,E,T,A,B,C,D,X( 8),X(10),X( 0),X( 5));
+	BODY_40_59(57,D,E,T,A,B,C,X( 9),X(11),X( 1),X( 6));
+	BODY_40_59(58,C,D,E,T,A,B,X(10),X(12),X( 2),X( 7));
+	BODY_40_59(59,B,C,D,E,T,A,X(11),X(13),X( 3),X( 8));
+
+	BODY_60_79(60,A,B,C,D,E,T,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(61,T,A,B,C,D,E,X(13),X(15),X( 5),X(10));
+	BODY_60_79(62,E,T,A,B,C,D,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(63,D,E,T,A,B,C,X(15),X( 1),X( 7),X(12));
+	BODY_60_79(64,C,D,E,T,A,B,X( 0),X( 2),X( 8),X(13));
+	BODY_60_79(65,B,C,D,E,T,A,X( 1),X( 3),X( 9),X(14));
+	BODY_60_79(66,A,B,C,D,E,T,X( 2),X( 4),X(10),X(15));
+	BODY_60_79(67,T,A,B,C,D,E,X( 3),X( 5),X(11),X( 0));
+	BODY_60_79(68,E,T,A,B,C,D,X( 4),X( 6),X(12),X( 1));
+	BODY_60_79(69,D,E,T,A,B,C,X( 5),X( 7),X(13),X( 2));
+	BODY_60_79(70,C,D,E,T,A,B,X( 6),X( 8),X(14),X( 3));
+	BODY_60_79(71,B,C,D,E,T,A,X( 7),X( 9),X(15),X( 4));
+	BODY_60_79(72,A,B,C,D,E,T,X( 8),X(10),X( 0),X( 5));
+	BODY_60_79(73,T,A,B,C,D,E,X( 9),X(11),X( 1),X( 6));
+	BODY_60_79(74,E,T,A,B,C,D,X(10),X(12),X( 2),X( 7));
+	BODY_60_79(75,D,E,T,A,B,C,X(11),X(13),X( 3),X( 8));
+	BODY_60_79(76,C,D,E,T,A,B,X(12),X(14),X( 4),X( 9));
+	BODY_60_79(77,B,C,D,E,T,A,X(13),X(15),X( 5),X(10));
+	BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11));
+	BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12));
+	
+	c->h0=(c->h0+E)&0xffffffffL; 
+	c->h1=(c->h1+T)&0xffffffffL;
+	c->h2=(c->h2+A)&0xffffffffL;
+	c->h3=(c->h3+B)&0xffffffffL;
+	c->h4=(c->h4+C)&0xffffffffL;
+
+	if (--num <= 0) break;
+
+	A=c->h0;
+	B=c->h1;
+	C=c->h2;
+	D=c->h3;
+	E=c->h4;
+
+		}
+	}
+#endif
diff --git a/lib/libcrypto/sha/shatest.c b/lib/libcrypto/sha/shatest.c
index 2b0744d937c..a5786bbf768 100644
--- a/lib/libcrypto/sha/shatest.c
+++ b/lib/libcrypto/sha/shatest.c
@@ -76,26 +76,26 @@ int main(int argc, char *argv[])
 #define SHA_0 /* FIPS 180 */
 #undef  SHA_1 /* FIPS 180-1 */
 
-char *test[]={
+static char *test[]={
 	"abc",
 	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 	NULL,
 	};
 
 #ifdef SHA_0
-char *ret[]={
+static char *ret[]={
 	"0164b8a914cd2a5e74c4f7ff082c4d97f1edf880",
 	"d2516ee1acfa5baf33dfc1c471e438449ef134c8",
 	};
-char *bigret=
+static char *bigret=
 	"3232affa48628a26653b5aaa44541fd90d690603";
 #endif
 #ifdef SHA_1
-char *ret[]={
+static char *ret[]={
 	"a9993e364706816aba3e25717850c26c9cd0d89d",
 	"84983e441c3bd26ebaae4aa1f95129e5e54670f1",
 	};
-char *bigret=
+static char *bigret=
 	"34aa973cd4c4daa4f61eeb2bdbad27316534016f";
 #endif
 
diff --git a/lib/libcrypto/stack/Makefile.ssl b/lib/libcrypto/stack/Makefile.ssl
index faed4d03649..64a93b33ac0 100644
--- a/lib/libcrypto/stack/Makefile.ssl
+++ b/lib/libcrypto/stack/Makefile.ssl
@@ -82,4 +82,5 @@ stack.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 stack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 stack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 stack.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-stack.o: ../../include/openssl/stack.h ../cryptlib.h
+stack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+stack.o: ../cryptlib.h
diff --git a/lib/libcrypto/stack/stack.c b/lib/libcrypto/stack/stack.c
index 8b967138848..58e9126339b 100644
--- a/lib/libcrypto/stack/stack.c
+++ b/lib/libcrypto/stack/stack.c
@@ -59,7 +59,7 @@
 /* Code for stacks
  * Author - Eric Young v 1.0
  * 1.2 eay 12-Mar-97 -	Modified sk_find so that it _DOES_ return the
- *			lowest index for the seached item.
+ *			lowest index for the searched item.
  *
  * 1.1 eay - Take from netdb and added to SSLeay
  *
@@ -126,7 +126,7 @@ STACK *sk_new(int (*c)())
 	ret->sorted=0;
 	return(ret);
 err1:
-	Free((char *)ret);
+	Free(ret);
 err0:
 	return(NULL);
 	}
@@ -276,8 +276,8 @@ void sk_pop_free(STACK *st, void (*func)())
 void sk_free(STACK *st)
 	{
 	if (st == NULL) return;
-	if (st->data != NULL) Free((char *)st->data);
-	Free((char *)st);
+	if (st->data != NULL) Free(st->data);
+	Free(st);
 	}
 
 int sk_num(STACK *st)
diff --git a/lib/libcrypto/stack/stack.h b/lib/libcrypto/stack/stack.h
index 0f825cc0c4a..a615d9b4c94 100644
--- a/lib/libcrypto/stack/stack.h
+++ b/lib/libcrypto/stack/stack.h
@@ -76,8 +76,8 @@ typedef struct stack_st
 
 #define sk_new_null()	sk_new(NULL)
 
-#define M_sk_num(sk)		((sk)->num)
-#define M_sk_value(sk,n)	((sk)->data[n])
+#define M_sk_num(sk)		((sk) ? (sk)->num:-1)
+#define M_sk_value(sk,n)	((sk) ? (sk)->data[n] : NULL)
 
 int sk_num(STACK *);
 char *sk_value(STACK *, int);
diff --git a/lib/libcrypto/threads/mttest.c b/lib/libcrypto/threads/mttest.c
index 142623eddab..24713a31573 100644
--- a/lib/libcrypto/threads/mttest.c
+++ b/lib/libcrypto/threads/mttest.c
@@ -74,26 +74,29 @@
 #include <ulocks.h>
 #include <sys/prctl.h>
 #endif
+#ifdef PTHREADS
+#include <pthread.h>
+#endif
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
-#include "../e_os.h"
+#include "../../e_os.h"
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 
 #ifdef NO_FP_API
 #define APPS_WIN16
-#include "../crypto/buffer/bss_file.c"
+#include "../buffer/bss_file.c"
 #endif
 
-#define TEST_SERVER_CERT "../apps/server.pem"
-#define TEST_CLIENT_CERT "../apps/client.pem"
+#define TEST_SERVER_CERT "../../apps/server.pem"
+#define TEST_CLIENT_CERT "../../apps/client.pem"
 
 #define MAX_THREAD_NUMBER	100
 
-int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth,
-	int error,char *arg);
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *xs);
 void thread_setup(void);
 void thread_cleanup(void);
 void do_threads(SSL_CTX *s_ctx,SSL_CTX *c_ctx);
@@ -121,6 +124,8 @@ int number_of_loops=10;
 int reconnect=0;
 int cache_stats=0;
 
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
 int doit(char *ctx[4]);
 static void print_stats(FILE *fp, SSL_CTX *ctx)
 {
@@ -170,6 +175,8 @@ int main(int argc, char *argv[])
 	char *ccert=TEST_CLIENT_CERT;
 	SSL_METHOD *ssl_method=SSLv23_method();
 
+	RAND_seed(rnd_seed, sizeof rnd_seed);
+
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	if (bio_stdout == NULL)
@@ -244,7 +251,7 @@ bad:
 	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
 
 	SSL_load_error_strings();
-	SSLeay_add_ssl_algorithms();
+	OpenSSL_add_ssl_algorithms();
 
 	c_ctx=SSL_CTX_new(ssl_method);
 	s_ctx=SSL_CTX_new(ssl_method);
@@ -259,8 +266,15 @@ bad:
 	SSL_CTX_set_session_cache_mode(c_ctx,
 		SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
 
-	SSL_CTX_use_certificate_file(s_ctx,scert,SSL_FILETYPE_PEM);
-	SSL_CTX_use_RSAPrivateKey_file(s_ctx,scert,SSL_FILETYPE_PEM);
+	if (!SSL_CTX_use_certificate_file(s_ctx,scert,SSL_FILETYPE_PEM))
+		{
+		ERR_print_errors(bio_err);
+		}
+	else if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx,scert,SSL_FILETYPE_PEM))
+		{
+		ERR_print_errors(bio_err);
+		goto end;
+		}
 
 	if (client_auth)
 		{
@@ -489,6 +503,7 @@ int doit(char *ctx[4])
 					else
 						{
 						fprintf(stderr,"ERROR in CLIENT\n");
+						ERR_print_errors_fp(stderr);
 						return(1);
 						}
 					}
@@ -520,6 +535,7 @@ int doit(char *ctx[4])
 					else
 						{
 						fprintf(stderr,"ERROR in CLIENT\n");
+						ERR_print_errors_fp(stderr);
 						return(1);
 						}
 					}
@@ -652,18 +668,23 @@ err:
 	return(0);
 	}
 
-int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth,
-	     int error, char *arg)
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	{
-	char buf[256];
+	char *s, buf[256];
 
 	if (verbose)
 		{
-		X509_NAME_oneline(X509_get_subject_name(xs),buf,256);
-		if (ok)
-			fprintf(stderr,"depth=%d %s\n",depth,buf);
-		else
-			fprintf(stderr,"depth=%d error=%d %s\n",depth,error,buf);
+		s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
+				    buf,256);
+		if (s != NULL)
+			{
+			if (ok)
+				fprintf(stderr,"depth=%d %s\n",
+					ctx->error_depth,buf);
+			else
+				fprintf(stderr,"depth=%d error=%d %s\n",
+					ctx->error_depth,ctx->error,buf);
+			}
 		}
 	return(ok);
 	}
@@ -672,13 +693,14 @@ int MS_CALLBACK verify_callback(int ok, X509 *xs, X509 *xi, int depth,
 
 #ifdef WIN32
 
-static HANDLE lock_cs[CRYPTO_NUM_LOCKS];
+static HANDLE *lock_cs;
 
 void thread_setup(void)
 	{
 	int i;
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_cs[i]=CreateMutex(NULL,FALSE,NULL);
 		}
@@ -692,8 +714,9 @@ void thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		CloseHandle(lock_cs[i]);
+	Free(lock_cs);
 	}
 
 void win32_locking_callback(int mode, int type, char *file, int line)
@@ -763,15 +786,17 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
 
 #ifdef SOLARIS
 
-static mutex_t lock_cs[CRYPTO_NUM_LOCKS];
-/*static rwlock_t lock_cs[CRYPTO_NUM_LOCKS]; */
-static long lock_count[CRYPTO_NUM_LOCKS];
+static mutex_t *lock_cs;
+/*static rwlock_t *lock_cs; */
+static long *lock_count;
 
 void thread_setup(void)
 	{
 	int i;
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(mutex_t));
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_count[i]=0;
 		/* rwlock_init(&(lock_cs[i]),USYNC_THREAD,NULL); */
@@ -787,31 +812,37 @@ void thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-fprintf(stderr,"cleanup\n");
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+
+	fprintf(stderr,"cleanup\n");
+
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		/* rwlock_destroy(&(lock_cs[i])); */
 		mutex_destroy(&(lock_cs[i]));
 		fprintf(stderr,"%8ld:%s\n",lock_count[i],CRYPTO_get_lock_name(i));
 		}
-fprintf(stderr,"done cleanup\n");
+	Free(lock_cs);
+	Free(lock_count);
+
+	fprintf(stderr,"done cleanup\n");
+
 	}
 
 void solaris_locking_callback(int mode, int type, char *file, int line)
 	{
 #ifdef undef
-fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
-	CRYPTO_thread_id(),
-	(mode&CRYPTO_LOCK)?"l":"u",
-	(type&CRYPTO_READ)?"r":"w",file,line);
+	fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+		CRYPTO_thread_id(),
+		(mode&CRYPTO_LOCK)?"l":"u",
+		(type&CRYPTO_READ)?"r":"w",file,line);
 #endif
 
-/*
-if (CRYPTO_LOCK_SSL_CERT == type)
+	/*
+	if (CRYPTO_LOCK_SSL_CERT == type)
 	fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
 		CRYPTO_thread_id(),
 		mode,file,line);
-*/
+	*/
 	if (mode & CRYPTO_LOCK)
 		{
 	/*	if (mode & CRYPTO_READ)
@@ -871,7 +902,7 @@ unsigned long solaris_thread_id(void)
 
 
 static usptr_t *arena;
-static usema_t *lock_cs[CRYPTO_NUM_LOCKS];
+static usema_t **lock_cs;
 
 void thread_setup(void)
 	{
@@ -888,7 +919,8 @@ void thread_setup(void)
 	arena=usinit(filename);
 	unlink(filename);
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_cs[i]=usnewsema(arena,1);
 		}
@@ -902,7 +934,7 @@ void thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		char buf[10];
 
@@ -910,6 +942,7 @@ void thread_cleanup(void)
 		usdumpsema(lock_cs[i],stdout,buf);
 		usfreesema(lock_cs[i],arena);
 		}
+	Free(lock_cs);
 	}
 
 void irix_locking_callback(int mode, int type, char *file, int line)
@@ -962,14 +995,16 @@ unsigned long irix_thread_id(void)
 
 #ifdef PTHREADS
 
-static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
-static long lock_count[CRYPTO_NUM_LOCKS];
+static pthread_mutex_t *lock_cs;
+static long *lock_count;
 
 void thread_setup(void)
 	{
 	int i;
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_count[i]=0;
 		pthread_mutex_init(&(lock_cs[i]),NULL);
@@ -985,12 +1020,15 @@ void thread_cleanup(void)
 
 	CRYPTO_set_locking_callback(NULL);
 	fprintf(stderr,"cleanup\n");
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		pthread_mutex_destroy(&(lock_cs[i]));
 		fprintf(stderr,"%8ld:%s\n",lock_count[i],
 			CRYPTO_get_lock_name(i));
 		}
+	Free(lock_cs);
+	Free(lock_count);
+
 	fprintf(stderr,"done cleanup\n");
 	}
 
@@ -1045,7 +1083,7 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
 		}
 
 	printf("pthreads threads done (%d,%d)\n",
-	s_ctx->references,c_ctx->references);
+		s_ctx->references,c_ctx->references);
 	}
 
 unsigned long pthreads_thread_id(void)
diff --git a/lib/libcrypto/threads/th-lock.c b/lib/libcrypto/threads/th-lock.c
index afb4f4caf29..3ee978060c2 100644
--- a/lib/libcrypto/threads/th-lock.c
+++ b/lib/libcrypto/threads/th-lock.c
@@ -74,6 +74,9 @@
 #include <ulocks.h>
 #include <sys/prctl.h>
 #endif
+#ifdef PTHREADS
+#include <pthread.h>
+#endif
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
@@ -82,7 +85,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-int CRYPTO_thread_setup(void);
+void CRYPTO_thread_setup(void);
 void CRYPTO_thread_cleanup(void);
 
 static void irix_locking_callback(int mode,int type,char *file,int line);
@@ -96,7 +99,7 @@ static unsigned long pthreads_thread_id(void );
 
 /* usage:
  * CRYPTO_thread_setup();
- * applicaion code
+ * application code
  * CRYPTO_thread_cleanup();
  */
 
@@ -104,13 +107,14 @@ static unsigned long pthreads_thread_id(void );
 
 #ifdef WIN32
 
-static HANDLE lock_cs[CRYPTO_NUM_LOCKS];
+static HANDLE *lock_cs;
 
-int CRYPTO_thread_setup(void)
+void CRYPTO_thread_setup(void)
 	{
 	int i;
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_cs[i]=CreateMutex(NULL,FALSE,NULL);
 		}
@@ -125,8 +129,9 @@ static void CRYPTO_thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		CloseHandle(lock_cs[i]);
+	Free(lock_cs);
 	}
 
 void win32_locking_callback(int mode, int type, char *file, int line)
@@ -147,18 +152,24 @@ void win32_locking_callback(int mode, int type, char *file, int line)
 
 #define USE_MUTEX
 
-static mutex_t lock_cs[CRYPTO_NUM_LOCKS];
 #ifdef USE_MUTEX
-static long lock_count[CRYPTO_NUM_LOCKS];
+static mutex_t *lock_cs;
 #else
-static rwlock_t lock_cs[CRYPTO_NUM_LOCKS];
+static rwlock_t *lock_cs;
 #endif
+static long *lock_count;
 
 void CRYPTO_thread_setup(void)
 	{
 	int i;
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+#ifdef USE_MUTEX
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(mutex_t));
+#else
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(rwlock_t));
+#endif
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_count[i]=0;
 #ifdef USE_MUTEX
@@ -177,7 +188,7 @@ void CRYPTO_thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 #ifdef USE_MUTEX
 		mutex_destroy(&(lock_cs[i]));
@@ -185,6 +196,8 @@ void CRYPTO_thread_cleanup(void)
 		rwlock_destroy(&(lock_cs[i]));
 #endif
 		}
+	Free(lock_cs);
+	Free(lock_count);
 	}
 
 void solaris_locking_callback(int mode, int type, char *file, int line)
@@ -237,7 +250,7 @@ unsigned long solaris_thread_id(void)
 /* I don't think this works..... */
 
 static usptr_t *arena;
-static usema_t *lock_cs[CRYPTO_NUM_LOCKS];
+static usema_t **lock_cs;
 
 void CRYPTO_thread_setup(void)
 	{
@@ -254,7 +267,8 @@ void CRYPTO_thread_setup(void)
 	arena=usinit(filename);
 	unlink(filename);
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_cs[i]=usnewsema(arena,1);
 		}
@@ -268,7 +282,7 @@ void CRYPTO_thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		char buf[10];
 
@@ -276,6 +290,7 @@ void CRYPTO_thread_cleanup(void)
 		usdumpsema(lock_cs[i],stdout,buf);
 		usfreesema(lock_cs[i],arena);
 		}
+	Free(lock_cs);
 	}
 
 void irix_locking_callback(int mode, int type, char *file, int line)
@@ -302,14 +317,16 @@ unsigned long irix_thread_id(void)
 /* Linux and a few others */
 #ifdef PTHREADS
 
-static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
-static long lock_count[CRYPTO_NUM_LOCKS];
+static pthread_mutex_t *lock_cs;
+static long *lock_count;
 
 void CRYPTO_thread_setup(void)
 	{
 	int i;
 
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	lock_cs=Malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
+	lock_count=Malloc(CRYPTO_num_locks() * sizeof(long));
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		lock_count[i]=0;
 		pthread_mutex_init(&(lock_cs[i]),NULL);
@@ -324,10 +341,12 @@ void thread_cleanup(void)
 	int i;
 
 	CRYPTO_set_locking_callback(NULL);
-	for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+	for (i=0; i<CRYPTO_num_locks(); i++)
 		{
 		pthread_mutex_destroy(&(lock_cs[i]));
 		}
+	Free(lock_cs);
+	Free(lock_count);
 	}
 
 void pthreads_locking_callback(int mode, int type, char *file,
diff --git a/lib/libcrypto/txt_db/Makefile.ssl b/lib/libcrypto/txt_db/Makefile.ssl
index 02b863bf89f..a631dce6f2d 100644
--- a/lib/libcrypto/txt_db/Makefile.ssl
+++ b/lib/libcrypto/txt_db/Makefile.ssl
@@ -82,5 +82,6 @@ txt_db.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 txt_db.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
 txt_db.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 txt_db.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/stack.h
-txt_db.o: ../../include/openssl/txt_db.h ../cryptlib.h
+txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+txt_db.o: ../../include/openssl/stack.h ../../include/openssl/txt_db.h
+txt_db.o: ../cryptlib.h
diff --git a/lib/libcrypto/txt_db/txt_db.c b/lib/libcrypto/txt_db/txt_db.c
index 9a9fa5ce557..33acc81f3fa 100644
--- a/lib/libcrypto/txt_db/txt_db.c
+++ b/lib/libcrypto/txt_db/txt_db.c
@@ -181,7 +181,7 @@ err:
 #endif
 		if (ret->data != NULL) sk_free(ret->data);
 		if (ret->index != NULL) Free(ret->index);
-		if (ret->qual != NULL) Free((char *)ret->qual);
+		if (ret->qual != NULL) Free(ret->qual);
 		if (ret != NULL) Free(ret);
 		return(NULL);
 		}
@@ -205,7 +205,7 @@ char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value)
 		db->error=DB_ERROR_NO_INDEX;
 		return(NULL);
 		}
-	ret=(char **)lh_retrieve(lh,(char *)value);
+	ret=(char **)lh_retrieve(lh,value);
 	db->error=DB_ERROR_OK;
 	return(ret);
 	}
@@ -306,7 +306,7 @@ int TXT_DB_insert(TXT_DB *db, char **row)
 			{
 			if ((db->qual[i] != NULL) &&
 				(db->qual[i](row) == 0)) continue;
-			r=(char **)lh_retrieve(db->index[i],(char *)row);
+			r=(char **)lh_retrieve(db->index[i],row);
 			if (r != NULL)
 				{
 				db->error=DB_ERROR_INDEX_CLASH;
@@ -329,7 +329,7 @@ int TXT_DB_insert(TXT_DB *db, char **row)
 			{
 			if ((db->qual[i] != NULL) &&
 				(db->qual[i](row) == 0)) continue;
-			lh_insert(db->index[i],(char *)row);
+			lh_insert(db->index[i],row);
 			}
 		}
 	return(1);
diff --git a/lib/libcrypto/util/domd b/lib/libcrypto/util/domd
index 324051f60b2..9f75131f221 100644
--- a/lib/libcrypto/util/domd
+++ b/lib/libcrypto/util/domd
@@ -7,5 +7,5 @@ shift
 
 cp Makefile.ssl Makefile.save
 makedepend -f Makefile.ssl $@
-$TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
 mv Makefile.new Makefile.ssl
diff --git a/lib/libcrypto/util/libeay.num b/lib/libcrypto/util/libeay.num
index 59c2040a29d..e3818ef6e4b 100644
--- a/lib/libcrypto/util/libeay.num
+++ b/lib/libcrypto/util/libeay.num
@@ -499,9 +499,9 @@ SHA1_Update				504
 SHA_Final				505
 SHA_Init				506
 SHA_Update				507
-SSLeay_add_all_algorithms		508
-SSLeay_add_all_ciphers			509
-SSLeay_add_all_digests			510
+OpenSSL_add_all_algorithms		508
+OpenSSL_add_all_ciphers			509
+OpenSSL_add_all_digests			510
 TXT_DB_create_index			511
 TXT_DB_free				512
 TXT_DB_get_by_index			513
@@ -1304,13 +1304,12 @@ i2d_SXNETID                             1329
 d2i_SXNETID                             1330
 SXNETID_new                             1331
 SXNETID_free                            1332
-DSA_SIG_new								1333
-DSA_SIG_free							1334
-DSA_do_sign								1335
-DSA_do_verify							1336
-d2i_DSA_SIG								1337
-i2d_DSA_SIG								1338
-
+DSA_SIG_new                             1333
+DSA_SIG_free                            1334
+DSA_do_sign                             1335
+DSA_do_verify                           1336
+d2i_DSA_SIG                             1337
+i2d_DSA_SIG                             1338
 i2d_ASN1_VISIBLESTRING                  1339
 d2i_ASN1_VISIBLESTRING                  1340
 i2d_ASN1_UTF8STRING                     1341
@@ -1844,3 +1843,387 @@ sk_DIST_POINT_sort                      1868
 RSA_check_key                           1869
 OBJ_obj2txt                             1870
 DSA_dup_DH                              1871
+X509_REQ_get_extensions                 1872
+X509_REQ_set_extension_nids             1873
+BIO_nwrite                              1874
+X509_REQ_extension_nid                  1875
+BIO_nread                               1876
+X509_REQ_get_extension_nids              1877
+BIO_nwrite0                             1878
+X509_REQ_add_extensions_nid             1879
+BIO_nread0                              1880
+X509_REQ_add_extensions                 1881
+BIO_new_mem_buf                         1882
+DH_set_ex_data                          1883
+DH_set_method                           1884
+DSA_OpenSSL                             1885
+DH_get_ex_data                          1886
+DH_get_ex_new_index                     1887
+DSA_new_method                          1888
+DH_new_method                           1889
+DH_OpenSSL                              1890
+DSA_get_ex_new_index                    1891
+DH_get_default_method                   1892
+DSA_set_ex_data                         1893
+DH_set_default_method                   1894
+DSA_get_ex_data                         1895
+X509V3_EXT_REQ_add_conf                 1896
+NETSCAPE_SPKI_print                     1897
+NETSCAPE_SPKI_set_pubkey                1898
+NETSCAPE_SPKI_b64_encode                1899
+NETSCAPE_SPKI_get_pubkey                1900
+NETSCAPE_SPKI_b64_decode                1901
+UTF8_putc                               1902
+UTF8_getc                               1903
+RSA_null_method                         1904
+ASN1_tag2str                            1905
+BIO_ctrl_reset_read_request             1906
+DISPLAYTEXT_new                         1907
+ASN1_GENERALIZEDTIME_free               1908
+X509_REVOKED_get_ext_d2i                1909
+X509_set_ex_data                        1910
+X509_reject_set_bit_asc                 1911
+X509_NAME_add_entry_by_txt              1912
+sk_X509_TRUST_pop                       1913
+X509_NAME_add_entry_by_NID              1914
+X509_PURPOSE_get0                       1915
+sk_ACCESS_DESCRIPTION_shift             1916
+PEM_read_X509_AUX                       1917
+d2i_AUTHORITY_INFO_ACCESS               1918
+sk_X509_TRUST_set_cmp_func              1919
+sk_X509_TRUST_free                      1920
+PEM_write_PUBKEY                        1921
+sk_X509_TRUST_num                       1922
+sk_ACCESS_DESCRIPTION_delete            1923
+sk_ASN1_STRING_TABLE_value              1924
+ACCESS_DESCRIPTION_new                  1925
+X509_CERT_AUX_free                      1926
+d2i_ACCESS_DESCRIPTION                  1927
+X509_trust_clear                        1928
+sk_X509_PURPOSE_value                   1929
+sk_X509_PURPOSE_zero                    1930
+X509_TRUST_add                          1931
+ASN1_VISIBLESTRING_new                  1932
+X509_alias_set1                         1933
+ASN1_PRINTABLESTRING_free               1934
+EVP_PKEY_get1_DSA                       1935
+ASN1_BMPSTRING_new                      1936
+ASN1_mbstring_copy                      1937
+ASN1_UTF8STRING_new                     1938
+sk_ACCESS_DESCRIPTION_set               1939
+sk_X509_PURPOSE_pop                     1940
+DSA_get_default_method                  1941
+sk_X509_PURPOSE_push                    1942
+sk_X509_PURPOSE_delete                  1943
+sk_X509_PURPOSE_num                     1944
+i2d_ASN1_SET_OF_ACCESS_DESCRIPTION      1945
+ASN1_T61STRING_free                     1946
+sk_ACCESS_DESCRIPTION_free              1947
+sk_ASN1_STRING_TABLE_pop                1948
+DSA_set_method                          1949
+X509_get_ex_data                        1950
+ASN1_STRING_type                        1951
+X509_PURPOSE_get_by_sname               1952
+sk_X509_PURPOSE_find                    1953
+ASN1_TIME_free                          1954
+ASN1_OCTET_STRING_cmp                   1955
+sk_ACCESS_DESCRIPTION_value             1956
+ASN1_BIT_STRING_new                     1957
+X509_get_ext_d2i                        1958
+PEM_read_bio_X509_AUX                   1959
+ASN1_STRING_set_default_mask_asc        1960
+PEM_write_bio_RSA_PUBKEY                1961
+sk_ASN1_STRING_TABLE_num                1962
+ASN1_INTEGER_cmp                        1963
+d2i_RSA_PUBKEY_fp                       1964
+sk_ACCESS_DESCRIPTION_unshift           1965
+sk_ASN1_STRING_TABLE_delete_ptr         1966
+X509_trust_set_bit_asc                  1967
+PEM_write_bio_DSA_PUBKEY                1968
+X509_STORE_CTX_free                     1969
+EVP_PKEY_set1_DSA                       1970
+i2d_DSA_PUBKEY_fp                       1971
+X509_load_cert_crl_file                 1972
+ASN1_TIME_new                           1973
+i2d_RSA_PUBKEY                          1974
+sk_X509_TRUST_pop_free                  1975
+X509_STORE_CTX_purpose_inherit          1976
+PEM_read_RSA_PUBKEY                     1977
+sk_X509_TRUST_zero                      1978
+sk_ACCESS_DESCRIPTION_pop_free          1979
+d2i_X509_AUX                            1980
+i2d_DSA_PUBKEY                          1981
+X509_CERT_AUX_print                     1982
+sk_X509_PURPOSE_new_null                1983
+PEM_read_DSA_PUBKEY                     1984
+i2d_RSA_PUBKEY_bio                      1985
+ASN1_BIT_STRING_num_asc                 1986
+i2d_PUBKEY                              1987
+ASN1_UTCTIME_free                       1988
+DSA_set_default_method                  1989
+X509_PURPOSE_get_by_id                  1990
+sk_X509_TRUST_push                      1991
+sk_ASN1_STRING_TABLE_sort               1992
+sk_X509_PURPOSE_set_cmp_func            1993
+ACCESS_DESCRIPTION_free                 1994
+PEM_read_bio_PUBKEY                     1995
+ASN1_STRING_set_by_NID                  1996
+X509_PURPOSE_get_id                     1997
+DISPLAYTEXT_free                        1998
+OTHERNAME_new                           1999
+sk_X509_TRUST_find                      2000
+X509_CERT_AUX_new                       2001
+sk_ACCESS_DESCRIPTION_dup               2002
+sk_ASN1_STRING_TABLE_pop_free           2003
+sk_ASN1_STRING_TABLE_unshift            2004
+sk_X509_TRUST_shift                     2005
+sk_ACCESS_DESCRIPTION_zero              2006
+X509_TRUST_cleanup                      2007
+X509_NAME_add_entry_by_OBJ              2008
+X509_CRL_get_ext_d2i                    2009
+sk_X509_TRUST_set                       2010
+X509_PURPOSE_get0_name                  2011
+PEM_read_PUBKEY                         2012
+sk_ACCESS_DESCRIPTION_new               2013
+i2d_DSA_PUBKEY_bio                      2014
+i2d_OTHERNAME                           2015
+ASN1_OCTET_STRING_free                  2016
+ASN1_BIT_STRING_set_asc                 2017
+sk_ACCESS_DESCRIPTION_push              2018
+X509_get_ex_new_index                   2019
+ASN1_STRING_TABLE_cleanup               2020
+X509_TRUST_get_by_id                    2021
+X509_PURPOSE_get_trust                  2022
+ASN1_STRING_length                      2023
+d2i_ASN1_SET_OF_ACCESS_DESCRIPTION      2024
+ASN1_PRINTABLESTRING_new                2025
+X509V3_get_d2i                          2026
+ASN1_ENUMERATED_free                    2027
+i2d_X509_CERT_AUX                       2028
+sk_ACCESS_DESCRIPTION_find              2029
+X509_STORE_CTX_set_trust                2030
+sk_X509_PURPOSE_unshift                 2031
+ASN1_STRING_set_default_mask            2032
+X509_STORE_CTX_new                      2033
+EVP_PKEY_get1_RSA                       2034
+sk_X509_PURPOSE_set                     2035
+sk_ASN1_STRING_TABLE_insert             2036
+sk_X509_PURPOSE_sort                    2037
+DIRECTORYSTRING_free                    2038
+PEM_write_X509_AUX                      2039
+ASN1_OCTET_STRING_set                   2040
+d2i_DSA_PUBKEY_fp                       2041
+sk_ASN1_STRING_TABLE_free               2042
+sk_X509_TRUST_value                     2043
+d2i_RSA_PUBKEY                          2044
+sk_ASN1_STRING_TABLE_set                2045
+X509_TRUST_get0_name                    2046
+X509_TRUST_get0                         2047
+AUTHORITY_INFO_ACCESS_free              2048
+ASN1_IA5STRING_new                      2049
+d2i_DSA_PUBKEY                          2050
+X509_check_purpose                      2051
+ASN1_ENUMERATED_new                     2052
+d2i_RSA_PUBKEY_bio                      2053
+d2i_PUBKEY                              2054
+X509_TRUST_get_trust                    2055
+X509_TRUST_get_flags                    2056
+ASN1_BMPSTRING_free                     2057
+ASN1_T61STRING_new                      2058
+sk_X509_TRUST_unshift                   2059
+ASN1_UTCTIME_new                        2060
+sk_ACCESS_DESCRIPTION_pop               2061
+i2d_AUTHORITY_INFO_ACCESS               2062
+EVP_PKEY_set1_RSA                       2063
+X509_STORE_CTX_set_purpose              2064
+ASN1_IA5STRING_free                     2065
+PEM_write_bio_X509_AUX                  2066
+X509_PURPOSE_get_count                  2067
+CRYPTO_add_info                         2068
+sk_ACCESS_DESCRIPTION_num               2069
+sk_ASN1_STRING_TABLE_set_cmp_func       2070
+X509_NAME_ENTRY_create_by_txt           2071
+ASN1_STRING_get_default_mask            2072
+sk_X509_TRUST_dup                       2073
+X509_alias_get0                         2074
+ASN1_STRING_data                        2075
+sk_X509_TRUST_insert                    2076
+i2d_ACCESS_DESCRIPTION                  2077
+X509_trust_set_bit                      2078
+sk_X509_PURPOSE_delete_ptr              2079
+ASN1_BIT_STRING_free                    2080
+PEM_read_bio_RSA_PUBKEY                 2081
+X509_add1_reject_object                 2082
+X509_check_trust                        2083
+sk_X509_TRUST_new_null                  2084
+sk_ACCESS_DESCRIPTION_new_null          2085
+sk_ACCESS_DESCRIPTION_delete_ptr        2086
+sk_X509_TRUST_sort                      2087
+PEM_read_bio_DSA_PUBKEY                 2088
+sk_X509_TRUST_new                       2089
+X509_PURPOSE_add                        2090
+ASN1_STRING_TABLE_get                   2091
+ASN1_UTF8STRING_free                    2092
+d2i_DSA_PUBKEY_bio                      2093
+sk_ASN1_STRING_TABLE_delete             2094
+PEM_write_RSA_PUBKEY                    2095
+d2i_OTHERNAME                           2096
+sk_ACCESS_DESCRIPTION_insert            2097
+X509_reject_set_bit                     2098
+sk_X509_TRUST_delete_ptr                2099
+sk_X509_PURPOSE_pop_free                2100
+PEM_write_DSA_PUBKEY                    2101
+sk_X509_PURPOSE_free                    2102
+sk_X509_PURPOSE_dup                     2103
+sk_ASN1_STRING_TABLE_zero               2104
+X509_PURPOSE_get0_sname                 2105
+sk_ASN1_STRING_TABLE_shift              2106
+EVP_PKEY_set1_DH                        2107
+ASN1_OCTET_STRING_dup                   2108
+ASN1_BIT_STRING_set                     2109
+X509_TRUST_get_count                    2110
+ASN1_INTEGER_free                       2111
+OTHERNAME_free                          2112
+i2d_RSA_PUBKEY_fp                       2113
+ASN1_INTEGER_dup                        2114
+d2i_X509_CERT_AUX                       2115
+sk_ASN1_STRING_TABLE_new_null           2116
+PEM_write_bio_PUBKEY                    2117
+ASN1_VISIBLESTRING_free                 2118
+X509_PURPOSE_cleanup                    2119
+sk_ASN1_STRING_TABLE_push               2120
+sk_ASN1_STRING_TABLE_dup                2121
+sk_X509_PURPOSE_shift                   2122
+ASN1_mbstring_ncopy                     2123
+sk_X509_PURPOSE_new                     2124
+sk_X509_PURPOSE_insert                  2125
+ASN1_GENERALIZEDTIME_new                2126
+sk_ACCESS_DESCRIPTION_sort              2127
+EVP_PKEY_get1_DH                        2128
+sk_ACCESS_DESCRIPTION_set_cmp_func      2129
+ASN1_OCTET_STRING_new                   2130
+ASN1_INTEGER_new                        2131
+i2d_X509_AUX                            2132
+sk_ASN1_STRING_TABLE_find               2133
+ASN1_BIT_STRING_name_print              2134
+X509_cmp                                2135
+ASN1_STRING_length_set                  2136
+DIRECTORYSTRING_new                     2137
+sk_ASN1_STRING_TABLE_new                2138
+sk_X509_TRUST_delete                    2139
+X509_add1_trust_object                  2140
+PKCS12_newpass                          2141
+SMIME_write_PKCS7                       2142
+SMIME_read_PKCS7                        2143
+des_set_key_checked                     2144
+PKCS7_verify                            2145
+PKCS7_encrypt                           2146
+des_set_key_unchecked                   2147
+SMIME_crlf_copy                         2148
+i2d_ASN1_PRINTABLESTRING                2149
+PKCS7_get0_signers                      2150
+PKCS7_decrypt                           2151
+SMIME_text                              2152
+PKCS7_simple_smimecap                   2153
+PKCS7_get_smimecap                      2154
+PKCS7_sign                              2155
+PKCS7_add_attrib_smimecap               2156
+CRYPTO_dbg_set_options                  2157
+CRYPTO_remove_all_info                  2158
+CRYPTO_get_mem_debug_functions          2159
+CRYPTO_is_mem_check_on                  2160
+CRYPTO_set_mem_debug_functions          2161
+CRYPTO_pop_info                         2162
+CRYPTO_push_info_                       2163
+CRYPTO_set_mem_debug_options            2164
+PEM_write_PKCS8PrivateKey_nid           2165
+PEM_write_bio_PKCS8PrivateKey_nid       2166
+d2i_PKCS8PrivateKey_bio                 2167
+ASN1_NULL_free                          2168
+d2i_ASN1_NULL                           2169
+ASN1_NULL_new                           2170
+i2d_PKCS8PrivateKey_bio                 2171
+i2d_PKCS8PrivateKey_fp                  2172
+i2d_ASN1_NULL                           2173
+i2d_PKCS8PrivateKey_nid_fp              2174
+d2i_PKCS8PrivateKey_fp                  2175
+i2d_PKCS8PrivateKey_nid_bio             2176
+i2d_PKCS8PrivateKeyInfo_fp              2177
+i2d_PKCS8PrivateKeyInfo_bio             2178
+PEM_cb                                  2179
+i2d_PrivateKey_fp                       2180
+d2i_PrivateKey_bio                      2181
+d2i_PrivateKey_fp                       2182
+i2d_PrivateKey_bio                      2183
+X509_reject_clear                       2184
+X509_TRUST_set_default                  2185
+d2i_AutoPrivateKey                      2186
+X509_ATTRIBUTE_get0_type                2187
+X509_ATTRIBUTE_set1_data                2188
+X509at_get_attr                         2189
+X509at_get_attr_count                   2190
+X509_ATTRIBUTE_create_by_NID            2191
+X509_ATTRIBUTE_set1_object              2192
+X509_ATTRIBUTE_count                    2193
+X509_ATTRIBUTE_create_by_OBJ            2194
+X509_ATTRIBUTE_get0_object              2195
+X509at_get_attr_by_NID                  2196
+X509at_add1_attr                        2197
+X509_ATTRIBUTE_get0_data                2198
+X509at_delete_attr                      2199
+X509at_get_attr_by_OBJ                  2200
+RAND_add                                2201
+BIO_number_written                      2202
+BIO_number_read                         2203
+X509_STORE_CTX_get1_chain               2204
+ERR_load_RAND_strings                   2205
+RAND_pseudo_bytes                       2206
+X509_REQ_get_attr_by_NID                2207
+X509_REQ_get_attr                       2208
+X509_REQ_add1_attr_by_NID               2209
+X509_REQ_get_attr_by_OBJ                2210
+X509at_add1_attr_by_NID                 2211
+X509_REQ_add1_attr_by_OBJ               2212
+X509_REQ_get_attr_count                 2213
+X509_REQ_add1_attr                      2214
+X509_REQ_delete_attr                    2215
+X509at_add1_attr_by_OBJ                 2216
+X509_REQ_add1_attr_by_txt               2217
+X509_ATTRIBUTE_create_by_txt            2218
+X509at_add1_attr_by_txt                 2219
+sk_CRYPTO_EX_DATA_FUNCS_delete          2220
+sk_CRYPTO_EX_DATA_FUNCS_set             2221
+sk_CRYPTO_EX_DATA_FUNCS_unshift         2222
+sk_CRYPTO_EX_DATA_FUNCS_new_null        2223
+sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func    2224
+sk_CRYPTO_EX_DATA_FUNCS_sort            2225
+sk_CRYPTO_EX_DATA_FUNCS_dup             2226
+sk_CRYPTO_EX_DATA_FUNCS_shift           2227
+sk_CRYPTO_EX_DATA_FUNCS_value           2228
+sk_CRYPTO_EX_DATA_FUNCS_pop             2229
+sk_CRYPTO_EX_DATA_FUNCS_push            2230
+sk_CRYPTO_EX_DATA_FUNCS_find            2231
+sk_CRYPTO_EX_DATA_FUNCS_new             2232
+sk_CRYPTO_EX_DATA_FUNCS_free            2233
+sk_CRYPTO_EX_DATA_FUNCS_delete_ptr      2234
+sk_CRYPTO_EX_DATA_FUNCS_num             2235
+sk_CRYPTO_EX_DATA_FUNCS_pop_free        2236
+sk_CRYPTO_EX_DATA_FUNCS_insert          2237
+sk_CRYPTO_EX_DATA_FUNCS_zero            2238
+BN_pseudo_rand                          2239
+BN_is_prime_fasttest                    2240
+BN_CTX_end                              2241
+BN_CTX_start                            2242
+BN_CTX_get                              2243
+EVP_PKEY2PKCS8_broken                   2244
+ASN1_STRING_TABLE_add                   2245
+CRYPTO_dbg_get_options                  2246
+AUTHORITY_INFO_ACCESS_new               2247
+CRYPTO_get_mem_debug_options            2248
+des_crypt                               2249
+PEM_write_bio_X509_REQ_NEW              2250
+PEM_write_X509_REQ_NEW                  2251
+BIO_callback_ctrl                       2252
+RAND_egd                                2253
+RAND_status                             2254
+bn_dump1                                2255
diff --git a/lib/libcrypto/util/mkdef.pl b/lib/libcrypto/util/mkdef.pl
index 80384af325a..4e2845a4e19 100644
--- a/lib/libcrypto/util/mkdef.pl
+++ b/lib/libcrypto/util/mkdef.pl
@@ -6,26 +6,34 @@
 # prototyped functions: it then prunes the output.
 #
 
-$crypto_num="util/libeay.num";
-$ssl_num=   "util/ssleay.num";
+my $crypto_num="util/libeay.num";
+my $ssl_num=   "util/ssleay.num";
 
 my $do_update = 0;
 my $do_crypto = 0;
 my $do_ssl = 0;
-$rsaref = 0;
+my $do_ctest = 0;
+my $rsaref = 0;
 
-$W32=1;
-$NT=0;
+my $W32=1;
+my $NT=0;
 # Set this to make typesafe STACK definitions appear in DEF
-$safe_stack_def = 1;
+my $safe_stack_def = 1;
 
-$options="";
+my $options="";
 open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
 while(<IN>) {
     $options=$1 if (/^OPTIONS=(.*)$/);
 }
 close(IN);
 
+# The following ciphers may be excluded (by Configure). This means functions
+# defined with ifndef(NO_XXX) are not included in the .def file, and everything
+# in directory xxx is ignored.
+my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
+my $no_cast; my $no_md2; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
+my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0;
+
 foreach (@ARGV, split(/ /, $options))
 	{
 	$W32=1 if $_ eq "32";
@@ -39,6 +47,7 @@ foreach (@ARGV, split(/ /, $options))
 	$do_crypto=1 if $_ eq "libeay";
 	$do_crypto=1 if $_ eq "crypto";
 	$do_update=1 if $_ eq "update";
+	$do_ctest=1 if $_ eq "ctest";
 	$rsaref=1 if $_ eq "rsaref";
 
 	if    (/^no-rc2$/)      { $no_rc2=1; }
@@ -59,6 +68,7 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-hmac$/)	{ $no_hmac=1; }
 	}
 
+
 if (!$do_ssl && !$do_crypto)
 	{
 	print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT ] [rsaref]\n";
@@ -70,9 +80,9 @@ $max_ssl = $max_num;
 %crypto_list=&load_numbers($crypto_num);
 $max_crypto = $max_num;
 
-$ssl="ssl/ssl.h";
+my $ssl="ssl/ssl.h";
 
-$crypto ="crypto/crypto.h";
+my $crypto ="crypto/crypto.h";
 $crypto.=" crypto/des/des.h" unless $no_des;
 $crypto.=" crypto/idea/idea.h" unless $no_idea;
 $crypto.=" crypto/rc4/rc4.h" unless $no_rc4;
@@ -115,8 +125,8 @@ $crypto.=" crypto/rand/rand.h";
 $crypto.=" crypto/comp/comp.h";
 $crypto.=" crypto/tmdiff.h";
 
-@ssl_func = &do_defs("SSLEAY", $ssl);
-@crypto_func = &do_defs("LIBEAY", $crypto);
+my @ssl_func = &do_defs("SSLEAY", $ssl);
+my @crypto_func = &do_defs("LIBEAY", $crypto);
 
 
 if ($do_update) {
@@ -131,7 +141,26 @@ if($do_crypto == 1) {
 	open(OUT, ">>$crypto_num");
 	&update_numbers(*OUT,"LIBEAY",*crypto_list,$max_crypto, @crypto_func);
 	close OUT;
-}
+} 
+
+} elsif ($do_ctest) {
+
+	print <<"EOF";
+
+/* Test file to check all DEF file symbols are present by trying
+ * to link to all of them. This is *not* intended to be run!
+ */
+
+int main()
+{
+EOF
+	&print_test_file(*STDOUT,"SSLEAY",*ssl_list,@ssl_func)
+		if $do_ssl == 1;
+
+	&print_test_file(*STDOUT,"LIBEAY",*crypto_list,@crypto_func)
+		if $do_crypto == 1;
+
+	print "}\n";
 
 } else {
 
@@ -147,14 +176,15 @@ if($do_crypto == 1) {
 sub do_defs
 {
 	my($name,$files)=@_;
+	my $file;
 	my @ret;
 	my %funcs;
+	my $cpp;
 
 	foreach $file (split(/\s+/,$files))
 		{
 		open(IN,"<$file") || die "unable to open $file:$!\n";
-
-		my $line = "", $def= "";
+		my $line = "", my $def= "";
 		my %tag = (
 			FreeBSD		=> 0,
 			NOPROTO		=> 0,
@@ -164,6 +194,22 @@ sub do_defs
 			NO_FP_API	=> 0,
 			CONST_STRICT	=> 0,
 			TRUE		=> 1,
+			NO_RC2		=> 0,
+			NO_RC4		=> 0,
+			NO_RC5		=> 0,
+			NO_IDEA		=> 0,
+			NO_DES		=> 0,
+			NO_BF		=> 0,
+			NO_CAST		=> 0,
+			NO_MD2		=> 0,
+			NO_MD5		=> 0,
+			NO_SHA		=> 0,
+			NO_RIPEMD	=> 0,
+			NO_MDC2		=> 0,
+			NO_RSA		=> 0,
+			NO_DSA		=> 0,
+			NO_DH		=> 0,
+			NO_HMAC		=> 0,
 		);
 		while(<IN>) {
 			last if (/BEGIN ERROR CODES/);
@@ -214,6 +260,11 @@ sub do_defs
 				push(@tag,"TRUE");
 				$tag{"TRUE"}=1;
 				next;
+			} elsif (/^\#\s*if\s+0/) {
+				# Dummy tag
+				push(@tag,"TRUE");
+				$tag{"TRUE"}=-1;
+				next;
 			} elsif (/^\#/) {
 				next;
 			}
@@ -250,7 +301,20 @@ sub do_defs
 				}
 				$funcs{"PEM_read_bio_${1}"} = 1;
 				$funcs{"PEM_write_bio_${1}"} = 1;
-			} elsif ( 
+			} elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ ||
+				     /^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) {
+				if($W32) {
+					$funcs{"PEM_write_${1}"} = 1;
+				}
+				$funcs{"PEM_write_bio_${1}"} = 1;
+			} elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ ||
+				     /^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) {
+				if($W32) {
+					$funcs{"PEM_read_${1}"} = 1;
+				}
+				$funcs{"PEM_read_bio_${1}"} = 1;
+			} elsif (
+				($tag{'TRUE'} != -1) &&
 				($tag{'FreeBSD'} != 1) &&
 				($tag{'CONST_STRICT'} != 1) &&
 				(($W32 && ($tag{'WIN16'} != 1)) ||
@@ -260,7 +324,23 @@ sub do_defs
 				((!$W32 && $tag{'_WINDLL'} != -1) ||
 				 ($W32 && $tag{'_WINDLL'} != 1)) &&
 				((($tag{'NO_FP_API'} != 1) && $W32) ||
-				 (($tag{'NO_FP_API'} != -1) && !$W32)))
+				 (($tag{'NO_FP_API'} != -1) && !$W32)) &&
+				($tag{'NO_RC2'} == 0  || !$no_rc2) &&
+				($tag{'NO_RC4'} == 0  || !$no_rc4) &&
+				($tag{'NO_RC5'} == 0  || !$no_rc5) &&
+				($tag{'NO_IDEA'} == 0 || !$no_idea) &&
+				($tag{'NO_DES'} == 0  || !$no_des) &&
+				($tag{'NO_BF'} == 0   || !$no_bf) &&
+				($tag{'NO_CAST'} == 0 || !$no_cast) &&
+				($tag{'NO_MD2'} == 0  || !$no_md2) &&
+				($tag{'NO_MD5'} == 0  || !$no_md5) &&
+				($tag{'NO_SHA'} == 0  || !$no_sha) &&
+				($tag{'NO_RIPEMD'} == 0 || !$no_ripemd) &&
+				($tag{'NO_MDC2'} == 0 || !$no_mdc2) &&
+				($tag{'NO_RSA'} == 0  || !$no_rsa) &&
+				($tag{'NO_DSA'} == 0  || !$no_dsa) &&
+				($tag{'NO_DH'} == 0   || !$no_dh) &&
+				($tag{'NO_HMAC'} == 0 || !$no_hmac))
 				{
 					if (/{|\/\*/) { # }
 						$line = $_;
@@ -309,8 +389,8 @@ sub do_defs
 	# Prune the returned functions
 
         delete $funcs{"SSL_add_dir_cert_subjects_to_stack"};
-        delete $funcs{"des_crypt"};
         delete $funcs{"RSA_PKCS1_RSAref"} unless $rsaref;
+        delete $funcs{"bn_dump1"};
 
 	if($W32) {
 		delete $funcs{"BIO_s_file_internal"};
@@ -334,10 +414,31 @@ sub do_defs
 	return(@ret);
 }
 
+sub print_test_file
+{
+	(*OUT,my $name,*nums,my @functions)=@_;
+	my $n = 1; my @e; my @r;
+	my $func;
+
+	(@e)=grep(/^SSLeay/,@functions);
+	(@r)=grep(!/^SSLeay/,@functions);
+	@functions=((sort @e),(sort @r));
+
+	foreach $func (@functions) {
+		if (!defined($nums{$func})) {
+			printf STDERR "$func does not have a number assigned\n"
+					if(!$do_update);
+		} else {
+			$n=$nums{$func};
+			print OUT "\t$func();\n";
+		}
+	}
+}
+
 sub print_def_file
 {
-	(*OUT,my $name,*nums,@functions)=@_;
-	my $n =1;
+	(*OUT,my $name,*nums,my @functions)=@_;
+	my $n = 1; my @e; my @r;
 
 	if ($W32)
 		{ $name.="32"; }
diff --git a/lib/libcrypto/util/mkerr.pl b/lib/libcrypto/util/mkerr.pl
index 4b3bccb13e7..ebc059ef228 100644
--- a/lib/libcrypto/util/mkerr.pl
+++ b/lib/libcrypto/util/mkerr.pl
@@ -450,7 +450,7 @@ void ERR_load_${lib}_strings(void)
 #ifdef ${lib}_LIB_NAME
 		${lib}_lib_name->error = ERR_PACK(${lib}_lib_error_code,0,0);
 		ERR_load_strings(0,${lib}_lib_name);
-#endif;
+#endif
 		}
 	}
 
diff --git a/lib/libcrypto/util/pl/BC-32.pl b/lib/libcrypto/util/pl/BC-32.pl
index 09c45a21a6b..df6e2c742e4 100644
--- a/lib/libcrypto/util/pl/BC-32.pl
+++ b/lib/libcrypto/util/pl/BC-32.pl
@@ -19,7 +19,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -j255 -w-aus -w-par -w-inl  -c -tWC -tWM -DWINDOWS -DWIN32 -DL_ENDIAN ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DWINDOWS -DWIN32 -DL_ENDIAN ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
diff --git a/lib/libcrypto/util/pl/Mingw32.pl b/lib/libcrypto/util/pl/Mingw32.pl
index 84c2a22db30..585cacd8203 100644
--- a/lib/libcrypto/util/pl/Mingw32.pl
+++ b/lib/libcrypto/util/pl/Mingw32.pl
@@ -17,7 +17,7 @@ $mkdir='gmkdir';
 
 $cc='gcc';
 if ($debug)
-	{ $cflags="-g2 -ggdb"; }
+	{ $cflags="-DL_ENDIAN -g2 -ggdb"; }
 else
 	{ $cflags="-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall"; }
 
diff --git a/lib/libcrypto/util/pl/VC-32.pl b/lib/libcrypto/util/pl/VC-32.pl
index 6db1c9fe237..046f0e253c3 100644
--- a/lib/libcrypto/util/pl/VC-32.pl
+++ b/lib/libcrypto/util/pl/VC-32.pl
@@ -22,7 +22,7 @@ $inc_def="inc32";
 
 if ($debug)
 	{
-	$cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DWINDOWS -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG";
+	$cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG";
 	$lflags.=" /debug";
 	$mlflags.=' /debug';
 	}
diff --git a/lib/libcrypto/util/ssleay.num b/lib/libcrypto/util/ssleay.num
index 8121738bd67..32b2e960c4a 100644
--- a/lib/libcrypto/util/ssleay.num
+++ b/lib/libcrypto/util/ssleay.num
@@ -215,3 +215,13 @@ SSL_CTX_set_cert_verify_callback        232
 sk_SSL_COMP_sort                        233
 sk_SSL_CIPHER_sort                      234
 SSL_CTX_set_default_passwd_cb_userdata  235
+SSL_set_purpose                         236
+SSL_CTX_set_trust                       237
+SSL_CTX_set_purpose                     238
+SSL_set_trust                           239
+SSL_get_finished                        240
+SSL_get_peer_finished                   241
+SSL_get1_session                        242
+SSL_CTX_callback_ctrl                   243
+SSL_callback_ctrl                       244
+SSL_CTX_sessions                        245
diff --git a/lib/libcrypto/x509/Makefile.ssl b/lib/libcrypto/x509/Makefile.ssl
index c7ac35f6cc9..48937b43af5 100644
--- a/lib/libcrypto/x509/Makefile.ssl
+++ b/lib/libcrypto/x509/Makefile.ssl
@@ -23,17 +23,17 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
-	x509_obj.c x509_req.c x509_vfy.c \
+	x509_obj.c x509_req.c x509spki.c x509_vfy.c \
 	x509_set.c x509rset.c x509_err.c \
-	x509name.c x509_v3.c x509_ext.c \
+	x509name.c x509_v3.c x509_ext.c x509_att.c \
 	x509type.c x509_lu.c x_all.c x509_txt.c \
-	by_file.c by_dir.c 
+	x509_trs.c by_file.c by_dir.c 
 LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
-	x509_obj.o x509_req.o x509_vfy.o \
+	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
 	x509_set.o x509rset.o x509_err.o \
-	x509name.o x509_v3.o x509_ext.o \
+	x509name.o x509_v3.o x509_ext.o x509_att.o \
 	x509type.o x509_lu.o x_all.o x509_txt.o \
-	by_file.o by_dir.o
+	x509_trs.o by_file.o by_dir.o
 
 SRC= $(LIBSRC)
 
@@ -123,14 +123,33 @@ by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 by_file.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
 by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_cmp.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_cmp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_cmp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_cmp.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
@@ -139,7 +158,7 @@ x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_cmp.o: ../cryptlib.h
+x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -192,11 +211,12 @@ x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_ext.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_ext.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_ext.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_ext.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
@@ -205,7 +225,7 @@ x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_ext.o: ../cryptlib.h
+x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -293,6 +313,24 @@ x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509_set.o: ../cryptlib.h
+x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -314,11 +352,12 @@ x509_txt.o: ../cryptlib.h
 x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_v3.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_v3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_v3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_v3.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
@@ -327,25 +366,25 @@ x509_v3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_v3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_v3.o: ../cryptlib.h
+x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_vfy.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_vfy.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_vfy.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-x509_vfy.o: ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_vfy.o: ../cryptlib.h
+x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -380,6 +419,24 @@ x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509rset.o: ../cryptlib.h
+x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x509spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509spki.o: ../cryptlib.h
 x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
diff --git a/lib/libcrypto/x509/by_dir.c b/lib/libcrypto/x509/by_dir.c
index 734e39ac773..14d12c56bd7 100644
--- a/lib/libcrypto/x509/by_dir.c
+++ b/lib/libcrypto/x509/by_dir.c
@@ -59,10 +59,18 @@
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 
 #include "cryptlib.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef MAC_OS_pre_X
+# include <stat.h>
+#else
+# include <sys/stat.h>
+#endif
+
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 
@@ -210,9 +218,9 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
 				memcpy(ip,ctx->dirs_type,(ctx->num_dirs_alloced-10)*
 					sizeof(int));
 				if (ctx->dirs != NULL)
-					Free((char *)ctx->dirs);
+					Free(ctx->dirs);
 				if (ctx->dirs_type != NULL)
-					Free((char *)ctx->dirs_type);
+					Free(ctx->dirs_type);
 				ctx->dirs=pp;
 				ctx->dirs_type=ip;
 				}
@@ -318,8 +326,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 		/* we have added it to the cache so now pull
 		 * it out again */
 		CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
-		tmp=(X509_OBJECT *)lh_retrieve(xl->store_ctx->certs,
-			(char *)&stmp);
+		tmp=(X509_OBJECT *)lh_retrieve(xl->store_ctx->certs,&stmp);
 		CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
 
 		if (tmp != NULL)
diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c
index 00ee5e8bbc4..78e9240a8d0 100644
--- a/lib/libcrypto/x509/by_file.c
+++ b/lib/libcrypto/x509/by_file.c
@@ -59,8 +59,6 @@
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 
 #include "cryptlib.h"
 #include <openssl/lhash.h>
@@ -94,7 +92,7 @@ X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	     char **ret)
 	{
-	int ok=0,ok2=0;
+	int ok=0;
 	char *file;
 
 	switch (cmd)
@@ -102,31 +100,30 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	case X509_L_FILE_LOAD:
 		if (argl == X509_FILETYPE_DEFAULT)
 			{
-			ok=X509_load_cert_file(ctx,X509_get_default_cert_file(),
-				X509_FILETYPE_PEM);
-			ok2=X509_load_crl_file(ctx,X509_get_default_cert_file(),
-				X509_FILETYPE_PEM);
-			if (!ok || !ok2)
+			ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
+				X509_FILETYPE_PEM) != 0);
+			if (!ok)
 				{
 				X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
 				}
 			else
 				{
 				file=(char *)Getenv(X509_get_default_cert_file_env());
-				ok=X509_load_cert_file(ctx,file,
-					X509_FILETYPE_PEM);
-				ok2=X509_load_crl_file(ctx,file,
-					X509_FILETYPE_PEM);
+				ok = (X509_load_cert_crl_file(ctx,file,
+					X509_FILETYPE_PEM) != 0);
 				}
 			}
 		else
 			{
-			ok=X509_load_cert_file(ctx,argp,(int)argl);
-			ok2=X509_load_crl_file(ctx,argp,(int)argl);
+			if(argl == X509_FILETYPE_PEM)
+				ok = (X509_load_cert_crl_file(ctx,argp,
+					X509_FILETYPE_PEM) != 0);
+			else
+				ok = (X509_load_cert_file(ctx,argp,(int)argl) != 0);
 			}
 		break;
 		}
-	return((ok && ok2)?ok:0);
+	return(ok);
 	}
 
 int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
@@ -149,7 +146,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
 		{
 		for (;;)
 			{
-			x=PEM_read_bio_X509(in,NULL,NULL,NULL);
+			x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
 			if (x == NULL)
 				{
 				if ((ERR_GET_REASON(ERR_peek_error()) ==
@@ -263,5 +260,39 @@ err:
 	return(ret);
 	}
 
+int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
+{
+	STACK_OF(X509_INFO) *inf;
+	X509_INFO *itmp;
+	BIO *in;
+	int i, count = 0;
+	if(type != X509_FILETYPE_PEM)
+		return X509_load_cert_file(ctx, file, type);
+	in = BIO_new_file(file, "r");
+	if(!in) {
+		X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB);
+		return 0;
+	}
+	inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+	BIO_free(in);
+	if(!inf) {
+		X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
+		return 0;
+	}
+	for(i = 0; i < sk_X509_INFO_num(inf); i++) {
+		itmp = sk_X509_INFO_value(inf, i);
+		if(itmp->x509) {
+			X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
+			count++;
+		} else if(itmp->crl) {
+			X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
+			count++;
+		}
+	}
+	sk_X509_INFO_pop_free(inf, X509_INFO_free);
+	return count;
+}
+
+
 #endif /* NO_STDIO */
 
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index 35f9484f8b9..d3336d9cebb 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -176,9 +176,8 @@ typedef struct X509_extension_st
 	short critical;
 	short netscape_hack;
 	ASN1_OCTET_STRING *value;
-	long argl;			/* used when decoding */
-	char *argp;			/* used when decoding */
-	void (*ex_free)();		/* clear argp stuff */
+	struct v3_ext_method *method;	/* V3 method to use */
+	void *ext_val;			/* extension value */
 	} X509_EXTENSION;
 
 DECLARE_STACK_OF(X509_EXTENSION)
@@ -231,6 +230,21 @@ typedef struct x509_cinf_st
 	STACK_OF(X509_EXTENSION) *extensions;	/* [ 3 ] optional in v3 */
 	} X509_CINF;
 
+/* This stuff is certificate "auxiliary info"
+ * it contains details which are useful in certificate
+ * stores and databases. When used this is tagged onto
+ * the end of the certificate itself
+ */
+
+typedef struct x509_cert_aux_st
+	{
+	STACK_OF(ASN1_OBJECT) *trust;		/* trusted uses */
+	STACK_OF(ASN1_OBJECT) *reject;		/* rejected uses */
+	ASN1_UTF8STRING *alias;			/* "friendly name" */
+	ASN1_OCTET_STRING *keyid;		/* key id of private key */
+	STACK_OF(X509_ALGOR) *other;		/* other unspecified info */
+	} X509_CERT_AUX;
+
 typedef struct x509_st
 	{
 	X509_CINF *cert_info;
@@ -239,11 +253,58 @@ typedef struct x509_st
 	int valid;
 	int references;
 	char *name;
+	CRYPTO_EX_DATA ex_data;
+	/* These contain copies of various extension values */
+	long ex_pathlen;
+	unsigned long ex_flags;
+	unsigned long ex_kusage;
+	unsigned long ex_xkusage;
+	unsigned long ex_nscert;
+#ifndef NO_SHA
+	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+#endif
+	X509_CERT_AUX *aux;
 	} X509;
 
 DECLARE_STACK_OF(X509)
 DECLARE_ASN1_SET_OF(X509)
 
+/* This is used for a table of trust checking functions */
+
+typedef struct x509_trust_st {
+	int trust;
+	int flags;
+	int (*check_trust)(struct x509_trust_st *, X509 *, int);
+	char *name;
+	int arg1;
+	void *arg2;
+} X509_TRUST;
+
+DECLARE_STACK_OF(X509_TRUST)
+
+/* standard trust ids */
+
+#define X509_TRUST_ANY		1
+#define X509_TRUST_SSL_CLIENT	2
+#define X509_TRUST_SSL_SERVER	3
+#define X509_TRUST_EMAIL	4
+#define X509_TRUST_OBJECT_SIGN	5
+
+/* Keep these up to date! */
+#define X509_TRUST_MIN		1
+#define X509_TRUST_MAX		5
+
+
+/* trust_flags values */
+#define	X509_TRUST_DYNAMIC 	1
+#define	X509_TRUST_DYNAMIC_NAME	2
+
+/* check_trust return codes */
+
+#define X509_TRUST_TRUSTED	1
+#define X509_TRUST_REJECTED	2
+#define X509_TRUST_UNTRUSTED	3
+
 typedef struct X509_revoked_st
 	{
 	ASN1_INTEGER *serialNumber;
@@ -318,7 +379,7 @@ DECLARE_STACK_OF(X509_INFO)
 
 /* The next 2 structures and their 8 routines were sent to me by
  * Pat Richard <patr@x509.com> and are used to manipulate
- * Netscapes spki strucutres - usefull if you are writing a CA web page
+ * Netscapes spki structures - useful if you are writing a CA web page
  */
 typedef struct Netscape_spkac_st
 	{
@@ -372,8 +433,10 @@ X509_ALGOR *prf;
 typedef struct pkcs8_priv_key_info_st
         {
         int broken;     /* Flag for various broken formats */
-#define PKCS8_OK        0
-#define PKCS8_NO_OCTET  1
+#define PKCS8_OK		0
+#define PKCS8_NO_OCTET		1
+#define PKCS8_EMBEDDED_PARAM	2
+#define PKCS8_NS_DB		3
         ASN1_INTEGER *version;
         X509_ALGOR *pkeyalg;
         ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */
@@ -552,13 +615,20 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
 
+NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len);
+char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
+
+int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
+
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
-int X509_digest(X509 *data,EVP_MD *type,unsigned char *md,unsigned int *len);
-int X509_NAME_digest(X509_NAME *data,EVP_MD *type,
+int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
+int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
 	unsigned char *md,unsigned int *len);
 #endif
 
@@ -574,16 +644,23 @@ RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
 int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
 RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
 int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
+RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
+int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
 #endif
 #ifndef NO_DSA
+DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
+int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
 int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
+#endif
 X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
 int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
 						PKCS8_PRIV_KEY_INFO **p8inf);
 int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
-#endif
+int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
+int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
 #endif
 
 #ifdef HEADER_BIO_H
@@ -598,8 +675,12 @@ RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
 int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
 RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
 int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
+RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
+int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
 #endif
 #ifndef NO_DSA
+DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
+int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
 int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
 #endif
@@ -608,6 +689,9 @@ int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
 						PKCS8_PRIV_KEY_INFO **p8inf);
 int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
+int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
 #endif
 
 X509 *X509_dup(X509 *x509);
@@ -635,7 +719,7 @@ const char *	X509_get_default_cert_dir_env(void );
 const char *	X509_get_default_cert_file_env(void );
 const char *	X509_get_default_private_dir(void );
 
-X509_REQ *	X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md);
+X509_REQ *	X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 X509 *		X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
 void ERR_load_X509_strings(void );
 
@@ -660,7 +744,19 @@ int		X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
 EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
 int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
 					   STACK_OF(X509) *chain);
-
+int		i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
+EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp,
+			long length);
+#ifndef NO_RSA
+int		i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
+RSA *		d2i_RSA_PUBKEY(RSA **a,unsigned char **pp,
+			long length);
+#endif
+#ifndef NO_DSA
+int		i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
+DSA *		d2i_DSA_PUBKEY(DSA **a,unsigned char **pp,
+			long length);
+#endif
 
 X509_SIG *	X509_SIG_new(void );
 void		X509_SIG_free(X509_SIG *a);
@@ -714,6 +810,25 @@ X509 *		X509_new(void);
 void		X509_free(X509 *a);
 int		i2d_X509(X509 *a,unsigned char **pp);
 X509 *		d2i_X509(X509 **a,unsigned char **pp,long length);
+int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int X509_set_ex_data(X509 *r, int idx, void *arg);
+void *X509_get_ex_data(X509 *r, int idx);
+int		i2d_X509_AUX(X509 *a,unsigned char **pp);
+X509 *		d2i_X509_AUX(X509 **a,unsigned char **pp,long length);
+
+X509_CERT_AUX *	X509_CERT_AUX_new(void);
+void		X509_CERT_AUX_free(X509_CERT_AUX *a);
+int		i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
+X509_CERT_AUX *	d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
+								long length);
+int X509_alias_set1(X509 *x, unsigned char *name, int len);
+unsigned char * X509_alias_get0(X509 *x, int *len);
+int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
+int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
+int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
+void X509_trust_clear(X509 *x);
+void X509_reject_clear(X509 *x);
 
 X509_REVOKED *	X509_REVOKED_new(void);
 void		X509_REVOKED_free(X509_REVOKED *a);
@@ -762,7 +877,7 @@ char *		X509_NAME_oneline(X509_NAME *a,char *buf,int size);
 int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
 	ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey);
 
-int ASN1_digest(int (*i2d)(),EVP_MD *type,char *data,
+int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
 	unsigned char *md,unsigned int *len);
 
 int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
@@ -787,6 +902,30 @@ int		X509_REQ_set_version(X509_REQ *x,long version);
 int		X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name);
 int		X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
 EVP_PKEY *	X509_REQ_get_pubkey(X509_REQ *req);
+int		X509_REQ_extension_nid(int nid);
+int *		X509_REQ_get_extension_nids(void);
+void		X509_REQ_set_extension_nids(int *nids);
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
+int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
+				int nid);
+int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts);
+int X509_REQ_get_attr_count(const X509_REQ *req);
+int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
+			  int lastpos);
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
+			  int lastpos);
+X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
+X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
+int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
+int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len);
+int X509_REQ_add1_attr_by_NID(X509_REQ *req,
+			int nid, int type,
+			unsigned char *bytes, int len);
+int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+			char *attrname, int type,
+			unsigned char *bytes, int len);
 
 int		X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
@@ -799,6 +938,7 @@ unsigned long	X509_issuer_name_hash(X509 *a);
 int		X509_subject_name_cmp(X509 *a,X509 *b);
 unsigned long	X509_subject_name_hash(X509 *x);
 
+int		X509_cmp (X509 *a, X509 *b);
 int		X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
 unsigned long	X509_NAME_hash(X509_NAME *x);
 
@@ -812,6 +952,7 @@ int		X509_REQ_print_fp(FILE *bp,X509_REQ *req);
 #ifdef HEADER_BIO_H
 int		X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
 int		X509_print(BIO *bp,X509 *x);
+int		X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
 int		X509_CRL_print(BIO *bp,X509_CRL *x);
 int		X509_REQ_print(BIO *bp,X509_REQ *req);
 #endif
@@ -823,7 +964,7 @@ int		X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj,
 			char *buf,int len);
 
 /* NOTE: you should be passsing -1, not 0 as lastpos.  The functions that use
- * lastpos, seach after that position on. */
+ * lastpos, search after that position on. */
 int 		X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
 int 		X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj,
 			int lastpos);
@@ -831,8 +972,16 @@ X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
 X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
 int 		X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne,
 			int loc, int set);
+int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
+			unsigned char *bytes, int len, int loc, int set);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
+		char *field, int type, unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 			int type,unsigned char *bytes, int len);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+			unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
 			ASN1_OBJECT *obj, int type,unsigned char *bytes,
 			int len);
@@ -862,6 +1011,7 @@ int		X509_get_ext_by_critical(X509 *x, int crit, int lastpos);
 X509_EXTENSION *X509_get_ext(X509 *x, int loc);
 X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
 int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
+void	*	X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
 
 int		X509_CRL_get_ext_count(X509_CRL *x);
 int		X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
@@ -870,6 +1020,7 @@ int		X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos);
 X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
 X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
 int		X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
+void	*	X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
 
 int		X509_REVOKED_get_ext_count(X509_REVOKED *x);
 int		X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
@@ -878,6 +1029,7 @@ int		X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos);
 X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
 X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
 int		X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
+void	*	X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
 
 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
 			int nid, int crit, ASN1_OCTET_STRING *data);
@@ -891,6 +1043,38 @@ ASN1_OBJECT *	X509_EXTENSION_get_object(X509_EXTENSION *ex);
 ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
 int		X509_EXTENSION_get_critical(X509_EXTENSION *ex);
 
+int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
+int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+			  int lastpos);
+int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
+			  int lastpos);
+X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
+X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+					 X509_ATTRIBUTE *attr);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+			int nid, int type,
+			unsigned char *bytes, int len);
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+			char *attrname, int type,
+			unsigned char *bytes, int len);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+	     int atrtype, void *data, int len);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+	     ASN1_OBJECT *obj, int atrtype, void *data, int len);
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+		char *atrname, int type, unsigned char *bytes, int len);
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj);
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len);
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+					int atrtype, void *data);
+int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
+ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+
 int		X509_verify_cert(X509_STORE_CTX *ctx);
 
 /* lookup a cert from a X509 STACK */
@@ -926,8 +1110,20 @@ void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *a);
 
 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken);
 PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
 
+int X509_check_trust(X509 *x, int id, int flags);
+int X509_TRUST_get_count(void);
+X509_TRUST * X509_TRUST_get0(int idx);
+int X509_TRUST_get_by_id(int id);
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+					char *name, int arg1, void *arg2);
+void X509_TRUST_cleanup(void);
+int X509_TRUST_get_flags(X509_TRUST *xp);
+char *X509_TRUST_get0_name(X509_TRUST *xp);
+int X509_TRUST_get_trust(X509_TRUST *xp);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -940,15 +1136,25 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
 #define X509_F_BY_FILE_CTRL				 101
 #define X509_F_DIR_CTRL					 102
 #define X509_F_GET_CERT_BY_SUBJECT			 103
+#define X509_F_NETSCAPE_SPKI_B64_DECODE			 129
+#define X509_F_NETSCAPE_SPKI_B64_ENCODE			 130
 #define X509_F_X509V3_ADD_EXT				 104
+#define X509_F_X509_ADD_ATTR				 135
+#define X509_F_X509_ATTRIBUTE_CREATE_BY_NID		 136
+#define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ		 137
+#define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT		 140
+#define X509_F_X509_ATTRIBUTE_GET0_DATA			 139
+#define X509_F_X509_ATTRIBUTE_SET1_DATA			 138
 #define X509_F_X509_CHECK_PRIVATE_KEY			 128
 #define X509_F_X509_EXTENSION_CREATE_BY_NID		 108
 #define X509_F_X509_EXTENSION_CREATE_BY_OBJ		 109
 #define X509_F_X509_GET_PUBKEY_PARAMETERS		 110
+#define X509_F_X509_LOAD_CERT_CRL_FILE			 132
 #define X509_F_X509_LOAD_CERT_FILE			 111
 #define X509_F_X509_LOAD_CRL_FILE			 112
 #define X509_F_X509_NAME_ADD_ENTRY			 113
 #define X509_F_X509_NAME_ENTRY_CREATE_BY_NID		 114
+#define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT		 131
 #define X509_F_X509_NAME_ENTRY_SET_OBJECT		 115
 #define X509_F_X509_NAME_ONELINE			 116
 #define X509_F_X509_NAME_PRINT				 117
@@ -960,15 +1166,19 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
 #define X509_F_X509_REQ_TO_X509				 123
 #define X509_F_X509_STORE_ADD_CERT			 124
 #define X509_F_X509_STORE_ADD_CRL			 125
+#define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
 #define X509_F_X509_TO_X509_REQ				 126
+#define X509_F_X509_TRUST_ADD				 133
 #define X509_F_X509_VERIFY_CERT				 127
 
 /* Reason codes. */
 #define X509_R_BAD_X509_FILETYPE			 100
+#define X509_R_BASE64_DECODE_ERROR			 118
 #define X509_R_CANT_CHECK_DH_KEY			 114
 #define X509_R_CERT_ALREADY_IN_HASH_TABLE		 101
 #define X509_R_ERR_ASN1_LIB				 102
 #define X509_R_INVALID_DIRECTORY			 113
+#define X509_R_INVALID_FIELD_NAME			 119
 #define X509_R_KEY_TYPE_MISMATCH			 115
 #define X509_R_KEY_VALUES_MISMATCH			 116
 #define X509_R_LOADING_CERT_DIR				 103
@@ -979,8 +1189,11 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken);
 #define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY		 108
 #define X509_R_UNKNOWN_KEY_TYPE				 117
 #define X509_R_UNKNOWN_NID				 109
+#define X509_R_UNKNOWN_PURPOSE_ID			 121
+#define X509_R_UNKNOWN_TRUST_ID				 120
 #define X509_R_UNSUPPORTED_ALGORITHM			 111
 #define X509_R_WRONG_LOOKUP_TYPE			 112
+#define X509_R_WRONG_TYPE				 122
 
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c
index 9a93bae3ff3..a8a5ca8b03e 100644
--- a/lib/libcrypto/x509/x509_cmp.c
+++ b/lib/libcrypto/x509/x509_cmp.c
@@ -57,12 +57,11 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 int X509_issuer_and_serial_cmp(X509 *a, X509 *b)
 	{
@@ -71,7 +70,7 @@ int X509_issuer_and_serial_cmp(X509 *a, X509 *b)
 
 	ai=a->cert_info;
 	bi=b->cert_info;
-	i=ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
+	i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
 	if (i) return(i);
 	return(X509_NAME_cmp(ai->issuer,bi->issuer));
 	}
@@ -138,6 +137,20 @@ unsigned long X509_subject_name_hash(X509 *x)
 	return(X509_NAME_hash(x->cert_info->subject));
 	}
 
+#ifndef NO_SHA
+/* Compare two certificates: they must be identical for
+ * this to work.
+ */
+int X509_cmp(X509 *a, X509 *b)
+{
+	/* ensure hash is valid */
+	X509_check_purpose(a, -1, 0);
+	X509_check_purpose(b, -1, 0);
+
+	return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+}
+#endif
+
 int X509_NAME_cmp(X509_NAME *a, X509_NAME *b)
 	{
 	int i,j;
@@ -175,7 +188,7 @@ int X509_NAME_cmp(X509_NAME *a, X509_NAME *b)
 
 #ifndef NO_MD5
 /* I now DER encode the name and hash it.  Since I cache the DER encoding,
- * this is reasonably effiecent. */
+ * this is reasonably efficient. */
 unsigned long X509_NAME_hash(X509_NAME *x)
 	{
 	unsigned long ret=0;
@@ -209,6 +222,8 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
 	X509_CINF cinf;
 	X509 x,*x509=NULL;
 
+	if(!sk) return NULL;
+
 	x.cert_info= &cinf;
 	cinf.serialNumber=serial;
 	cinf.issuer=name;
diff --git a/lib/libcrypto/x509/x509_d2.c b/lib/libcrypto/x509/x509_d2.c
index 3e7ec5b4326..753d53eb437 100644
--- a/lib/libcrypto/x509/x509_d2.c
+++ b/lib/libcrypto/x509/x509_d2.c
@@ -57,8 +57,6 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
@@ -91,13 +89,15 @@ int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
 		{
 		lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
 		if (lookup == NULL) return(0);
-		X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM);
+		if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
+		    return(0);
 		}
 	if (path != NULL)
 		{
 		lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
 		if (lookup == NULL) return(0);
-		X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM);
+		if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
+		    return(0);
 		}
 	if ((path == NULL) && (file == NULL))
 		return(0);
diff --git a/lib/libcrypto/x509/x509_def.c b/lib/libcrypto/x509/x509_def.c
index c4bee715698..e0ac151a768 100644
--- a/lib/libcrypto/x509/x509_def.c
+++ b/lib/libcrypto/x509/x509_def.c
@@ -57,8 +57,6 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
diff --git a/lib/libcrypto/x509/x509_err.c b/lib/libcrypto/x509/x509_err.c
index 9afd4ccde5f..fdedbdac344 100644
--- a/lib/libcrypto/x509/x509_err.c
+++ b/lib/libcrypto/x509/x509_err.c
@@ -69,15 +69,25 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_BY_FILE_CTRL,0),	"BY_FILE_CTRL"},
 {ERR_PACK(0,X509_F_DIR_CTRL,0),	"DIR_CTRL"},
 {ERR_PACK(0,X509_F_GET_CERT_BY_SUBJECT,0),	"GET_CERT_BY_SUBJECT"},
+{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_DECODE,0),	"NETSCAPE_SPKI_b64_decode"},
+{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_ENCODE,0),	"NETSCAPE_SPKI_b64_encode"},
 {ERR_PACK(0,X509_F_X509V3_ADD_EXT,0),	"X509v3_add_ext"},
+{ERR_PACK(0,X509_F_X509_ADD_ATTR,0),	"X509_ADD_ATTR"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_NID,0),	"X509_ATTRIBUTE_create_by_NID"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,0),	"X509_ATTRIBUTE_create_by_OBJ"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,0),	"X509_ATTRIBUTE_create_by_txt"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_GET0_DATA,0),	"X509_ATTRIBUTE_get0_data"},
+{ERR_PACK(0,X509_F_X509_ATTRIBUTE_SET1_DATA,0),	"X509_ATTRIBUTE_set1_data"},
 {ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0),	"X509_check_private_key"},
 {ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0),	"X509_EXTENSION_create_by_NID"},
 {ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0),	"X509_EXTENSION_create_by_OBJ"},
 {ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0),	"X509_get_pubkey_parameters"},
+{ERR_PACK(0,X509_F_X509_LOAD_CERT_CRL_FILE,0),	"X509_load_cert_crl_file"},
 {ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0),	"X509_load_cert_file"},
 {ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0),	"X509_load_crl_file"},
 {ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0),	"X509_NAME_add_entry"},
 {ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0),	"X509_NAME_ENTRY_create_by_NID"},
+{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,0),	"X509_NAME_ENTRY_create_by_txt"},
 {ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0),	"X509_NAME_ENTRY_set_object"},
 {ERR_PACK(0,X509_F_X509_NAME_ONELINE,0),	"X509_NAME_oneline"},
 {ERR_PACK(0,X509_F_X509_NAME_PRINT,0),	"X509_NAME_print"},
@@ -89,7 +99,9 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
 {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
+{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
 {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
 {0,NULL}
 	};
@@ -97,10 +109,12 @@ static ERR_STRING_DATA X509_str_functs[]=
 static ERR_STRING_DATA X509_str_reasons[]=
 	{
 {X509_R_BAD_X509_FILETYPE                ,"bad x509 filetype"},
+{X509_R_BASE64_DECODE_ERROR              ,"base64 decode error"},
 {X509_R_CANT_CHECK_DH_KEY                ,"cant check dh key"},
 {X509_R_CERT_ALREADY_IN_HASH_TABLE       ,"cert already in hash table"},
 {X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
 {X509_R_INVALID_DIRECTORY                ,"invalid directory"},
+{X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
 {X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
 {X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
 {X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
@@ -111,8 +125,11 @@ static ERR_STRING_DATA X509_str_reasons[]=
 {X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
 {X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
 {X509_R_UNKNOWN_NID                      ,"unknown nid"},
+{X509_R_UNKNOWN_PURPOSE_ID               ,"unknown purpose id"},
+{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
 {X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
 {X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},
+{X509_R_WRONG_TYPE                       ,"wrong type"},
 {0,NULL}
 	};
 
diff --git a/lib/libcrypto/x509/x509_ext.c b/lib/libcrypto/x509/x509_ext.c
index f8565a60b20..29559898073 100644
--- a/lib/libcrypto/x509/x509_ext.c
+++ b/lib/libcrypto/x509/x509_ext.c
@@ -63,6 +63,8 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
 
 int X509_CRL_get_ext_count(X509_CRL *x)
 	{
@@ -94,6 +96,11 @@ X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
 	return(X509v3_delete_ext(x->crl->extensions,loc));
 	}
 
+void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
+{
+	return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
+}
+
 int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
 	{
 	return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
@@ -134,6 +141,11 @@ int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
 	return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL);
 	}
 
+void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
+{
+	return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
+}
+
 int X509_REVOKED_get_ext_count(X509_REVOKED *x)
 	{
 	return(X509v3_get_ext_count(x->extensions));
@@ -170,5 +182,10 @@ int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
 	return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL);
 	}
 
+void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
+{
+	return X509V3_get_d2i(x->extensions, nid, crit, idx);
+}
+
 IMPLEMENT_STACK_OF(X509_EXTENSION)
 IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c
index 18bfecb11ed..a20006d67e2 100644
--- a/lib/libcrypto/x509/x509_lu.c
+++ b/lib/libcrypto/x509/x509_lu.c
@@ -61,8 +61,8 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 
-static STACK *x509_store_meth=NULL;
-static STACK *x509_store_ctx_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_meth=NULL;
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
 	{
@@ -244,7 +244,7 @@ void X509_STORE_free(X509_STORE *vfy)
 		}
 	sk_X509_LOOKUP_free(sk);
 
-	CRYPTO_free_ex_data(x509_store_meth,(char *)vfy,&vfy->ex_data);
+	CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
 	lh_doall(vfy->certs,cleanup);
 	lh_free(vfy->certs);
 	Free(vfy);
@@ -377,10 +377,24 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
 		abort();
 		}
 
-	tmp=(X509_OBJECT *)lh_retrieve(h,(char *)&stmp);
+	tmp=(X509_OBJECT *)lh_retrieve(h,&stmp);
 	return(tmp);
 	}
 
+X509_STORE_CTX *X509_STORE_CTX_new(void)
+{
+	X509_STORE_CTX *ctx;
+	ctx = (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
+	if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+	return ctx;
+}
+
+void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+{
+	X509_STORE_CTX_cleanup(ctx);
+	Free(ctx);
+}
+
 void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	     STACK_OF(X509) *chain)
 	{
@@ -389,6 +403,8 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->cert=x509;
 	ctx->untrusted=chain;
 	ctx->last_untrusted=0;
+	ctx->purpose=0;
+	ctx->trust=0;
 	ctx->valid=0;
 	ctx->chain=NULL;
 	ctx->depth=9;
@@ -404,7 +420,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 		sk_X509_pop_free(ctx->chain,X509_free);
 		ctx->chain=NULL;
 		}
-	CRYPTO_free_ex_data(x509_store_ctx_meth,(char *)ctx,&(ctx->ex_data));
+	CRYPTO_free_ex_data(x509_store_ctx_meth,ctx,&(ctx->ex_data));
 	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
 	}
 
diff --git a/lib/libcrypto/x509/x509_r2x.c b/lib/libcrypto/x509/x509_r2x.c
index bb4697ae60d..db051033d9b 100644
--- a/lib/libcrypto/x509/x509_r2x.c
+++ b/lib/libcrypto/x509/x509_r2x.c
@@ -82,7 +82,7 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
 
 	if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0)
 		{
-		if ((xi->version=ASN1_INTEGER_new()) == NULL) goto err;
+		if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err;
 		if (!ASN1_INTEGER_set(xi->version,2)) goto err;
 /*		xi->extensions=ri->attributes; <- bad, should not ever be done
 		ri->attributes=NULL; */
diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c
index 2ef94decd14..baef8790eb9 100644
--- a/lib/libcrypto/x509/x509_req.c
+++ b/lib/libcrypto/x509/x509_req.c
@@ -66,7 +66,7 @@
 #include <openssl/buffer.h>
 #include <openssl/pem.h>
 
-X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, EVP_MD *md)
+X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 	{
 	X509_REQ *ret;
 	X509_REQ_INFO *ri;
@@ -113,3 +113,166 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
 	return(X509_PUBKEY_get(req->req_info->pubkey));
 	}
 
+/* It seems several organisations had the same idea of including a list of
+ * extensions in a certificate request. There are at least two OIDs that are
+ * used and there may be more: so the list is configurable.
+ */
+
+static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+
+static int *ext_nids = ext_nid_list;
+
+int X509_REQ_extension_nid(int req_nid)
+{
+	int i, nid;
+	for(i = 0; ; i++) {
+		nid = ext_nids[i];
+		if(nid == NID_undef) return 0;
+		else if (req_nid == nid) return 1;
+	}
+}
+
+int *X509_REQ_get_extension_nids(void)
+{
+	return ext_nids;
+}
+	
+void X509_REQ_set_extension_nids(int *nids)
+{
+	ext_nids = nids;
+}
+
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
+{
+	X509_ATTRIBUTE *attr;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	ASN1_TYPE *ext = NULL;
+	int i;
+	unsigned char *p;
+	if ((req == NULL) || (req->req_info == NULL))
+		return(NULL);
+	sk=req->req_info->attributes;
+        if (!sk) return NULL;
+	for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+		attr = sk_X509_ATTRIBUTE_value(sk, i);
+		if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
+			if(attr->set && sk_ASN1_TYPE_num(attr->value.set))
+				ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+			else ext = attr->value.single;
+			break;
+		}
+	}
+	if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+	p = ext->value.sequence->data;
+	return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
+			ext->value.sequence->length,
+			d2i_X509_EXTENSION, X509_EXTENSION_free,
+			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
+ * in case we want to create a non standard one.
+ */
+
+int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
+				int nid)
+{
+	unsigned char *p = NULL, *q;
+	long len;
+	ASN1_TYPE *at = NULL;
+	X509_ATTRIBUTE *attr = NULL;
+	if(!(at = ASN1_TYPE_new()) ||
+		!(at->value.sequence = ASN1_STRING_new())) goto err;
+
+	at->type = V_ASN1_SEQUENCE;
+	/* Generate encoding of extensions */
+	len = i2d_ASN1_SET_OF_X509_EXTENSION(exts, NULL, i2d_X509_EXTENSION,
+			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	if(!(p = Malloc(len))) goto err;
+	q = p;
+	i2d_ASN1_SET_OF_X509_EXTENSION(exts, &q, i2d_X509_EXTENSION,
+			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+	at->value.sequence->data = p;
+	p = NULL;
+	at->value.sequence->length = len;
+	if(!(attr = X509_ATTRIBUTE_new())) goto err;
+	if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+	if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
+	at = NULL;
+	attr->set = 1;
+	attr->object = OBJ_nid2obj(nid);
+	if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
+	return 1;
+	err:
+	if(p) Free(p);
+	X509_ATTRIBUTE_free(attr);
+	ASN1_TYPE_free(at);
+	return 0;
+}
+/* This is the normal usage: use the "official" OID */
+int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
+{
+	return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
+}
+
+/* Request attribute functions */
+
+int X509_REQ_get_attr_count(const X509_REQ *req)
+{
+	return X509at_get_attr_count(req->req_info->attributes);
+}
+
+int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,
+			  int lastpos)
+{
+	return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
+}
+
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
+			  int lastpos)
+{
+	return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
+}
+
+X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
+{
+	return X509at_get_attr(req->req_info->attributes, loc);
+}
+
+X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
+{
+	return X509at_delete_attr(req->req_info->attributes, loc);
+}
+
+int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
+{
+	if(X509at_add1_attr(&req->req_info->attributes, attr)) return 1;
+	return 0;
+}
+
+int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+			ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
+				type, bytes, len)) return 1;
+	return 0;
+}
+
+int X509_REQ_add1_attr_by_NID(X509_REQ *req,
+			int nid, int type,
+			unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
+				type, bytes, len)) return 1;
+	return 0;
+}
+
+int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+			char *attrname, int type,
+			unsigned char *bytes, int len)
+{
+	if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
+				type, bytes, len)) return 1;
+	return 0;
+}
diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c
index 5a6f7b414f4..add842d17a9 100644
--- a/lib/libcrypto/x509/x509_set.c
+++ b/lib/libcrypto/x509/x509_set.c
@@ -68,7 +68,7 @@ int X509_set_version(X509 *x, long version)
 	if (x == NULL) return(0);
 	if (x->cert_info->version == NULL)
 		{
-		if ((x->cert_info->version=ASN1_INTEGER_new()) == NULL)
+		if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
 			return(0);
 		}
 	return(ASN1_INTEGER_set(x->cert_info->version,version));
@@ -82,10 +82,10 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
 	in=x->cert_info->serialNumber;
 	if (in != serial)
 		{
-		in=ASN1_INTEGER_dup(serial);
+		in=M_ASN1_INTEGER_dup(serial);
 		if (in != NULL)
 			{
-			ASN1_INTEGER_free(x->cert_info->serialNumber);
+			M_ASN1_INTEGER_free(x->cert_info->serialNumber);
 			x->cert_info->serialNumber=in;
 			}
 		}
@@ -112,10 +112,10 @@ int X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm)
 	in=x->cert_info->validity->notBefore;
 	if (in != tm)
 		{
-		in=ASN1_UTCTIME_dup(tm);
+		in=M_ASN1_UTCTIME_dup(tm);
 		if (in != NULL)
 			{
-			ASN1_UTCTIME_free(x->cert_info->validity->notBefore);
+			M_ASN1_UTCTIME_free(x->cert_info->validity->notBefore);
 			x->cert_info->validity->notBefore=in;
 			}
 		}
@@ -130,10 +130,10 @@ int X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm)
 	in=x->cert_info->validity->notAfter;
 	if (in != tm)
 		{
-		in=ASN1_UTCTIME_dup(tm);
+		in=M_ASN1_UTCTIME_dup(tm);
 		if (in != NULL)
 			{
-			ASN1_UTCTIME_free(x->cert_info->validity->notAfter);
+			M_ASN1_UTCTIME_free(x->cert_info->validity->notAfter);
 			x->cert_info->validity->notAfter=in;
 			}
 		}
diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c
index 11a3d2012fb..209cf531913 100644
--- a/lib/libcrypto/x509/x509_txt.c
+++ b/lib/libcrypto/x509/x509_txt.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
-#include <sys/types.h>
 
 #include "cryptlib.h"
 #include <openssl/lhash.h>
@@ -121,6 +120,16 @@ const char *X509_verify_cert_error_string(long n)
 		return("certificate chain too long");
 	case X509_V_ERR_CERT_REVOKED:
 		return("certificate revoked");
+	case X509_V_ERR_INVALID_CA:
+		return ("invalid CA certificate");
+	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+		return ("path length constraint exceeded");
+	case X509_V_ERR_INVALID_PURPOSE:
+		return ("unsupported certificate purpose");
+	case X509_V_ERR_CERT_UNTRUSTED:
+		return ("certificate not trusted");
+	case X509_V_ERR_CERT_REJECTED:
+		return ("certificate rejected");
 	case X509_V_ERR_APPLICATION_VERIFICATION:
 		return("application verification failure");
 	default:
diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c
index dd2f9f1b177..52887986fe3 100644
--- a/lib/libcrypto/x509/x509_v3.c
+++ b/lib/libcrypto/x509/x509_v3.c
@@ -63,6 +63,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
 	{
@@ -242,7 +243,7 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
 	int i;
 
 	if (ex == NULL) return(0);
-	i=ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
+	i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
 	if (!i) return(0);
 	return(1);
 	}
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index c72ee4a3855..4fdff54124c 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -59,23 +59,24 @@
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
 
-#include <openssl/crypto.h>
 #include "cryptlib.h"
+#include <openssl/crypto.h>
 #include <openssl/lhash.h>
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/objects.h>
 
 static int null_callback(int ok,X509_STORE_CTX *e);
+static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_trust(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
-static STACK *x509_store_ctx_method=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
 static int x509_store_ctx_num=0;
 #if 0
 static int x509_store_num=1;
@@ -127,7 +128,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		ctx->last_untrusted=1;
 		}
 
-	/* We use a temporary so we can chop and hack at it */
+	/* We use a temporary STACK so we can chop and hack at it */
 	if (ctx->untrusted != NULL
 	    && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
 		{
@@ -184,17 +185,37 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
 	i=sk_X509_num(ctx->chain);
 	x=sk_X509_value(ctx->chain,i-1);
-	if (X509_NAME_cmp(X509_get_subject_name(x),X509_get_issuer_name(x))
+	xn = X509_get_subject_name(x);
+	if (X509_NAME_cmp(xn,X509_get_issuer_name(x))
 		== 0)
 		{
 		/* we have a self signed certificate */
 		if (sk_X509_num(ctx->chain) == 1)
 			{
-			ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
-			ctx->current_cert=x;
-			ctx->error_depth=i-1;
-			ok=cb(0,ctx);
-			if (!ok) goto end;
+			/* We have a single self signed certificate: see if
+			 * we can find it in the store. We must have an exact
+			 * match to avoid possible impersonation.
+			 */
+			ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
+			if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) 
+				{
+				ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+				ctx->current_cert=x;
+				ctx->error_depth=i-1;
+				if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj);
+				ok=cb(0,ctx);
+				if (!ok) goto end;
+				}
+			else 
+				{
+				/* We have a match: replace certificate with store version
+				 * so we get any trust settings.
+				 */
+				X509_free(x);
+				x = obj.data.x509;
+				sk_X509_set(ctx->chain, i - 1, x);
+				ctx->last_untrusted=0;
+				}
 			}
 		else
 			{
@@ -272,6 +293,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		if (!ok) goto end;
 		}
 
+	/* We have the chain complete: now we need to check its purpose */
+	if(ctx->purpose > 0) ok = check_chain_purpose(ctx);
+
+	if(!ok) goto end;
+
+	/* The chain extensions are OK: check trust */
+
+	if(ctx->trust > 0) ok = check_trust(ctx);
+
+	if(!ok) goto end;
+
 	/* We may as well copy down any DSA parameters that are required */
 	X509_get_pubkey_parameters(NULL,ctx->chain);
 
@@ -290,6 +322,71 @@ end:
 	return(ok);
 	}
 
+/* Check a certificate chains extensions for consistency
+ * with the supplied purpose
+ */
+
+static int check_chain_purpose(X509_STORE_CTX *ctx)
+{
+#ifdef NO_CHAIN_VERIFY
+	return 1;
+#else
+	int i, ok=0;
+	X509 *x;
+	int (*cb)();
+	cb=ctx->ctx->verify_cb;
+	if (cb == NULL) cb=null_callback;
+	/* Check all untrusted certificates */
+	for(i = 0; i < ctx->last_untrusted; i++) {
+		x = sk_X509_value(ctx->chain, i);
+		if(!X509_check_purpose(x, ctx->purpose, i)) {
+			if(i) ctx->error = X509_V_ERR_INVALID_CA;
+			else ctx->error = X509_V_ERR_INVALID_PURPOSE;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if(!ok) goto end;
+		}
+		/* Check pathlen */
+		if((i > 1) && (x->ex_pathlen != -1)
+					&& (i > (x->ex_pathlen + 1))) {
+			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if(!ok) goto end;
+		}
+	}
+	ok = 1;
+	end:
+	return(ok);
+#endif
+}
+
+static int check_trust(X509_STORE_CTX *ctx)
+{
+#ifdef NO_CHAIN_VERIFY
+	return 1;
+#else
+	int i, ok;
+	X509 *x;
+	int (*cb)();
+	cb=ctx->ctx->verify_cb;
+	if (cb == NULL) cb=null_callback;
+/* For now just check the last certificate in the chain */
+	i = sk_X509_num(ctx->chain) - 1;
+	x = sk_X509_value(ctx->chain, i);
+	ok = X509_check_trust(x, ctx->trust, 0);
+	if(ok == X509_TRUST_TRUSTED) return 1;
+	ctx->error_depth = sk_X509_num(ctx->chain) - 1;
+	ctx->current_cert = x;
+	if(ok == X509_TRUST_REJECTED) ctx->error = X509_V_ERR_CERT_REJECTED;
+	else ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+	ok = cb(0, ctx);
+	return(ok);
+#endif
+}
+
 static int internal_verify(X509_STORE_CTX *ctx)
 	{
 	int i,ok=0,n;
@@ -439,7 +536,7 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
 	atm.length=sizeof(buff2);
 	atm.data=(unsigned char *)buff2;
 
-	X509_gmtime_adj(&atm,-offset);
+	X509_gmtime_adj(&atm,-offset*60);
 
 	i=(buff1[0]-'0')*10+(buff1[1]-'0');
 	if (i < 50) i+=100; /* cf. RFC 2459 */
@@ -525,13 +622,13 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
 
 	X509_OBJECT_up_ref_count(obj);
 
-	r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+	r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
 	if (r != NULL)
 		{ /* oops, put it back */
-		lh_delete(ctx->certs,(char *)obj);
+		lh_delete(ctx->certs,obj);
 		X509_OBJECT_free_contents(obj);
 		Free(obj);
-		lh_insert(ctx->certs,(char *)r);
+		lh_insert(ctx->certs,r);
 		X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
 		ret=0;
 		}
@@ -560,13 +657,13 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
 
 	X509_OBJECT_up_ref_count(obj);
 
-	r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+	r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
 	if (r != NULL)
 		{ /* oops, put it back */
-		lh_delete(ctx->certs,(char *)obj);
+		lh_delete(ctx->certs,obj);
 		X509_OBJECT_free_contents(obj);
 		Free(obj);
-		lh_insert(ctx->certs,(char *)r);
+		lh_insert(ctx->certs,r);
 		X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
 		ret=0;
 		}
@@ -576,8 +673,8 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
 	return(ret);	
 	}
 
-int X509_STORE_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	     int (*dup_func)(), void (*free_func)())
+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
         x509_store_ctx_num++;
         return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
@@ -620,6 +717,19 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
 	return(ctx->chain);
 	}
 
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
+	{
+	int i;
+	X509 *x;
+	STACK_OF(X509) *chain;
+	if(!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+	for(i = 0; i < sk_X509_num(chain); i++) {
+		x = sk_X509_value(chain, i);
+		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+	}
+	return(chain);
+	}
+
 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
 	{
 	ctx->cert=x;
@@ -630,6 +740,62 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 	ctx->untrusted=sk;
 	}
 
+int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
+	{
+	return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
+	}
+
+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
+	{
+	return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
+	}
+
+/* This function is used to set the X509_STORE_CTX purpose and trust
+ * values. This is intended to be used when another structure has its
+ * own trust and purpose values which (if set) will be inherited by
+ * the ctx. If they aren't set then we will usually have a default
+ * purpose in mind which should then be used to set the trust value.
+ * An example of this is SSL use: an SSL structure will have its own
+ * purpose and trust settings which the application can set: if they
+ * aren't set then we use the default of SSL client/server.
+ */
+
+int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+				int purpose, int trust)
+{
+	int idx;
+	/* If purpose not set use default */
+	if(!purpose) purpose = def_purpose;
+	/* If we have a purpose then check it is valid */
+	if(purpose) {
+		idx = X509_PURPOSE_get_by_id(purpose);
+		if(idx == -1) {
+			X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+						X509_R_UNKNOWN_PURPOSE_ID);
+			return 0;
+		}
+		/* If trust not set then get from purpose default */
+		if(!trust) {
+			X509_PURPOSE *ptmp;
+			ptmp = X509_PURPOSE_get0(idx);
+			trust = ptmp->trust;
+		}
+	}
+	if(trust) {
+		idx = X509_TRUST_get_by_id(trust);
+		if(idx == -1) {
+			X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+						X509_R_UNKNOWN_TRUST_ID);
+			return 0;
+		}
+	}
+
+	if(purpose) ctx->purpose = purpose;
+	if(trust) ctx->trust = trust;
+	return 1;
+}
+
+
 IMPLEMENT_STACK_OF(X509)
 IMPLEMENT_ASN1_SET_OF(X509)
 
diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h
index ecfd4cf9eda..4637aecedf5 100644
--- a/lib/libcrypto/x509/x509_vfy.h
+++ b/lib/libcrypto/x509/x509_vfy.h
@@ -202,6 +202,8 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 	/* The following are set by the caller */
 	X509 *cert;		/* The cert to check */
 	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */
+	int purpose;		/* purpose to check untrusted certificates */
+	int trust;		/* trust setting to check */
 
 	/* The following is built up */
 	int depth;		/* how far to go looking up certs */
@@ -234,6 +236,7 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 		X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
 
 #define		X509_V_OK					0
+/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
 
 #define		X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT		2
 #define		X509_V_ERR_UNABLE_TO_GET_CRL			3
@@ -257,6 +260,11 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE	21
 #define		X509_V_ERR_CERT_CHAIN_TOO_LONG			22
 #define		X509_V_ERR_CERT_REVOKED				23
+#define		X509_V_ERR_INVALID_CA				24
+#define		X509_V_ERR_PATH_LENGTH_EXCEEDED			25
+#define		X509_V_ERR_INVALID_PURPOSE			26
+#define		X509_V_ERR_CERT_UNTRUSTED			27
+#define		X509_V_ERR_CERT_REJECTED			28
 
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50
@@ -284,6 +292,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
+X509_STORE_CTX *X509_STORE_CTX_new(void);
+void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
 			 X509 *x509, STACK_OF(X509) *chain);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
@@ -305,6 +315,7 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
 #ifndef NO_STDIO
 int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
 int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
+int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
 #endif
 
 
@@ -327,8 +338,8 @@ int	X509_STORE_load_locations (X509_STORE *ctx,
 int	X509_STORE_set_default_paths(X509_STORE *ctx);
 #endif
 
-int X509_STORE_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	int (*dup_func)(), void (*free_func)());
+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int	X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data);
 void *	X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
 int	X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
@@ -336,8 +347,13 @@ void	X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
 int	X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
 X509 *	X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
 void	X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);
 void	X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);
+int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+				int purpose, int trust);
 
 #ifdef  __cplusplus
 }
diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c
index 2a422be3502..cf2382d42c0 100644
--- a/lib/libcrypto/x509/x509name.c
+++ b/lib/libcrypto/x509/x509name.c
@@ -171,6 +171,42 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
 	return(ret);
 	}
 
+int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
+			unsigned char *bytes, int len, int loc, int set)
+{
+	X509_NAME_ENTRY *ne;
+	int ret;
+	ne = X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);
+	if(!ne) return 0;
+	ret = X509_NAME_add_entry(name, ne, loc, set);
+	X509_NAME_ENTRY_free(ne);
+	return ret;
+}
+
+int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
+			unsigned char *bytes, int len, int loc, int set)
+{
+	X509_NAME_ENTRY *ne;
+	int ret;
+	ne = X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);
+	if(!ne) return 0;
+	ret = X509_NAME_add_entry(name, ne, loc, set);
+	X509_NAME_ENTRY_free(ne);
+	return ret;
+}
+
+int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+			unsigned char *bytes, int len, int loc, int set)
+{
+	X509_NAME_ENTRY *ne;
+	int ret;
+	ne = X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);
+	if(!ne) return 0;
+	ret = X509_NAME_add_entry(name, ne, loc, set);
+	X509_NAME_ENTRY_free(ne);
+	return ret;
+}
+
 /* if set is -1, append to previous set, 0 'a new one', and 1,
  * prepend to the guy we are about to stomp on. */
 int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
@@ -236,10 +272,30 @@ err:
 	return(0);
 	}
 
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
+		char *field, int type, unsigned char *bytes, int len)
+	{
+	ASN1_OBJECT *obj;
+	X509_NAME_ENTRY *nentry;
+
+	obj=OBJ_txt2obj(field, 0);
+	if (obj == NULL)
+		{
+		X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,
+						X509_R_INVALID_FIELD_NAME);
+		ERR_add_error_data(2, "name=", field);
+		return(NULL);
+		}
+	nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
+	ASN1_OBJECT_free(obj);
+	return nentry;
+	}
+
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 	     int type, unsigned char *bytes, int len)
 	{
 	ASN1_OBJECT *obj;
+	X509_NAME_ENTRY *nentry;
 
 	obj=OBJ_nid2obj(nid);
 	if (obj == NULL)
@@ -247,7 +303,9 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 		X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID);
 		return(NULL);
 		}
-	return(X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len));
+	nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len);
+	ASN1_OBJECT_free(obj);
+	return nentry;
 	}
 
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
@@ -267,7 +325,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
 		goto err;
 	if (!X509_NAME_ENTRY_set_data(ret,type,bytes,len))
 		goto err;
-	
+
 	if ((ne != NULL) && (*ne == NULL)) *ne=ret;
 	return(ret);
 err:
@@ -294,6 +352,10 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
 	int i;
 
 	if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0);
+	if(type & MBSTRING_FLAG) 
+		return ASN1_STRING_set_by_NID(&ne->value, bytes,
+						len, type,
+					OBJ_obj2nid(ne->object)) ? 1 : 0;
 	if (len < 0) len=strlen((char *)bytes);
 	i=ASN1_STRING_set(ne->value,bytes,len);
 	if (!i) return(0);
diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c
index f2af895df00..d2bf3c8e1c6 100644
--- a/lib/libcrypto/x509/x_all.c
+++ b/lib/libcrypto/x509/x_all.c
@@ -285,10 +285,22 @@ RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
 		(unsigned char **)(rsa)));
 	}
 
+RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_fp((char *(*)())
+		RSA_new,(char *(*)())d2i_RSA_PUBKEY, (fp),
+		(unsigned char **)(rsa)));
+	}
+
 int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
 	{
 	return(ASN1_i2d_fp(i2d_RSAPublicKey,fp,(unsigned char *)rsa));
 	}
+
+int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
+	{
+	return(ASN1_i2d_fp(i2d_RSA_PUBKEY,fp,(unsigned char *)rsa));
+	}
 #endif
 
 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
@@ -310,10 +322,22 @@ RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
 		(unsigned char **)(rsa)));
 	}
 
+RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
+	{
+	return((RSA *)ASN1_d2i_bio((char *(*)())
+		RSA_new,(char *(*)())d2i_RSA_PUBKEY, (bp),
+		(unsigned char **)(rsa)));
+	}
+
 int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
 	{
 	return(ASN1_i2d_bio(i2d_RSAPublicKey,bp,(unsigned char *)rsa));
 	}
+
+int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
+	{
+	return(ASN1_i2d_bio(i2d_RSA_PUBKEY,bp,(unsigned char *)rsa));
+	}
 #endif
 
 #ifndef NO_DSA
@@ -329,6 +353,18 @@ int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa)
 	{
 	return(ASN1_i2d_fp(i2d_DSAPrivateKey,fp,(unsigned char *)dsa));
 	}
+
+DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa)
+	{
+	return((DSA *)ASN1_d2i_fp((char *(*)())
+		DSA_new,(char *(*)())d2i_DSA_PUBKEY, (fp),
+		(unsigned char **)(dsa)));
+	}
+
+int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa)
+	{
+	return(ASN1_i2d_fp(i2d_DSA_PUBKEY,fp,(unsigned char *)dsa));
+	}
 #endif
 
 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa)
@@ -342,6 +378,19 @@ int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa)
 	{
 	return(ASN1_i2d_bio(i2d_DSAPrivateKey,bp,(unsigned char *)dsa));
 	}
+
+DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa)
+	{
+	return((DSA *)ASN1_d2i_bio((char *(*)())
+		DSA_new,(char *(*)())d2i_DSA_PUBKEY, (bp),
+		(unsigned char **)(dsa)));
+	}
+
+int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
+	{
+	return(ASN1_i2d_bio(i2d_DSA_PUBKEY,bp,(unsigned char *)dsa));
+	}
+
 #endif
 
 X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn)
@@ -362,19 +411,19 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
 		(char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
 	}
 
-int X509_digest(X509 *data, EVP_MD *type, unsigned char *md,
+int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
 	return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
 	}
 
-int X509_NAME_digest(X509_NAME *data, EVP_MD *type, unsigned char *md,
+int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
 	     unsigned int *len)
 	{
 	return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
 	}
 
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, EVP_MD *type,
+int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
 	     unsigned char *md, unsigned int *len)
 	{
 	return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,
@@ -420,6 +469,29 @@ int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
 	{
 	return(ASN1_i2d_fp(i2d_PKCS8_PRIV_KEY_INFO,fp,(unsigned char *)p8inf));
 	}
+
+int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
+	{
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	int ret;
+	p8inf = EVP_PKEY2PKCS8(key);
+	if(!p8inf) return 0;
+	ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	return ret;
+	}
+
+int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey)
+	{
+	return(ASN1_i2d_fp(i2d_PrivateKey,fp,(unsigned char *)pkey));
+	}
+
+EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
+{
+	return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new,
+		(char *(*)())d2i_AutoPrivateKey, (fp),(unsigned char **)(a)));
+}
+
 #endif
 
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -435,3 +507,25 @@ int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
 	{
 	return(ASN1_i2d_bio(i2d_PKCS8_PRIV_KEY_INFO,bp,(unsigned char *)p8inf));
 	}
+
+int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
+	{
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	int ret;
+	p8inf = EVP_PKEY2PKCS8(key);
+	if(!p8inf) return 0;
+	ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	return ret;
+	}
+
+int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey)
+	{
+	return(ASN1_i2d_bio(i2d_PrivateKey,bp,(unsigned char *)pkey));
+	}
+
+EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
+	{
+	return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
+		(char *(*)())d2i_AutoPrivateKey, (bp),(unsigned char **)(a)));
+	}
diff --git a/lib/libcrypto/x509v3/Makefile.ssl b/lib/libcrypto/x509v3/Makefile.ssl
index 72871edbc1c..1bb746d52d6 100644
--- a/lib/libcrypto/x509v3/Makefile.ssl
+++ b/lib/libcrypto/x509v3/Makefile.ssl
@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
-v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o
 
 SRC= $(LIBSRC)
 
@@ -285,6 +285,25 @@ v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
+v3_info.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_info.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_info.o: ../cryptlib.h
 v3_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3_int.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -320,7 +339,7 @@ v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h
 v3_pku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 v3_pku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -358,6 +377,24 @@ v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_purp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3_purp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_purp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_purp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_purp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_purp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
diff --git a/lib/libcrypto/x509v3/README b/lib/libcrypto/x509v3/README
index 3b2cc047beb..e69de29bb2d 100644
--- a/lib/libcrypto/x509v3/README
+++ b/lib/libcrypto/x509v3/README
@@ -1,4 +0,0 @@
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-
-This is ***VERY*** new experimental code and is likely to change
-considerably or vanish altogether.
diff --git a/lib/libcrypto/x509v3/v3_akey.c b/lib/libcrypto/x509v3/v3_akey.c
index 4099e6019e3..96c04fe4f57 100644
--- a/lib/libcrypto/x509v3/v3_akey.c
+++ b/lib/libcrypto/x509v3/v3_akey.c
@@ -129,10 +129,10 @@ AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp,
 void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
 {
 	if (a == NULL) return;
-	ASN1_OCTET_STRING_free(a->keyid);
+	M_ASN1_OCTET_STRING_free(a->keyid);
 	sk_GENERAL_NAME_pop_free(a->issuer, GENERAL_NAME_free);
-	ASN1_INTEGER_free (a->serial);
-	Free ((char *)a);
+	M_ASN1_INTEGER_free (a->serial);
+	Free (a);
 }
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
@@ -214,7 +214,7 @@ if(keyid) {
 
 if((issuer && !ikeyid) || (issuer == 2)) {
 	isname = X509_NAME_dup(X509_get_issuer_name(cert));
-	serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+	serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
 	if(!isname || !serial) {
 		X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
 		goto err;
@@ -241,8 +241,8 @@ return akeyid;
 
 err:
 X509_NAME_free(isname);
-ASN1_INTEGER_free(serial);
-ASN1_OCTET_STRING_free(ikeyid);
+M_ASN1_INTEGER_free(serial);
+M_ASN1_OCTET_STRING_free(ikeyid);
 return NULL;
 
 }
diff --git a/lib/libcrypto/x509v3/v3_alt.c b/lib/libcrypto/x509v3/v3_alt.c
index b5e1f8af960..5ccd1e0e3d4 100644
--- a/lib/libcrypto/x509v3/v3_alt.c
+++ b/lib/libcrypto/x509v3/v3_alt.c
@@ -84,7 +84,6 @@ NULL, NULL,
 (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
 (X509V3_EXT_V2I)v2i_issuer_alt,
 NULL, NULL, NULL},
-EXT_END
 };
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
@@ -273,7 +272,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
 	while((i = X509_NAME_get_index_by_NID(nm,
 					 NID_pkcs9_emailAddress, i)) > 0) {
 		ne = X509_NAME_get_entry(nm, i);
-		email = ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
+		email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
 		if(!email || !(gen = GENERAL_NAME_new())) {
 			X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
 			goto err;
@@ -293,7 +292,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
 		
 	err:
 	GENERAL_NAME_free(gen);
-	ASN1_IA5STRING_free(email);
+	M_ASN1_IA5STRING_free(email);
 	return 0;
 	
 }
@@ -371,7 +370,7 @@ if(!name_cmp(name, "email")) {
 		goto err;
 	}
 	ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4;
-	if(!(gen->d.ip = ASN1_OCTET_STRING_new()) ||
+	if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) ||
 		!ASN1_STRING_set(gen->d.ip, ip, 4)) {
 			X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
 			goto err;
@@ -384,7 +383,7 @@ if(!name_cmp(name, "email")) {
 }
 
 if(is_string) {
-	if(!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
+	if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
 		      !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
 				       strlen(value))) {
 		X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
diff --git a/lib/libcrypto/x509v3/v3_bcons.c b/lib/libcrypto/x509v3/v3_bcons.c
index de2f855c35f..1e3edc205f8 100644
--- a/lib/libcrypto/x509v3/v3_bcons.c
+++ b/lib/libcrypto/x509v3/v3_bcons.c
@@ -122,8 +122,8 @@ BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a,
 void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
 {
 	if (a == NULL) return;
-	ASN1_INTEGER_free (a->pathlen);
-	Free ((char *)a);
+	M_ASN1_INTEGER_free (a->pathlen);
+	Free (a);
 }
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
diff --git a/lib/libcrypto/x509v3/v3_bitst.c b/lib/libcrypto/x509v3/v3_bitst.c
index 9828ba15b3d..0e1167d05cd 100644
--- a/lib/libcrypto/x509v3/v3_bitst.c
+++ b/lib/libcrypto/x509v3/v3_bitst.c
@@ -61,7 +61,6 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static ASN1_BIT_STRING *asn1_bit_string_new(void);
 static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
@@ -97,11 +96,6 @@ static BIT_STRING_BITNAME key_usage_type_table[] = {
 X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
 X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
 
-static ASN1_BIT_STRING *asn1_bit_string_new(void)
-{
-	return ASN1_BIT_STRING_new();
-}
-
 static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 	     ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
 {
@@ -120,7 +114,7 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 	ASN1_BIT_STRING *bs;
 	int i;
 	BIT_STRING_BITNAME *bnam;
-	if(!(bs = ASN1_BIT_STRING_new())) {
+	if(!(bs = M_ASN1_BIT_STRING_new())) {
 		X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
@@ -137,7 +131,7 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 			X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
 					X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
 			X509V3_conf_err(val);
-			ASN1_BIT_STRING_free(bs);
+			M_ASN1_BIT_STRING_free(bs);
 			return NULL;
 		}
 	}
diff --git a/lib/libcrypto/x509v3/v3_conf.c b/lib/libcrypto/x509v3/v3_conf.c
index f19bb3ad841..b2f03010cce 100644
--- a/lib/libcrypto/x509v3/v3_conf.c
+++ b/lib/libcrypto/x509v3/v3_conf.c
@@ -170,13 +170,13 @@ static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
 	if(!(ext_der = Malloc(ext_len))) goto merr;
 	p = ext_der;
 	method->i2d(ext_struc, &p);
-	if(!(ext_oct = ASN1_OCTET_STRING_new())) goto merr;
+	if(!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
 	ext_oct->data = ext_der;
 	ext_oct->length = ext_len;
 	
 	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
 	if(!ext) goto merr;
-	ASN1_OCTET_STRING_free(ext_oct);
+	M_ASN1_OCTET_STRING_free(ext_oct);
 
 	return ext;
 
@@ -220,7 +220,7 @@ static int v3_check_generic(char **value)
 	return 1;
 }
 
-/* Create a generic extension: for now just handle RAW type */
+/* Create a generic extension: for now just handle DER type */
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
 	     int crit, int type)
 {
@@ -241,7 +241,7 @@ if(!(ext_der = string_to_hex(value, &ext_len))) {
 	goto err;
 }
 
-if(!(oct = ASN1_OCTET_STRING_new())) {
+if(!(oct = M_ASN1_OCTET_STRING_new())) {
 	X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
 	goto err;
 }
@@ -254,7 +254,7 @@ extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
 
 err:
 ASN1_OBJECT_free(obj);
-ASN1_OCTET_STRING_free(oct);
+M_ASN1_OCTET_STRING_free(oct);
 if(ext_der) Free(ext_der);
 return extension;
 }
@@ -302,6 +302,30 @@ int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
 	return 1;
 }
 
+/* Add extensions to certificate request */
+
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+	     X509_REQ *req)
+{
+	X509_EXTENSION *ext;
+	STACK_OF(X509_EXTENSION) *extlist = NULL;
+	STACK_OF(CONF_VALUE) *nval;
+	CONF_VALUE *val;	
+	int i;
+	if(!(nval = CONF_get_section(conf, section))) return 0;
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+								return 0;
+		if(!extlist) extlist = sk_X509_EXTENSION_new_null();
+		sk_X509_EXTENSION_push(extlist, ext);
+	}
+	if(req) i = X509_REQ_add_extensions(req, extlist);
+	else i = 1;
+	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
+	return i;
+}
+
 /* Config database functions */
 
 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
diff --git a/lib/libcrypto/x509v3/v3_cpols.c b/lib/libcrypto/x509v3/v3_cpols.c
index b4d48835451..466713b50d9 100644
--- a/lib/libcrypto/x509v3/v3_cpols.c
+++ b/lib/libcrypto/x509v3/v3_cpols.c
@@ -169,7 +169,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
 			if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
 								 goto merr;
 			qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
-			qual->d.cpsuri = ASN1_IA5STRING_new();
+			qual->d.cpsuri = M_ASN1_IA5STRING_new();
 			if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
 						 strlen(cnf->value))) goto merr;
 		} else if(!name_cmp(cnf->name, "userNotice")) {
@@ -229,7 +229,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
 	for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
 		cnf = sk_CONF_VALUE_value(unot, i);
 		if(!strcmp(cnf->name, "explicitText")) {
-			not->exptext = ASN1_VISIBLESTRING_new();
+			not->exptext = M_ASN1_VISIBLESTRING_new();
 			if(!ASN1_STRING_set(not->exptext, cnf->value,
 						 strlen(cnf->value))) goto merr;
 		} else if(!strcmp(cnf->name, "organization")) {
@@ -238,8 +238,8 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
 				if(!(nref = NOTICEREF_new())) goto merr;
 				not->noticeref = nref;
 			} else nref = not->noticeref;
-			if(ia5org) nref->organization = ASN1_IA5STRING_new();
-			else nref->organization = ASN1_VISIBLESTRING_new();
+			if(ia5org) nref->organization = M_ASN1_IA5STRING_new();
+			else nref->organization = M_ASN1_VISIBLESTRING_new();
 			if(!ASN1_STRING_set(nref->organization, cnf->value,
 						 strlen(cnf->value))) goto merr;
 		} else if(!strcmp(cnf->name, "noticeNumbers")) {
@@ -538,7 +538,7 @@ void POLICYQUALINFO_free(POLICYQUALINFO *a)
 	if (a == NULL) return;
 	switch(OBJ_obj2nid(a->pqualid)) {
 		case NID_id_qt_cps:
-		ASN1_IA5STRING_free(a->d.cpsuri);
+		M_ASN1_IA5STRING_free(a->d.cpsuri);
 		break;
 
 		case NID_id_qt_unotice:
@@ -596,7 +596,7 @@ void USERNOTICE_free(USERNOTICE *a)
 {
 	if (a == NULL) return;
 	NOTICEREF_free(a->noticeref);
-	DISPLAYTEXT_free(a->exptext);
+	M_DISPLAYTEXT_free(a->exptext);
 	Free (a);
 }
 
@@ -646,7 +646,7 @@ NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp,long length)
 void NOTICEREF_free(NOTICEREF *a)
 {
 	if (a == NULL) return;
-	DISPLAYTEXT_free(a->organization);
+	M_DISPLAYTEXT_free(a->organization);
 	sk_pop_free(a->noticenos, ASN1_STRING_free);
 	Free (a);
 }
diff --git a/lib/libcrypto/x509v3/v3_crld.c b/lib/libcrypto/x509v3/v3_crld.c
index 897ffb63e4a..e459d2595ac 100644
--- a/lib/libcrypto/x509v3/v3_crld.c
+++ b/lib/libcrypto/x509v3/v3_crld.c
@@ -211,20 +211,20 @@ void DIST_POINT_free(DIST_POINT *a)
 {
 	if (a == NULL) return;
 	DIST_POINT_NAME_free(a->distpoint);
-	ASN1_BIT_STRING_free(a->reasons);
+	M_ASN1_BIT_STRING_free(a->reasons);
 	sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
-	Free ((char *)a);
+	Free (a);
 }
 
 int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
 {
-	int v = 0;
 	M_ASN1_I2D_vars(a);
 
 	if(a->fullname) {
 		M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
 	} else {
-		M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+		M_ASN1_I2D_len_IMP_SET_opt_type(X509_NAME_ENTRY,
+				a->relativename, i2d_X509_NAME_ENTRY, 1);
 	}
 
 	/* Don't want a SEQUENCE so... */
@@ -234,7 +234,8 @@ int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
 	if(a->fullname) {
 		M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
 	} else {
-		M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+		M_ASN1_I2D_put_IMP_SET_opt_type(X509_NAME_ENTRY,
+				a->relativename, i2d_X509_NAME_ENTRY, 1);
 	}
 	M_ASN1_I2D_finish();
 }
@@ -253,9 +254,9 @@ DIST_POINT_NAME *DIST_POINT_NAME_new(void)
 void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
 {
 	if (a == NULL) return;
-	X509_NAME_free(a->relativename);
+	sk_X509_NAME_ENTRY_pop_free(a->relativename, X509_NAME_ENTRY_free);
 	sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
-	Free ((char *)a);
+	Free (a);
 }
 
 DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
@@ -273,7 +274,8 @@ DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
 		M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
 							V_ASN1_SEQUENCE);
 	} else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
-		M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1);
+		M_ASN1_D2I_get_IMP_set_opt_type (X509_NAME_ENTRY,
+			ret->relativename, d2i_X509_NAME_ENTRY, X509_NAME_ENTRY_free, 1);
 	} else {
 		c.error = ASN1_R_BAD_TAG;
 		goto err;
diff --git a/lib/libcrypto/x509v3/v3_enum.c b/lib/libcrypto/x509v3/v3_enum.c
index db423548ff0..aecfdc87f82 100644
--- a/lib/libcrypto/x509v3/v3_enum.c
+++ b/lib/libcrypto/x509v3/v3_enum.c
@@ -60,8 +60,6 @@
 #include "cryptlib.h"
 #include <openssl/x509v3.h>
 
-static ASN1_ENUMERATED *asn1_enumerated_new(void);
-
 static ENUMERATED_NAMES crl_reasons[] = {
 {0, "Unspecified", "unspecified"},
 {1, "Key Compromise", "keyCompromise"},
@@ -76,20 +74,15 @@ static ENUMERATED_NAMES crl_reasons[] = {
 
 X509V3_EXT_METHOD v3_crl_reason = { 
 NID_crl_reason, 0,
-(X509V3_EXT_NEW)asn1_enumerated_new,
-(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_NEW)ASN1_ENUMERATED_new,
+(X509V3_EXT_FREE)ASN1_ENUMERATED_free,
 (X509V3_EXT_D2I)d2i_ASN1_ENUMERATED,
 (X509V3_EXT_I2D)i2d_ASN1_ENUMERATED,
 (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
-(X509V3_EXT_S2I)NULL,
+(X509V3_EXT_S2I)0,
 NULL, NULL, NULL, NULL, crl_reasons};
 
 
-static ASN1_ENUMERATED *asn1_enumerated_new(void)
-{
-	return ASN1_ENUMERATED_new();
-}
-
 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
 	     ASN1_ENUMERATED *e)
 {
diff --git a/lib/libcrypto/x509v3/v3_genn.c b/lib/libcrypto/x509v3/v3_genn.c
index af716232f8b..894afa7e036 100644
--- a/lib/libcrypto/x509v3/v3_genn.c
+++ b/lib/libcrypto/x509v3/v3_genn.c
@@ -88,12 +88,15 @@ int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp)
 
 	switch(a->type) {
 
-		case GEN_OTHERNAME:
 		case GEN_X400:
 		case GEN_EDIPARTY:
 		ret = i2d_ASN1_TYPE(a->d.other, pp);
 		break;
 
+		case GEN_OTHERNAME:
+		ret = i2d_OTHERNAME(a->d.otherName, pp);
+		break;
+
 		case GEN_EMAIL:
 		case GEN_DNS:
 		case GEN_URI:
@@ -137,12 +140,15 @@ GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp,
 
 	switch(ret->type) {
 		/* Just put these in a "blob" for now */
-		case GEN_OTHERNAME:
 		case GEN_X400:
 		case GEN_EDIPARTY:
 		M_ASN1_D2I_get_imp(ret->d.other, d2i_ASN1_TYPE,V_ASN1_SEQUENCE);
 		break;
 
+		case GEN_OTHERNAME:
+		M_ASN1_D2I_get_imp(ret->d.otherName, d2i_OTHERNAME,V_ASN1_SEQUENCE);
+		break;
+
 		case GEN_EMAIL:
 		case GEN_DNS:
 		case GEN_URI:
@@ -176,17 +182,20 @@ void GENERAL_NAME_free(GENERAL_NAME *a)
 {
 	if (a == NULL) return;
 	switch(a->type) {
-		case GEN_OTHERNAME:
 		case GEN_X400:
 		case GEN_EDIPARTY:
 		ASN1_TYPE_free(a->d.other);
 		break;
 
+		case GEN_OTHERNAME:
+		OTHERNAME_free(a->d.otherName);
+		break;
+
 		case GEN_EMAIL:
 		case GEN_DNS:
 		case GEN_URI:
 
-		ASN1_IA5STRING_free(a->d.ia5);
+		M_ASN1_IA5STRING_free(a->d.ia5);
 		break;
 
 		case GEN_DIRNAME:
@@ -194,7 +203,7 @@ void GENERAL_NAME_free(GENERAL_NAME *a)
 		break;
 
 		case GEN_IPADD:
-		ASN1_OCTET_STRING_free(a->d.ip);
+		M_ASN1_OCTET_STRING_free(a->d.ip);
 		break;
 	
 		case GEN_RID:
@@ -202,11 +211,11 @@ void GENERAL_NAME_free(GENERAL_NAME *a)
 		break;
 
 	}
-	Free ((char *)a);
+	Free (a);
 }
 
-/* Now the GeneralNames versions: a SEQUENCE OF GeneralName These are needed as
- * an explicit functions.
+/* Now the GeneralNames versions: a SEQUENCE OF GeneralName. These are needed as
+ * explicit functions.
  */
 
 STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new()
@@ -235,3 +244,48 @@ return i2d_ASN1_SET_OF_GENERAL_NAME(a, pp, i2d_GENERAL_NAME, V_ASN1_SEQUENCE,
 IMPLEMENT_STACK_OF(GENERAL_NAME)
 IMPLEMENT_ASN1_SET_OF(GENERAL_NAME)
 
+int i2d_OTHERNAME(OTHERNAME *a, unsigned char **pp)
+{
+	int v = 0;
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len(a->type_id, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len_EXP_opt(a->value, i2d_ASN1_TYPE, 0, v);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put(a->type_id, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put_EXP_opt(a->value, i2d_ASN1_TYPE, 0, v);
+
+	M_ASN1_I2D_finish();
+}
+
+OTHERNAME *OTHERNAME_new(void)
+{
+	OTHERNAME *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, OTHERNAME);
+	ret->type_id = OBJ_nid2obj(NID_undef);
+	M_ASN1_New(ret->value, ASN1_TYPE_new);
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_OTHERNAME_NEW);
+}
+
+OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,OTHERNAME *,OTHERNAME_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->type_id, d2i_ASN1_OBJECT);
+	M_ASN1_D2I_get_EXP_opt(ret->value, d2i_ASN1_TYPE, 0);
+	M_ASN1_D2I_Finish(a, OTHERNAME_free, ASN1_F_D2I_OTHERNAME);
+}
+
+void OTHERNAME_free(OTHERNAME *a)
+{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->type_id);
+	ASN1_TYPE_free(a->value);
+	Free (a);
+}
+
diff --git a/lib/libcrypto/x509v3/v3_ia5.c b/lib/libcrypto/x509v3/v3_ia5.c
index 3446c5cd6a6..af3525f33e7 100644
--- a/lib/libcrypto/x509v3/v3_ia5.c
+++ b/lib/libcrypto/x509v3/v3_ia5.c
@@ -63,7 +63,6 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static ASN1_IA5STRING *ia5string_new(void);
 static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 X509V3_EXT_METHOD v3_ns_ia5_list[] = { 
@@ -78,11 +77,6 @@ EXT_END
 };
 
 
-static ASN1_IA5STRING *ia5string_new(void)
-{
-	return ASN1_IA5STRING_new();
-}
-
 static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 	     ASN1_IA5STRING *ia5)
 {
@@ -102,12 +96,15 @@ static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 		X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
 		return NULL;
 	}
-	if(!(ia5 = ASN1_IA5STRING_new())) goto err;
+	if(!(ia5 = M_ASN1_IA5STRING_new())) goto err;
 	if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
 			    strlen(str))) {
-		ASN1_IA5STRING_free(ia5);
+		M_ASN1_IA5STRING_free(ia5);
 		goto err;
 	}
+#ifdef CHARSET_EBCDIC
+        ebcdic2ascii(ia5->data, ia5->data, ia5->length);
+#endif /*CHARSET_EBCDIC*/
 	return ia5;
 	err:
 	X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
diff --git a/lib/libcrypto/x509v3/v3_int.c b/lib/libcrypto/x509v3/v3_int.c
index 637dd5e1288..63c201e5f40 100644
--- a/lib/libcrypto/x509v3/v3_int.c
+++ b/lib/libcrypto/x509v3/v3_int.c
@@ -60,20 +60,13 @@
 #include "cryptlib.h"
 #include <openssl/x509v3.h>
 
-static ASN1_INTEGER *asn1_integer_new(void);
-
 X509V3_EXT_METHOD v3_crl_num = { 
 NID_crl_number, 0,
-(X509V3_EXT_NEW)asn1_integer_new,
-(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_NEW)ASN1_INTEGER_new,
+(X509V3_EXT_FREE)ASN1_INTEGER_free,
 (X509V3_EXT_D2I)d2i_ASN1_INTEGER,
 (X509V3_EXT_I2D)i2d_ASN1_INTEGER,
 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-(X509V3_EXT_S2I)NULL,
+(X509V3_EXT_S2I)0,
 NULL, NULL, NULL, NULL, NULL};
 
-
-static ASN1_INTEGER *asn1_integer_new(void)
-{
-	return ASN1_INTEGER_new();
-}
diff --git a/lib/libcrypto/x509v3/v3_lib.c b/lib/libcrypto/x509v3/v3_lib.c
index a0aa5de794d..4242d130a2c 100644
--- a/lib/libcrypto/x509v3/v3_lib.c
+++ b/lib/libcrypto/x509v3/v3_lib.c
@@ -62,6 +62,8 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
+#include "ext_dat.h"
+
 static STACK *ext_list = NULL;
 
 static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b);
@@ -87,10 +89,15 @@ static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b)
 
 X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
 {
-	X509V3_EXT_METHOD tmp;
+	X509V3_EXT_METHOD tmp, *t = &tmp, **ret;
 	int idx;
+	if(nid < 0) return NULL;
 	tmp.ext_nid = nid;
-	if(!ext_list || (tmp.ext_nid < 0) ) return NULL;
+	ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t,
+			(char *)standard_exts, STANDARD_EXTENSION_COUNT,
+			sizeof(X509V3_EXT_METHOD *), (int (*)())ext_cmp);
+	if(ret) return *ret;
+	if(!ext_list) return NULL;
 	idx = sk_find(ext_list, (char *)&tmp);
 	if(idx == -1) return NULL;
 	return (X509V3_EXT_METHOD *)sk_value(ext_list, idx);
@@ -125,7 +132,7 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
 	*tmpext = *ext;
 	tmpext->ext_nid = nid_to;
 	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
-	return 1;
+	return X509V3_EXT_add(tmpext);
 }
 
 void X509V3_EXT_cleanup(void)
@@ -139,28 +146,12 @@ static void ext_list_free(X509V3_EXT_METHOD *ext)
 	if(ext->ext_flags & X509V3_EXT_DYNAMIC) Free(ext);
 }
 
-extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
-extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+/* Legacy function: we don't need to add standard extensions
+ * any more because they are now kept in ext_dat.h.
+ */
 
 int X509V3_add_standard_extensions(void)
 {
-	X509V3_EXT_add_list(v3_ns_ia5_list);
-	X509V3_EXT_add_list(v3_alt);
-	X509V3_EXT_add(&v3_bcons);
-	X509V3_EXT_add(&v3_nscert);
-	X509V3_EXT_add(&v3_key_usage);
-	X509V3_EXT_add(&v3_ext_ku);
-	X509V3_EXT_add(&v3_skey_id);
-	X509V3_EXT_add(&v3_akey_id);
-	X509V3_EXT_add(&v3_pkey_usage_period);
-	X509V3_EXT_add(&v3_crl_num);
-	X509V3_EXT_add(&v3_sxnet);
-	X509V3_EXT_add(&v3_crl_reason);
-	X509V3_EXT_add(&v3_cpols);
-	X509V3_EXT_add(&v3_crld);
 	return 1;
 }
 
@@ -175,3 +166,56 @@ void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 	return method->d2i(NULL, &p, ext->value->length);
 }
 
+/* Get critical flag and decoded version of extension from a NID.
+ * The "idx" variable returns the last found extension and can
+ * be used to retrieve multiple extensions of the same NID.
+ * However multiple extensions with the same NID is usually
+ * due to a badly encoded certificate so if idx is NULL we
+ * choke if multiple extensions exist.
+ * The "crit" variable is set to the critical value.
+ * The return value is the decoded extension or NULL on
+ * error. The actual error can have several different causes,
+ * the value of *crit reflects the cause:
+ * >= 0, extension found but not decoded (reflects critical value).
+ * -1 extension not found.
+ * -2 extension occurs more than once.
+ */
+
+void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
+{
+	int lastpos, i;
+	X509_EXTENSION *ex, *found_ex = NULL;
+	if(!x) {
+		if(idx) *idx = -1;
+		if(crit) *crit = -1;
+		return NULL;
+	}
+	if(idx) lastpos = *idx + 1;
+	else lastpos = 0;
+	if(lastpos < 0) lastpos = 0;
+	for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++)
+	{
+		ex = sk_X509_EXTENSION_value(x, i);
+		if(OBJ_obj2nid(ex->object) == nid) {
+			if(idx) {
+				*idx = i;
+				break;
+			} else if(found_ex) {
+				/* Found more than one */
+				if(crit) *crit = -2;
+				return NULL;
+			}
+			found_ex = ex;
+		}
+	}
+	if(found_ex) {
+		/* Found it */
+		if(crit) *crit = found_ex->critical;
+		return X509V3_EXT_d2i(found_ex);
+	}
+	
+	/* Extension not found */
+	if(idx) *idx = -1;
+	if(crit) *crit = -1;
+	return NULL;
+}
diff --git a/lib/libcrypto/x509v3/v3_pku.c b/lib/libcrypto/x509v3/v3_pku.c
index c13e7d8f45b..30a62c6090f 100644
--- a/lib/libcrypto/x509v3/v3_pku.c
+++ b/lib/libcrypto/x509v3/v3_pku.c
@@ -119,9 +119,9 @@ PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a,
 void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
 {
 	if (a == NULL) return;
-	ASN1_GENERALIZEDTIME_free(a->notBefore);
-	ASN1_GENERALIZEDTIME_free(a->notAfter);
-	Free ((char *)a);
+	M_ASN1_GENERALIZEDTIME_free(a->notBefore);
+	M_ASN1_GENERALIZEDTIME_free(a->notAfter);
+	Free (a);
 }
 
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
diff --git a/lib/libcrypto/x509v3/v3_prn.c b/lib/libcrypto/x509v3/v3_prn.c
index dc20c6bdba6..bee624c6be9 100644
--- a/lib/libcrypto/x509v3/v3_prn.c
+++ b/lib/libcrypto/x509v3/v3_prn.c
@@ -81,7 +81,15 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
 		nval = sk_CONF_VALUE_value(val, i);
 		if(!nval->name) BIO_puts(out, nval->value);
 		else if(!nval->value) BIO_puts(out, nval->name);
+#ifndef CHARSET_EBCDIC
 		else BIO_printf(out, "%s:%s", nval->name, nval->value);
+#else
+		else {
+			char tmp[10240]; /* 10k is BIO_printf's limit anyway */
+			ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1);
+			BIO_printf(out, "%s:%s", nval->name, tmp);
+		}
+#endif
 		if(ml) BIO_puts(out, "\n");
 	}
 }
@@ -103,7 +111,15 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
 			ok = 0;
 			goto err;
 		}
+#ifndef CHARSET_EBCDIC
 		BIO_printf(out, "%*s%s", indent, "", value);
+#else
+		{
+			char tmp[10240]; /* 10k is BIO_printf's limit anyway */
+			ascii2ebcdic(tmp, value, strlen(value)+1);
+			BIO_printf(out, "%*s%s", indent, "", tmp);
+		}
+#endif
 	} else if(method->i2v) {
 		if(!(nval = method->i2v(method, ext_str, NULL))) {
 			ok = 0;
diff --git a/lib/libcrypto/x509v3/v3_skey.c b/lib/libcrypto/x509v3/v3_skey.c
index fb3e36014d6..939845fa8f8 100644
--- a/lib/libcrypto/x509v3/v3_skey.c
+++ b/lib/libcrypto/x509v3/v3_skey.c
@@ -61,24 +61,17 @@
 #include "cryptlib.h"
 #include <openssl/x509v3.h>
 
-static ASN1_OCTET_STRING *octet_string_new(void);
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 X509V3_EXT_METHOD v3_skey_id = { 
 NID_subject_key_identifier, 0,
-(X509V3_EXT_NEW)octet_string_new,
-(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_NEW)ASN1_OCTET_STRING_new,
+(X509V3_EXT_FREE)ASN1_OCTET_STRING_free,
 (X509V3_EXT_D2I)d2i_ASN1_OCTET_STRING,
 (X509V3_EXT_I2D)i2d_ASN1_OCTET_STRING,
 (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
 (X509V3_EXT_S2I)s2i_skey_id,
 NULL, NULL, NULL, NULL, NULL};
 
-
-static ASN1_OCTET_STRING *octet_string_new(void)
-{
-	return ASN1_OCTET_STRING_new();
-}
-
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
 	     ASN1_OCTET_STRING *oct)
 {
@@ -91,13 +84,13 @@ ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
 	ASN1_OCTET_STRING *oct;
 	long length;
 
-	if(!(oct = ASN1_OCTET_STRING_new())) {
+	if(!(oct = M_ASN1_OCTET_STRING_new())) {
 		X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 
 	if(!(oct->data = string_to_hex(str, &length))) {
-		ASN1_OCTET_STRING_free(oct);
+		M_ASN1_OCTET_STRING_free(oct);
 		return NULL;
 	}
 
@@ -118,7 +111,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 
 	if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
 
-	if(!(oct = ASN1_OCTET_STRING_new())) {
+	if(!(oct = M_ASN1_OCTET_STRING_new())) {
 		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
@@ -143,7 +136,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 	EVP_DigestUpdate(&md, pk->data, pk->length);
 	EVP_DigestFinal(&md, pkey_dig, &diglen);
 
-	if(!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+	if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
 		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
@@ -151,6 +144,6 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 	return oct;
 	
 	err:
-	ASN1_OCTET_STRING_free(oct);
+	M_ASN1_OCTET_STRING_free(oct);
 	return NULL;
 }
diff --git a/lib/libcrypto/x509v3/v3_sxnet.c b/lib/libcrypto/x509v3/v3_sxnet.c
index 0687bb4e3d0..20ba8ac8d6b 100644
--- a/lib/libcrypto/x509v3/v3_sxnet.c
+++ b/lib/libcrypto/x509v3/v3_sxnet.c
@@ -111,7 +111,7 @@ SXNET *SXNET_new(void)
 	SXNET *ret=NULL;
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, SXNET);
-	M_ASN1_New(ret->version,ASN1_INTEGER_new);
+	M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
 	M_ASN1_New(ret->ids,sk_SXNETID_new_null);
 	return (ret);
 	M_ASN1_New_Error(ASN1_F_SXNET_NEW);
@@ -130,7 +130,7 @@ SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length)
 void SXNET_free(SXNET *a)
 {
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->version);
+	M_ASN1_INTEGER_free(a->version);
 	sk_SXNETID_pop_free(a->ids, SXNETID_free);
 	Free (a);
 }
@@ -156,7 +156,7 @@ SXNETID *SXNETID_new(void)
 	ASN1_CTX c;
 	M_ASN1_New_Malloc(ret, SXNETID);
 	ret->zone = NULL;
-	M_ASN1_New(ret->user,ASN1_OCTET_STRING_new);
+	M_ASN1_New(ret->user,M_ASN1_OCTET_STRING_new);
 	return (ret);
 	M_ASN1_New_Error(ASN1_F_SXNETID_NEW);
 }
@@ -174,8 +174,8 @@ SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length)
 void SXNETID_free(SXNETID *a)
 {
 	if (a == NULL) return;
-	ASN1_INTEGER_free(a->zone);
-	ASN1_OCTET_STRING_free(a->user);
+	M_ASN1_INTEGER_free(a->zone);
+	M_ASN1_OCTET_STRING_free(a->user);
 	Free (a);
 }
 
@@ -193,7 +193,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
 		tmp = i2s_ASN1_INTEGER(NULL, id->zone);
 		BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
 		Free(tmp);
-		ASN1_OCTET_STRING_print(out, id->user);
+		M_ASN1_OCTET_STRING_print(out, id->user);
 	}
 	return 1;
 }
@@ -244,9 +244,9 @@ int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
 	     int userlen)
 {
 	ASN1_INTEGER *izone = NULL;
-	if(!(izone = ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+	if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
 		X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
-		ASN1_INTEGER_free(izone);
+		M_ASN1_INTEGER_free(izone);
 		return 0;
 	}
 	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
@@ -285,7 +285,7 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
 	if(!(id = SXNETID_new())) goto err;
 	if(userlen == -1) userlen = strlen(user);
 		
-	if(!ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
+	if(!M_ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
 	if(!sk_SXNETID_push(sx->ids, id)) goto err;
 	id->zone = zone;
 	return 1;
@@ -307,7 +307,7 @@ ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
 		return NULL;
 	}
 	oct = SXNET_get_id_INTEGER(sx, izone);
-	ASN1_INTEGER_free(izone);
+	M_ASN1_INTEGER_free(izone);
 	return oct;
 }
 
@@ -315,13 +315,13 @@ ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
 {
 	ASN1_INTEGER *izone = NULL;
 	ASN1_OCTET_STRING *oct;
-	if(!(izone = ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+	if(!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
 		X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
-		ASN1_INTEGER_free(izone);
+		M_ASN1_INTEGER_free(izone);
 		return NULL;
 	}
 	oct = SXNET_get_id_INTEGER(sx, izone);
-	ASN1_INTEGER_free(izone);
+	M_ASN1_INTEGER_free(izone);
 	return oct;
 }
 
@@ -331,7 +331,7 @@ ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
 	int i;
 	for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
 		id = sk_SXNETID_value(sx->ids, i);
-		if(!ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
+		if(!M_ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
 	}
 	return NULL;
 }
diff --git a/lib/libcrypto/x509v3/v3_utl.c b/lib/libcrypto/x509v3/v3_utl.c
index 40f71c71b4f..4c2c4a94839 100644
--- a/lib/libcrypto/x509v3/v3_utl.c
+++ b/lib/libcrypto/x509v3/v3_utl.c
@@ -104,7 +104,7 @@ void X509V3_conf_free(CONF_VALUE *conf)
 	if(conf->name) Free(conf->name);
 	if(conf->value) Free(conf->value);
 	if(conf->section) Free(conf->section);
-	Free((char *)conf);
+	Free(conf);
 }
 
 int X509V3_add_value_bool(const char *name, int asn1_bool,
diff --git a/lib/libcrypto/x509v3/v3err.c b/lib/libcrypto/x509v3/v3err.c
index 50efa8d99d8..b7d4e350c43 100644
--- a/lib/libcrypto/x509v3/v3err.c
+++ b/lib/libcrypto/x509v3/v3err.c
@@ -72,6 +72,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),	"I2V_AUTHORITY_INFO_ACCESS"},
 {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0),	"NOTICE_SECTION"},
 {ERR_PACK(0,X509V3_F_NREF_NOS,0),	"NREF_NOS"},
 {ERR_PACK(0,X509V3_F_POLICY_SECTION,0),	"POLICY_SECTION"},
@@ -87,6 +88,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),	"SXNET_add_id_ulong"},
 {ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),	"SXNET_get_id_asc"},
 {ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),	"SXNET_get_id_ulong"},
+{ERR_PACK(0,X509V3_F_V2I_ACCESS_DESCRIPTION,0),	"V2I_ACCESS_DESCRIPTION"},
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
 {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
@@ -102,6 +104,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0),	"X509V3_EXT_i2d"},
 {ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),	"X509V3_get_value_bool"},
 {ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
+{ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),	"X509_PURPOSE_add"},
 {0,NULL}
 	};
 
@@ -132,6 +135,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
+{X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
 {X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
 {X509V3_R_MISSING_VALUE                  ,"missing value"},
 {X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
diff --git a/lib/libcrypto/x509v3/x509v3.h b/lib/libcrypto/x509v3/x509v3.h
index 4eb04a5a89c..fe01755797b 100644
--- a/lib/libcrypto/x509v3/x509v3.h
+++ b/lib/libcrypto/x509v3/x509v3.h
@@ -136,12 +136,6 @@ typedef struct v3_ext_ctx X509V3_CTX;
 #define X509V3_EXT_CTX_DEP	0x2
 #define X509V3_EXT_MULTILINE	0x4
 
-typedef struct BIT_STRING_BITNAME_st {
-int bitnum;
-const char *lname;
-const char *sname;
-} BIT_STRING_BITNAME;
-
 typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
 
 typedef struct BASIC_CONSTRAINTS_st {
@@ -155,6 +149,11 @@ ASN1_GENERALIZEDTIME *notBefore;
 ASN1_GENERALIZEDTIME *notAfter;
 } PKEY_USAGE_PERIOD;
 
+typedef struct otherName_st {
+ASN1_OBJECT *type_id;
+ASN1_TYPE *value;
+} OTHERNAME;
+
 typedef struct GENERAL_NAME_st {
 
 #define GEN_OTHERNAME	(0|V_ASN1_CONTEXT_SPECIFIC)
@@ -174,17 +173,26 @@ union {
 	ASN1_OCTET_STRING *ip; /* iPAddress */
 	X509_NAME *dirn;		/* dirn */
 	ASN1_OBJECT *rid; /* registeredID */
-	ASN1_TYPE *other; /* otherName, ediPartyName, x400Address */
+	OTHERNAME *otherName; /* otherName */
+	ASN1_TYPE *other; /* ediPartyName, x400Address */
 } d;
 } GENERAL_NAME;
 
+typedef struct ACCESS_DESCRIPTION_st {
+ASN1_OBJECT *method;
+GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
 DECLARE_STACK_OF(GENERAL_NAME)
 DECLARE_ASN1_SET_OF(GENERAL_NAME)
 
+DECLARE_STACK_OF(ACCESS_DESCRIPTION)
+DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
+
 typedef struct DIST_POINT_NAME_st {
 /* NB: this is a CHOICE type and only one of these should be set */
 STACK_OF(GENERAL_NAME) *fullname;
-X509_NAME *relativename;
+STACK_OF(X509_NAME_ENTRY) *relativename;
 } DIST_POINT_NAME;
 
 typedef struct DIST_POINT_st {
@@ -255,8 +263,8 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define X509V3_set_ctx_nodb(ctx) ctx->db = NULL;
 
 #define EXT_BITSTRING(nid, table) { nid, 0, \
-			(X509V3_EXT_NEW)asn1_bit_string_new, \
-			(X509V3_EXT_FREE)ASN1_STRING_free, \
+			(X509V3_EXT_NEW)ASN1_BIT_STRING_new, \
+			(X509V3_EXT_FREE)ASN1_BIT_STRING_free, \
 			(X509V3_EXT_D2I)d2i_ASN1_BIT_STRING, \
 			(X509V3_EXT_I2D)i2d_ASN1_BIT_STRING, \
 			NULL, NULL, \
@@ -266,8 +274,8 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 			(char *)table}
 
 #define EXT_IA5STRING(nid) { nid, 0, \
-			(X509V3_EXT_NEW)ia5string_new, \
-			(X509V3_EXT_FREE)ASN1_STRING_free, \
+			(X509V3_EXT_NEW)ASN1_IA5STRING_new, \
+			(X509V3_EXT_FREE)ASN1_IA5STRING_free, \
 			(X509V3_EXT_D2I)d2i_ASN1_IA5STRING, \
 			(X509V3_EXT_I2D)i2d_ASN1_IA5STRING, \
 			(X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
@@ -279,6 +287,69 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 			 NULL, NULL, NULL, NULL, \
 			 NULL}
 
+
+/* X509_PURPOSE stuff */
+
+#define EXFLAG_BCONS		0x1
+#define EXFLAG_KUSAGE		0x2
+#define EXFLAG_XKUSAGE		0x4
+#define EXFLAG_NSCERT		0x8
+
+#define EXFLAG_CA		0x10
+#define EXFLAG_SS		0x20
+#define EXFLAG_V1		0x40
+#define EXFLAG_INVALID		0x80
+#define EXFLAG_SET		0x100
+
+#define KU_DIGITAL_SIGNATURE	0x0080
+#define KU_NON_REPUDIATION	0x0040
+#define KU_KEY_ENCIPHERMENT	0x0020
+#define KU_DATA_ENCIPHERMENT	0x0010
+#define KU_KEY_AGREEMENT	0x0008
+#define KU_KEY_CERT_SIGN	0x0004
+#define KU_CRL_SIGN		0x0002
+#define KU_ENCIPHER_ONLY	0x0001
+#define KU_DECIPHER_ONLY	0x8000
+
+#define NS_SSL_CLIENT		0x80
+#define NS_SSL_SERVER		0x40
+#define NS_SMIME		0x20
+#define NS_OBJSIGN		0x10
+#define NS_SSL_CA		0x04
+#define NS_SMIME_CA		0x02
+#define NS_OBJSIGN_CA		0x01
+
+#define XKU_SSL_SERVER		0x1	
+#define XKU_SSL_CLIENT		0x2
+#define XKU_SMIME		0x4
+#define XKU_CODE_SIGN		0x8
+#define XKU_SGC			0x10
+
+#define X509_PURPOSE_DYNAMIC	0x1
+#define X509_PURPOSE_DYNAMIC_NAME	0x2
+
+typedef struct x509_purpose_st {
+	int purpose;
+	int trust;		/* Default trust ID */
+	int flags;
+	int (*check_purpose)(struct x509_purpose_st *, X509 *, int);
+	char *name;
+	char *sname;
+	void *usr_data;
+} X509_PURPOSE;
+
+#define X509_PURPOSE_SSL_CLIENT		1
+#define X509_PURPOSE_SSL_SERVER		2
+#define X509_PURPOSE_NS_SSL_SERVER	3
+#define X509_PURPOSE_SMIME_SIGN		4
+#define X509_PURPOSE_SMIME_ENCRYPT	5
+#define X509_PURPOSE_CRL_SIGN		6
+
+#define X509_PURPOSE_MIN		1
+#define X509_PURPOSE_MAX		6
+
+DECLARE_STACK_OF(X509_PURPOSE)
+
 void ERR_load_X509V3_strings(void);
 int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp);
 BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, unsigned char **pp, long length);
@@ -328,6 +399,11 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
 STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
 				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
+int i2d_OTHERNAME(OTHERNAME *a, unsigned char **pp);
+OTHERNAME *OTHERNAME_new(void);
+OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, unsigned char **pp, long length);
+void OTHERNAME_free(OTHERNAME *a);
+
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 
@@ -380,12 +456,27 @@ void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
 DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
              long length);
 
+int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp);
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a);
+ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
+             long length);
+
+STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void);
+void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a);
+STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
+					 unsigned char **pp, long length);
+int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp);
+
+
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
 int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
 int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
 int X509V3_add_value_bool_nf(char *name, int asn1_bool,
 						STACK_OF(CONF_VALUE) **extlist);
@@ -423,6 +514,8 @@ X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line);
 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
+
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
 
 char *hex_to_string(unsigned char *buffer, long len);
@@ -434,6 +527,20 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
 int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 
+int X509_check_purpose(X509 *x, int id, int ca);
+int X509_PURPOSE_get_count(void);
+X509_PURPOSE * X509_PURPOSE_get0(int idx);
+int X509_PURPOSE_get_by_sname(char *sname);
+int X509_PURPOSE_get_by_id(int id);
+int X509_PURPOSE_add(int id, int trust, int flags,
+			int (*ck)(X509_PURPOSE *, X509 *, int),
+				char *name, char *sname, void *arg);
+char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
+char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
+int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
+void X509_PURPOSE_cleanup(void);
+int X509_PURPOSE_get_id(X509_PURPOSE *);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -449,6 +556,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 #define X509V3_F_HEX_TO_STRING				 111
 #define X509V3_F_I2S_ASN1_ENUMERATED			 121
 #define X509V3_F_I2S_ASN1_INTEGER			 120
+#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS		 138
 #define X509V3_F_NOTICE_SECTION				 132
 #define X509V3_F_NREF_NOS				 133
 #define X509V3_F_POLICY_SECTION				 131
@@ -464,6 +572,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 #define X509V3_F_SXNET_ADD_ID_ULONG			 127
 #define X509V3_F_SXNET_GET_ID_ASC			 128
 #define X509V3_F_SXNET_GET_ID_ULONG			 129
+#define X509V3_F_V2I_ACCESS_DESCRIPTION			 139
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
 #define X509V3_F_V2I_AUTHORITY_KEYID			 119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
@@ -479,6 +588,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 #define X509V3_F_X509V3_EXT_I2D				 136
 #define X509V3_F_X509V3_GET_VALUE_BOOL			 110
 #define X509V3_F_X509V3_PARSE_LIST			 109
+#define X509V3_F_X509_PURPOSE_ADD			 137
 
 /* Reason codes. */
 #define X509V3_R_BAD_IP_ADDRESS				 118
@@ -506,6 +616,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 #define X509V3_R_INVALID_OPTION				 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
 #define X509V3_R_INVALID_SECTION			 135
+#define X509V3_R_INVALID_SYNTAX				 143
 #define X509V3_R_ISSUER_DECODE_ERROR			 126
 #define X509V3_R_MISSING_VALUE				 124
 #define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS		 142
diff --git a/lib/libssl/LICENSE b/lib/libssl/LICENSE
index b9e18d5e7bf..bdd5f7bdd09 100644
--- a/lib/libssl/LICENSE
+++ b/lib/libssl/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/lib/libssl/bio_ssl.c b/lib/libssl/bio_ssl.c
index f62cde4e5d5..d73c41adcdc 100644
--- a/lib/libssl/bio_ssl.c
+++ b/lib/libssl/bio_ssl.c
@@ -71,6 +71,7 @@ static int ssl_puts(BIO *h,char *str);
 static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2);
 static int ssl_new(BIO *h);
 static int ssl_free(BIO *data);
+static long ssl_callback_ctrl(BIO *h,int cmd,void (*fp)());
 typedef struct bio_ssl_st
 	{
 	SSL *ssl; /* The ssl handle :-) */
@@ -92,6 +93,7 @@ static BIO_METHOD methods_sslp=
 	ssl_ctrl,
 	ssl_new,
 	ssl_free,
+	ssl_callback_ctrl,
 	};
 
 BIO_METHOD *BIO_f_ssl(void)
@@ -444,7 +446,14 @@ static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr)
 		ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
 		break;
 	case BIO_CTRL_SET_CALLBACK:
-		SSL_set_info_callback(ssl,(void (*)())ptr);
+		{
+#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
+		BIOerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		ret = -1;
+#else
+		ret=0;
+#endif
+		}
 		break;
 	case BIO_CTRL_GET_CALLBACK:
 		{
@@ -461,6 +470,28 @@ static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr)
 	return(ret);
 	}
 
+static long ssl_callback_ctrl(BIO *b, int cmd, void (*fp)())
+	{
+	SSL *ssl;
+	BIO_SSL *bs;
+	long ret=1;
+
+	bs=(BIO_SSL *)b->ptr;
+	ssl=bs->ssl;
+	switch (cmd)
+		{
+	case BIO_CTRL_SET_CALLBACK:
+		{
+		SSL_set_info_callback(ssl,fp);
+		}
+		break;
+	default:
+		ret=BIO_callback_ctrl(ssl->rbio,cmd,fp);
+		break;
+		}
+	return(ret);
+	}
+
 static int ssl_puts(BIO *bp, char *str)
 	{
 	int n,ret;
diff --git a/lib/libssl/doc/openssl.cnf b/lib/libssl/doc/openssl.cnf
index d70dd25622b..dbe8cbefe0e 100644
--- a/lib/libssl/doc/openssl.cnf
+++ b/lib/libssl/doc/openssl.cnf
@@ -3,8 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
-oid_file		= $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 
 # To use this configuration file with the "-extfile" option of the
@@ -86,6 +91,22 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
 countryName_default		= AU
@@ -170,8 +191,16 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
 
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
 [ v3_ca ]
 
+
 # Extensions for a typical CA
 
 
@@ -200,10 +229,11 @@ basicConstraints = CA:true
 # Copy issuer details
 # issuerAltName=issuer:copy
 
-# RAW DER hex encoding of an extension: beware experts only!
-# 1.2.3.5=RAW:02:03
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
 # You can even override a supported extension:
-# basicConstraints= critical, RAW:30:03:01:01:FF
+# basicConstraints= critical, DER:30:03:01:01:FF
 
 [ crl_ext ]
 
diff --git a/lib/libssl/doc/openssl.txt b/lib/libssl/doc/openssl.txt
index 91b85e5f14c..880eace4da8 100644
--- a/lib/libssl/doc/openssl.txt
+++ b/lib/libssl/doc/openssl.txt
@@ -1,53 +1,12 @@
 
 This is some preliminary documentation for OpenSSL.
 
-==============================================================================
-                            BUFFER Library
-==============================================================================
-
-The buffer library handles simple character arrays. Buffers are used for
-various purposes in the library, most notably memory BIOs.
-
-The library uses the BUF_MEM structure defined in buffer.h:
-
-typedef struct buf_mem_st
-{
-        int length;     /* current number of bytes */
-        char *data;
-        int max;        /* size of buffer */
-} BUF_MEM;
-
-'length' is the current size of the buffer in bytes, 'max' is the amount of
-memory allocated to the buffer. There are three functions which handle these
-and one "miscellaneous" function.
-
-BUF_MEM *BUF_MEM_new()
-
-This allocates a new buffer of zero size. Returns the buffer or NULL on error.
-
-void BUF_MEM_free(BUF_MEM *a)
-
-This frees up an already existing buffer. The data is zeroed before freeing
-up in case the buffer contains sensitive data.
-
-int BUF_MEM_grow(BUF_MEM *str, int len)
-
-This changes the size of an already existing buffer. It returns zero on error
-or the new size (i.e. 'len'). Any data already in the buffer is preserved if
-it increases in size.
-
-char * BUF_strdup(char *str)
+Contents:
 
-This is the previously mentioned strdup function: like the standard library
-strdup() it copies a null terminated string into a block of allocated memory
-and returns a pointer to the allocated block.
+ OpenSSL X509V3 extension configuration
+ X509V3 Extension code: programmers guide
+ PKCS#12 Library
 
-Unlike the standard C library strdup() this function uses Malloc() and so
-should be used in preference to the standard library strdup() because it can
-be used for memory leak checking or replacing the malloc() function.
-
-The memory allocated from BUF_strdup() should be freed up using the Free()
-function.
 
 ==============================================================================
                OpenSSL X509V3 extension configuration
@@ -188,7 +147,7 @@ email.1=steve@here
 email.2=steve@there
 
 This is because the configuration file code cannot handle the same name
-occurring twice in the same extension.
+occurring twice in the same section.
 
 The syntax of raw extensions is governed by the extension code: it can
 for example contain data in multiple sections. The correct syntax to
@@ -315,6 +274,41 @@ TRUE. An end user certificate MUST NOT have the CA value set to true.
 According to PKIX recommendations it should exclude the extension entirely,
 however some software may require CA set to FALSE for end entity certificates.
 
+Extended Key Usage.
+
+This extensions consists of a list of usages.
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In particular the
+following PKIX, NS and MS values are meaningful:
+
+Value			Meaning
+-----			-------
+serverAuth		SSL/TLS Web Server Authentication.
+clientAuth		SSL/TLS Web Client Authentication.
+codeSigning		Code signing.
+emailProtection		E-mail Protection (S/MIME).
+timeStamping		Trusted Timestamping
+msCodeInd		Microsoft Individual Code Signing (authenticode)
+msCodeCom		Microsoft Commercial Code Signing (authenticode)
+msCTLSign		Microsoft Trust List Signing
+msSGC			Microsoft Server Gated Crypto
+msEFS			Microsoft Encrypted File System
+nsSGC			Netscape Server Gated Crypto
+
+For example, under IE5 a CA can be used for any purpose: by including a list
+of the above usages the CA can be restricted to only authorised uses.
+
+Note: software packages may place additional interpretations on certificate 
+use, in particular some usages may only work for selected CAs. Don't for example
+expect just including msSGC or nsSGC will automatically mean that a certificate
+can be used for SGC ("step up" encryption) otherwise anyone could use it.
+
+Examples:
+
+extendedKeyUsage=critical,codeSigning,1.2.3.4
+extendedKeyUsage=nsSGC,msSGC
+
 Subject Key Identifier.
 
 This is really a string extension and can take two possible values. Either
@@ -459,16 +453,16 @@ extension in a human or machine readable form.
 
 1. Initialisation and cleanup.
 
-X509V3_add_standard_extensions();
-
-This function should be called before any other extension code. It adds support
-for some common PKIX and Netscape extensions. Additional custom extensions can
-be added as well (see later).
+No special initialisation is needed before calling the extension functions.
+You used to have to call X509V3_add_standard_extensions(); but this is no longer
+required and this function no longer does anything.
 
 void X509V3_EXT_cleanup(void);
 
-This function should be called last to cleanup the extension code. After this
-call no other extension calls should be made.
+This function should be called to cleanup the extension code if any custom
+extensions have been added. If no custom extensions have been added then this
+call does nothing. After this call all custom extension code is freed up but
+you can still use the standard extensions.
 
 2. Printing and parsing extensions.
 
@@ -512,7 +506,7 @@ or CRL is due to be signed. Both return 0 on error on non zero for success.
 In each case 'conf' is the LHASH pointer of the configuration file to use
 and 'section' is the section containing the extension details.
 
-See the 'context functions' section for a description of the ctx paramater.
+See the 'context functions' section for a description of the ctx parameter.
 
 
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
@@ -531,7 +525,7 @@ takes the NID of the extension rather than its name.
 For example to produce basicConstraints with the CA flag and a path length of
 10:
 
-x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10");
+x = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,"CA:TRUE,pathlen:10");
 
 
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
@@ -659,7 +653,7 @@ The same as above but for an unsigned character value.
 int X509V3_add_value_bool(const char *name, int asn1_bool,
 						STACK_OF(CONF_VALUE) **extlist);
 
-This adds either "TRUE" or "FALSE" depending on the value of 'ans1_bool'
+This adds either "TRUE" or "FALSE" depending on the value of 'asn1_bool'
 
 int X509V3_add_value_bool_nf(char *name, int asn1_bool,
 						STACK_OF(CONF_VALUE) **extlist);
@@ -686,7 +680,7 @@ Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
 or return a STACK_OF(CONF_VALUE).
 
 Raw extensions are just passed a BIO or a value and it is the extensions
-responsiblity to handle all the necessary printing.
+responsibility to handle all the necessary printing.
 
 There are two ways to add an extension. One is simply as an alias to an already
 existing extension. An alias is an extension that is identical in ASN1 structure
@@ -811,7 +805,7 @@ int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent);
 
 This function is passed the internal extension structure in the ext parameter
 and sends out a human readable version of the extension to out. The 'indent'
-paremeter should be noted to determine the necessary amount of indentation
+parameter should be noted to determine the necessary amount of indentation
 needed on the output.
 
 void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
@@ -882,7 +876,7 @@ d2i_PKCS12_fp(fp, p12)
 
 This is the same but for a FILE pointer.
 
-3. Parsing and creation functions.
+3. High level functions.
 
 3.1 Parsing with PKCS12_parse().
 
@@ -920,6 +914,14 @@ p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0);
 i2d_PKCS12_fp(fp, p12);
 PKCS12_free(p12);
 
+3.3 Changing a PKCS#12 structure password.
+
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
+
+This changes the password of an already existing PKCS#12 structure. oldpass
+is the old password and newpass is the new one. An error occurs if the old
+password is incorrect.
+
 LOW LEVEL FUNCTIONS.
 
 In some cases the high level functions do not provide the necessary
diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c
index 299d2ae5d28..aaedf6a9bbc 100644
--- a/lib/libssl/s23_clnt.c
+++ b/lib/libssl/s23_clnt.c
@@ -68,8 +68,10 @@ static int ssl23_client_hello(SSL *s);
 static int ssl23_get_server_hello(SSL *s);
 static SSL_METHOD *ssl23_get_client_method(int ver)
 	{
+#ifndef NO_SSL2
 	if (ver == SSL2_VERSION)
 		return(SSLv2_client_method());
+#endif
 	if (ver == SSL3_VERSION)
 		return(SSLv3_client_method());
 	else if (ver == TLS1_VERSION)
@@ -102,7 +104,7 @@ int ssl23_connect(SSL *s)
 	int ret= -1;
 	int new_state,state;
 
-	RAND_seed(&Time,sizeof(Time));
+	RAND_add(&Time,sizeof(Time),0);
 	ERR_clear_error();
 	clear_sys_error();
 
@@ -222,7 +224,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		RAND_bytes(p,SSL3_RANDOM_SIZE);
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
 
 		/* Do the message type and length last */
 		d= &(buf[2]);
@@ -283,7 +285,7 @@ static int ssl23_client_hello(SSL *s)
 			i=ch_len;
 		s2n(i,d);
 		memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-		RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+		RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
 		memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
 		p+=i;
 
@@ -307,7 +309,7 @@ static int ssl23_get_server_hello(SSL *s)
 	{
 	char buf[8];
 	unsigned char *p;
-	int i,ch_len;
+	int i;
 	int n;
 
 	n=ssl23_read_bytes(s,7);
@@ -320,9 +322,14 @@ static int ssl23_get_server_hello(SSL *s)
 	if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
 		(p[5] == 0x00) && (p[6] == 0x02))
 		{
+#ifdef NO_SSL2
+		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+		goto err;
+#else
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3 setup and put in the
 		 * sslv2 stuff. */
+		int ch_len;
 
 		if (s->options & SSL_OP_NO_SSLv2)
 			{
@@ -375,6 +382,7 @@ static int ssl23_get_server_hello(SSL *s)
 
 		s->method=SSLv2_client_method();
 		s->handshake_func=s->method->ssl_connect;
+#endif
 		}
 	else if ((p[0] == SSL3_RT_HANDSHAKE) &&
 		 (p[1] == SSL3_VERSION_MAJOR) &&
diff --git a/lib/libssl/s23_lib.c b/lib/libssl/s23_lib.c
index 822a3958372..dded7a19c5a 100644
--- a/lib/libssl/s23_lib.c
+++ b/lib/libssl/s23_lib.c
@@ -67,7 +67,7 @@ static int ssl23_write(SSL *s, const void *buf, int len);
 static long ssl23_default_timeout(void );
 static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
 static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
-char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
+const char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
 
 static SSL_METHOD SSLv23_data= {
 	TLS1_VERSION,
@@ -92,6 +92,9 @@ static SSL_METHOD SSLv23_data= {
 	ssl_bad_method,
 	ssl23_default_timeout,
 	&ssl3_undef_enc_method,
+	ssl_undefined_function,
+	ssl3_callback_ctrl,
+	ssl3_ctx_callback_ctrl,
 	};
 
 static long ssl23_default_timeout(void)
@@ -106,7 +109,11 @@ SSL_METHOD *sslv23_base_method(void)
 
 static int ssl23_num_ciphers(void)
 	{
-	return(ssl3_num_ciphers()+ssl2_num_ciphers());
+	return(ssl3_num_ciphers()
+#ifndef NO_SSL2
+	       + ssl2_num_ciphers()
+#endif
+	    );
 	}
 
 static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
@@ -116,7 +123,11 @@ static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
 	if (u < uu)
 		return(ssl3_get_cipher(u));
 	else
+#ifndef NO_SSL2
 		return(ssl2_get_cipher(u-uu));
+#else
+		return(NULL);
+#endif
 	}
 
 /* This function needs to check if the ciphers required are actually
@@ -132,8 +143,10 @@ static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
 		((unsigned long)p[1]<<8L)|(unsigned long)p[2];
 	c.id=id;
 	cp=ssl3_get_cipher_by_char(p);
+#ifndef NO_SSL2
 	if (cp == NULL)
 		cp=ssl2_get_cipher_by_char(p);
+#endif
 	return(cp);
 	}
 
diff --git a/lib/libssl/s23_pkt.c b/lib/libssl/s23_pkt.c
index 8370ea508c7..f45e1ce3d80 100644
--- a/lib/libssl/s23_pkt.c
+++ b/lib/libssl/s23_pkt.c
@@ -89,7 +89,7 @@ int ssl23_write_bytes(SSL *s)
 		}
 	}
 
-/* only return when we have read 'n' bytes */
+/* return regularly only when we have read (at least) 'n' bytes */
 int ssl23_read_bytes(SSL *s, int n)
 	{
 	unsigned char *p;
diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c
index e4122f2d78d..6a3bbb10b95 100644
--- a/lib/libssl/s23_srvr.c
+++ b/lib/libssl/s23_srvr.c
@@ -67,8 +67,10 @@ static SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
 static SSL_METHOD *ssl23_get_server_method(int ver)
 	{
+#ifndef NO_SSL2
 	if (ver == SSL2_VERSION)
 		return(SSLv2_server_method());
+#endif
 	if (ver == SSL3_VERSION)
 		return(SSLv3_server_method());
 	else if (ver == TLS1_VERSION)
@@ -101,7 +103,7 @@ int ssl23_accept(SSL *s)
 	int ret= -1;
 	int new_state,state;
 
-	RAND_seed(&Time,sizeof(Time));
+	RAND_add(&Time,sizeof(Time),0);
 	ERR_clear_error();
 	clear_sys_error();
 
@@ -186,23 +188,39 @@ end:
 
 int ssl23_get_client_hello(SSL *s)
 	{
-	char buf_space[8];
+	char buf_space[11]; /* Request this many bytes in initial read.
+	                     * We can detect SSL 3.0/TLS 1.0 Client Hellos
+	                     * ('type == 3') correctly only when the following
+	                     * is in a single record, which is not guaranteed by
+	                     * the protocol specification:
+	                     * Byte  Content
+	                     *  0     type            \
+	                     *  1/2   version          > record header
+	                     *  3/4   length          /
+	                     *  5     msg_type        \
+	                     *  6-8   length           > Client Hello message
+	                     *  9/10  client_version  /
+	                     */
 	char *buf= &(buf_space[0]);
 	unsigned char *p,*d,*dd;
 	unsigned int i;
 	unsigned int csl,sil,cl;
-	int n=0,j,tls1=0;
-	int type=0,use_sslv2_strong=0;
+	int n=0,j;
+	int type=0;
 	int v[2];
+#ifndef NO_RSA
+	int use_sslv2_strong=0;
+#endif
 
-	/* read the initial header */
-	v[0]=v[1]=0;
 	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
 		{
+		/* read the initial header */
+		v[0]=v[1]=0;
+
 		if (!ssl3_setup_buffers(s)) goto err;
 
-		n=ssl23_read_bytes(s,7);
-		if (n != 7) return(n); /* n == -1 || n == 0 */
+		n=ssl23_read_bytes(s, sizeof buf_space);
+		if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */
 
 		p=s->packet;
 
@@ -210,7 +228,9 @@ int ssl23_get_client_hello(SSL *s)
 
 		if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
 			{
-			/* SSLv2 header */
+			/*
+			 * SSLv2 header
+			 */
 			if ((p[3] == 0x00) && (p[4] == 0x02))
 				{
 				v[0]=p[3]; v[1]=p[4];
@@ -226,11 +246,14 @@ int ssl23_get_client_hello(SSL *s)
 					{
 					if (!(s->options & SSL_OP_NO_TLSv1))
 						{
-						tls1=1;
+						s->version=TLS1_VERSION;
+						/* type=2; */ /* done later to survive restarts */
 						s->state=SSL23_ST_SR_CLNT_HELLO_B;
 						}
 					else if (!(s->options & SSL_OP_NO_SSLv3))
 						{
+						s->version=SSL3_VERSION;
+						/* type=2; */
 						s->state=SSL23_ST_SR_CLNT_HELLO_B;
 						}
 					else if (!(s->options & SSL_OP_NO_SSLv2))
@@ -239,12 +262,26 @@ int ssl23_get_client_hello(SSL *s)
 						}
 					}
 				else if (!(s->options & SSL_OP_NO_SSLv3))
+					{
+					s->version=SSL3_VERSION;
+					/* type=2; */
 					s->state=SSL23_ST_SR_CLNT_HELLO_B;
+					}
 				else if (!(s->options & SSL_OP_NO_SSLv2))
 					type=1;
 
 				if (s->options & SSL_OP_NON_EXPORT_FIRST)
+					/* Not only utterly confusing, but broken
+					 * ('fractured programming'?) -- the details
+					 * of this block nearly make it work
+					 * as intended in this environment, but on one
+					 * of the fine points (w.r.t. restarts) it fails.
+					 * The obvious fix would be even more devastating
+					 * to program structure; if you want the functionality,
+					 * throw this away and implement it in a way
+					 * that makes sense */
 					{
+#if 0
 					STACK_OF(SSL_CIPHER) *sk;
 					SSL_CIPHER *c;
 					int ne2,ne3;
@@ -294,27 +331,51 @@ int ssl23_get_client_hello(SSL *s)
 							goto next_bit;
 							}
 						}
+#else
+					SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION);
+					goto err;
+#endif
 					}
 				}
 			}
 		else if ((p[0] == SSL3_RT_HANDSHAKE) &&
 			 (p[1] == SSL3_VERSION_MAJOR) &&
-			 (p[5] == SSL3_MT_CLIENT_HELLO))
+			 (p[5] == SSL3_MT_CLIENT_HELLO) &&
+			 ((p[3] == 0 && p[4] < 5 /* silly record length? */)
+				|| (p[9] == p[1])))
 			{
-			v[0]=p[1]; v[1]=p[2];
-			/* true SSLv3 or tls1 */
-			if (p[2] >= TLS1_VERSION_MINOR)
+			/*
+			 * SSLv3 or tls1 header
+			 */
+			
+			v[0]=p[1]; /* major version */
+			/* We must look at client_version inside the Client Hello message
+			 * to get the correct minor version: */
+			v[1]=p[10];
+			/* However if we have only a pathologically small fragment of the
+			 * Client Hello message, we simply use the version from the
+			 * record header -- this is incorrect but unlikely to fail in
+			 * practice */
+			if (p[3] == 0 && p[4] < 6)
+				v[1]=p[2];
+			if (v[1] >= TLS1_VERSION_MINOR)
 				{
 				if (!(s->options & SSL_OP_NO_TLSv1))
 					{
+					s->version=TLS1_VERSION;
 					type=3;
-					tls1=1;
 					}
 				else if (!(s->options & SSL_OP_NO_SSLv3))
+					{
+					s->version=SSL3_VERSION;
 					type=3;
+					}
 				}
 			else if (!(s->options & SSL_OP_NO_SSLv3))
+				{
+				s->version=SSL3_VERSION;
 				type=3;
+				}
 			}
 		else if ((strncmp("GET ", (char *)p,4) == 0) ||
 			 (strncmp("POST ",(char *)p,5) == 0) ||
@@ -331,12 +392,16 @@ int ssl23_get_client_hello(SSL *s)
 			}
 		}
 
-next_bit:
 	if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
 		{
-		/* we have a SSLv3/TLSv1 in a SSLv2 header */
+		/* we have SSLv3/TLSv1 in an SSLv2 header
+		 * (other cases skip this state) */
+
 		type=2;
 		p=s->packet;
+		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
+		v[1] = p[4];
+
 		n=((p[0]&0x7f)<<8)|p[1];
 		if (n > (1024*4))
 			{
@@ -361,14 +426,11 @@ next_bit:
 			goto err;
 			}
 
-		*(d++)=SSL3_VERSION_MAJOR;
-		if (tls1)
-			*(d++)=TLS1_VERSION_MINOR;
-		else
-			*(d++)=SSL3_VERSION_MINOR;
+		*(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
+		*(d++) = v[1];
 
 		/* lets populate the random area */
-		/* get the chalenge_length */
+		/* get the challenge_length */
 		i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl;
 		memset(d,0,SSL3_RANDOM_SIZE);
 		memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i);
@@ -402,8 +464,15 @@ next_bit:
 		s->s3->tmp.message_size=i;
 		}
 
+	/* imaginary new state (for program structure): */
+	/* s->state = SSL23_SR_CLNT_HELLO_C */
+
 	if (type == 1)
 		{
+#ifdef NO_SSL2
+		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+		goto err;
+#else
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
 		 * sslv2 stuff. */
@@ -431,7 +500,7 @@ next_bit:
 		else
 			s->s2->ssl2_rollback=1;
 
-		/* setup the 5 bytes we have read so we get them from
+		/* setup the n bytes we have read so we get them from
 		 * the sslv2 buffer */
 		s->rstate=SSL_ST_READ_HEADER;
 		s->packet_length=n;
@@ -442,11 +511,12 @@ next_bit:
 
 		s->method=SSLv2_server_method();
 		s->handshake_func=s->method->ssl_accept;
+#endif
 		}
 
 	if ((type == 2) || (type == 3))
 		{
-		/* we have SSLv3/TLSv1 */
+		/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
 
 		if (!ssl_init_wbio_buffer(s,1)) goto err;
 
@@ -471,17 +541,13 @@ next_bit:
 			s->s3->rbuf.offset=0;
 			}
 
-		if (tls1)
-			{
-			s->version=TLS1_VERSION;
-			s->method=TLSv1_server_method();
-			}
+		if (s->version == TLS1_VERSION)
+			s->method = TLSv1_server_method();
 		else
-			{
-			s->version=SSL3_VERSION;
-			s->method=SSLv3_server_method();
-			}
+			s->method = SSLv3_server_method();
+#if 0 /* ssl3_get_client_hello does this */
 		s->client_version=(v[0]<<8)|v[1];
+#endif
 		s->handshake_func=s->method->ssl_accept;
 		}
 	
@@ -500,4 +566,3 @@ err:
 	if (buf != buf_space) Free(buf);
 	return(-1);
 	}
-
diff --git a/lib/libssl/s3_both.c b/lib/libssl/s3_both.c
index f3f27715d57..03e0c38770b 100644
--- a/lib/libssl/s3_both.c
+++ b/lib/libssl/s3_both.c
@@ -55,7 +55,61 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
+#include <string.h>
 #include <stdio.h>
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
@@ -64,8 +118,27 @@
 #include <openssl/x509.h>
 #include "ssl_locl.h"
 
-int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,
-	     int slen)
+/* send s->init_buf in records of type 'type' */
+int ssl3_do_write(SSL *s, int type)
+	{
+	int ret;
+
+	ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
+	                     s->init_num);
+	if (ret < 0) return(-1);
+	if (type == SSL3_RT_HANDSHAKE)
+		/* should not be done for 'Hello Request's, but in that case
+		 * we'll ignore the result anyway */
+		ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
+	
+	if (ret == s->init_num)
+		return(1);
+	s->init_off+=ret;
+	s->init_num-=ret;
+	return(0);
+	}
+
+int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
 	{
 	unsigned char *p,*d;
 	int i;
@@ -79,7 +152,9 @@ int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,
 		i=s->method->ssl3_enc->final_finish_mac(s,
 			&(s->s3->finish_dgst1),
 			&(s->s3->finish_dgst2),
-			sender,slen,p);
+			sender,slen,s->s3->tmp.finish_md);
+		s->s3->tmp.finish_md_len = i;
+		memcpy(p, s->s3->tmp.finish_md, i);
 		p+=i;
 		l=i;
 
@@ -109,7 +184,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
 	unsigned char *p;
 
 	/* the mac has already been generated when we received the
-	 * change cipher spec message and is in s->s3->tmp.in_dgst[12]
+	 * change cipher spec message and is in s->s3->tmp.peer_finish_md
 	 */ 
 
 	n=ssl3_get_message(s,
@@ -121,7 +196,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
 
 	if (!ok) return((int)n);
 
-	/* If this occurs if we has missed a message */
+	/* If this occurs, we have missed a message */
 	if (!s->s3->change_cipher_spec)
 		{
 		al=SSL_AD_UNEXPECTED_MESSAGE;
@@ -130,9 +205,8 @@ int ssl3_get_finished(SSL *s, int a, int b)
 		}
 	s->s3->change_cipher_spec=0;
 
-	p=(unsigned char *)s->init_buf->data;
-
-	i=s->method->ssl3_enc->finish_mac_length;
+	p = (unsigned char *)s->init_buf->data;
+	i = s->s3->tmp.peer_finish_md_len;
 
 	if (i != n)
 		{
@@ -141,7 +215,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
 		goto f_err;
 		}
 
-	if (memcmp(  p,    (char *)&(s->s3->tmp.finish_md[0]),i) != 0)
+	if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
 		{
 		al=SSL_AD_DECRYPT_ERROR;
 		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
@@ -255,6 +329,11 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
 	return(l);
 	}
 
+/* Obtain handshake message of message type 'mt' (any if mt == -1),
+ * maximum acceptable body length 'max'.
+ * The first four bytes (msg_type and length) are read in state 'st1',
+ * the body is read in state 'stn'.
+ */
 long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 	{
 	unsigned char *p;
@@ -277,15 +356,38 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
 	p=(unsigned char *)s->init_buf->data;
 
-	if (s->state == st1)
+	if (s->state == st1) /* s->init_num < 4 */
 		{
-		i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
-				  4-s->init_num);
-		if (i < (4-s->init_num))
+		int skip_message;
+
+		do
 			{
-			*ok=0;
-			return(ssl3_part_read(s,i));
+			while (s->init_num < 4)
+				{
+				i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
+					4 - s->init_num);
+				if (i <= 0)
+					{
+					s->rwstate=SSL_READING;
+					*ok = 0;
+					return i;
+					}
+				s->init_num+=i;
+				}
+			
+			skip_message = 0;
+			if (!s->server)
+				if (p[0] == SSL3_MT_HELLO_REQUEST)
+					/* The server may always send 'Hello Request' messages --
+					 * we are doing a handshake anyway now, so ignore them
+					 * if their format is correct. Does not count for
+					 * 'Finished' MAC. */
+					if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
+						skip_message = 1;
 			}
+		while (skip_message);
+
+		/* s->init_num == 4 */
 
 		if ((mt >= 0) && (*p != mt))
 			{
@@ -293,6 +395,20 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
 			goto f_err;
 			}
+		if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
+					(st1 == SSL3_ST_SR_CERT_A) &&
+					(stn == SSL3_ST_SR_CERT_B))
+			{
+			/* At this point we have got an MS SGC second client
+			 * hello (maybe we should always allow the client to
+			 * start a new handshake?). We need to restart the mac.
+			 * Don't increment {num,total}_renegotiations because
+			 * we have not completed the handshake. */
+			ssl3_init_finished_mac(s);
+			}
+
+		ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 4);
+			
 		s->s3->tmp.message_type= *(p++);
 
 		n2l3(p,l);
@@ -316,17 +432,21 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 	/* next state (stn) */
 	p=(unsigned char *)s->init_buf->data;
 	n=s->s3->tmp.message_size;
-	if (n > 0)
+	while (n > 0)
 		{
 		i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
-		if (i != (int)n)
+		if (i <= 0)
 			{
-			*ok=0;
-			return(ssl3_part_read(s,i));
+			s->rwstate=SSL_READING;
+			*ok = 0;
+			return i;
 			}
+		s->init_num += i;
+		n -= i;
 		}
+	ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
 	*ok=1;
-	return(n);
+	return s->init_num;
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -447,7 +567,7 @@ int ssl3_setup_buffers(SSL *s)
 			extra=SSL3_RT_MAX_EXTRA;
 		else
 			extra=0;
-		if ((p=(unsigned char *)Malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
+		if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
 			== NULL)
 			goto err;
 		s->s3->rbuf.buf=p;
@@ -455,7 +575,7 @@ int ssl3_setup_buffers(SSL *s)
 
 	if (s->s3->wbuf.buf == NULL)
 		{
-		if ((p=(unsigned char *)Malloc(SSL3_RT_MAX_PACKET_SIZE))
+		if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE))
 			== NULL)
 			goto err;
 		s->s3->wbuf.buf=p;
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index d3e6b4d1e58..279d2c01983 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -110,7 +110,7 @@ int ssl3_connect(SSL *s)
 	int ret= -1;
 	int new_state,state,skip=0;;
 
-	RAND_seed(&Time,sizeof(Time));
+	RAND_add(&Time,sizeof(Time),0);
 	ERR_clear_error();
 	clear_sys_error();
 
@@ -325,8 +325,8 @@ int ssl3_connect(SSL *s)
 		case SSL3_ST_CW_FINISHED_B:
 			ret=ssl3_send_finished(s,
 				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
-				s->method->ssl3_enc->client_finished,
-				s->method->ssl3_enc->client_finished_len);
+				s->method->ssl3_enc->client_finished_label,
+				s->method->ssl3_enc->client_finished_label_len);
 			if (ret <= 0) goto end;
 			s->state=SSL3_ST_CW_FLUSH;
 
@@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s)
 		p=s->s3->client_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
@@ -1053,15 +1053,15 @@ static int ssl3_get_key_exchange(SSL *s)
 				q+=i;
 				j+=i;
 				}
-			i=RSA_public_decrypt((int)n,p,p,pkey->pkey.rsa,
-				RSA_PKCS1_PADDING);
-			if (i <= 0)
+			i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
+								pkey->pkey.rsa);
+			if (i < 0)
 				{
 				al=SSL_AD_DECRYPT_ERROR;
 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
 				goto f_err;
 				}
-			if ((j != i) || (memcmp(p,md_buf,i) != 0))
+			if (i == 0)
 				{
 				/* bad signature */
 				al=SSL_AD_DECRYPT_ERROR;
@@ -1225,7 +1225,7 @@ fclose(out);
 
 		if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
 			{
-			/* If netscape tollerance is on, ignore errors */
+			/* If netscape tolerance is on, ignore errors */
 			if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
 				goto cont;
 			else
@@ -1258,7 +1258,7 @@ cont:
 		ERR_clear_error();
 		}
 
-	/* we should setup a certficate to return.... */
+	/* we should setup a certificate to return.... */
 	s->s3->tmp.cert_req=1;
 	s->s3->tmp.ctype_num=ctype_num;
 	if (s->s3->tmp.ca_names != NULL)
@@ -1341,7 +1341,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
 				
 			tmp_buf[0]=s->client_version>>8;
 			tmp_buf[1]=s->client_version&0xff;
-			RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+			if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+					goto err;
 
 			s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 
@@ -1460,7 +1461,7 @@ static int ssl3_send_client_verify(SSL *s)
 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
 	EVP_PKEY *pkey;
 #ifndef NO_RSA
-	int i=0;
+	unsigned u=0;
 #endif
 	unsigned long n;
 #ifndef NO_DSA
@@ -1481,17 +1482,15 @@ static int ssl3_send_client_verify(SSL *s)
 			{
 			s->method->ssl3_enc->cert_verify_mac(s,
 				&(s->s3->finish_dgst1),&(data[0]));
-			i=RSA_private_encrypt(
-				MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
-				data,&(p[2]),pkey->pkey.rsa,
-				RSA_PKCS1_PADDING);
-			if (i <= 0)
+			if (RSA_sign(NID_md5_sha1, data,
+					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
 				{
 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
 				goto err;
 				}
-			s2n(i,p);
-			n=i+2;
+			s2n(u,p);
+			n=u+2;
 			}
 		else
 #endif
@@ -1689,13 +1688,13 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 #endif
 #endif
 
-	if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
+	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
 		{
 #ifndef NO_RSA
 		if (algs & SSL_kRSA)
 			{
 			if (rsa == NULL
-			    || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
+			    || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 				{
 				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
 				goto f_err;
@@ -1707,7 +1706,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 			if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
 			    {
 			    if (dh == NULL
-				|| DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
+				|| DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 				{
 				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
 				goto f_err;
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index aeff6b5c5bc..c4b49aaedf4 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -75,18 +75,26 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	SSL3_TXT_RSA_NULL_MD5,
 	SSL3_CK_RSA_NULL_MD5,
-	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
 	0,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 02 */
 	{
 	1,
 	SSL3_TXT_RSA_NULL_SHA,
 	SSL3_CK_RSA_NULL_SHA,
-	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
 	0,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /* anon DH */
@@ -95,45 +103,65 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	SSL3_TXT_ADH_RC4_40_MD5,
 	SSL3_CK_ADH_RC4_40_MD5,
-	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
+	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 18 */
 	{
 	1,
 	SSL3_TXT_ADH_RC4_128_MD5,
 	SSL3_CK_ADH_RC4_128_MD5,
-	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_NOT_EXP,
 	0,
+	128,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 19 */
 	{
 	1,
 	SSL3_TXT_ADH_DES_40_CBC_SHA,
 	SSL3_CK_ADH_DES_40_CBC_SHA,
-	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+	SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 1A */
 	{
 	1,
 	SSL3_TXT_ADH_DES_64_CBC_SHA,
 	SSL3_CK_ADH_DES_64_CBC_SHA,
-	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
 	0,
+	56,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 1B */
 	{
 	1,
 	SSL3_TXT_ADH_DES_192_CBC_SHA,
 	SSL3_CK_ADH_DES_192_CBC_SHA,
-	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
 	0,
+	168,
+	168,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /* RSA again */
@@ -142,72 +170,104 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	SSL3_TXT_RSA_RC4_40_MD5,
 	SSL3_CK_RSA_RC4_40_MD5,
-	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
+	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 04 */
 	{
 	1,
 	SSL3_TXT_RSA_RC4_128_MD5,
 	SSL3_CK_RSA_RC4_128_MD5,
-	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
 	0,
+	128,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 05 */
 	{
 	1,
 	SSL3_TXT_RSA_RC4_128_SHA,
 	SSL3_CK_RSA_RC4_128_SHA,
-	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+	SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
 	0,
+	128,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 06 */
 	{
 	1,
 	SSL3_TXT_RSA_RC2_40_MD5,
 	SSL3_CK_RSA_RC2_40_MD5,
-	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
+	SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 07 */
 	{
 	1,
 	SSL3_TXT_RSA_IDEA_128_SHA,
 	SSL3_CK_RSA_IDEA_128_SHA,
-	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+	SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_MEDIUM,
 	0,
+	128,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 08 */
 	{
 	1,
 	SSL3_TXT_RSA_DES_40_CBC_SHA,
 	SSL3_CK_RSA_DES_40_CBC_SHA,
-	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+	SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 09 */
 	{
 	1,
 	SSL3_TXT_RSA_DES_64_CBC_SHA,
 	SSL3_CK_RSA_DES_64_CBC_SHA,
-	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+	SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
+	56,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0A */
 	{
 	1,
 	SSL3_TXT_RSA_DES_192_CBC3_SHA,
 	SSL3_CK_RSA_DES_192_CBC3_SHA,
-	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+	SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
+	168,
+	168,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /*  The DH ciphers */
@@ -216,54 +276,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0,
 	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
 	SSL3_CK_DH_DSS_DES_40_CBC_SHA,
-	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+	SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0C */
 	{
 	0,
 	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
 	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
-	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+	SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
+	56,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0D */
 	{
 	0,
 	SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
 	SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
-	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+	SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
+	168,
+	168,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0E */
 	{
 	0,
 	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
 	SSL3_CK_DH_RSA_DES_40_CBC_SHA,
-	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+	SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 0F */
 	{
 	0,
 	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
 	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
-	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+	SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
+	56,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 10 */
 	{
 	0,
 	SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
 	SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
-	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+	SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
+	168,
+	168,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /* The Ephemeral DH ciphers */
@@ -272,54 +356,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
 	SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
-	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+	SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 12 */
 	{
 	1,
 	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
 	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
-	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+	SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
+	56,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 13 */
 	{
 	1,
 	SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
 	SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
-	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+	SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
+	168,
+	168,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 14 */
 	{
 	1,
 	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
 	SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
-	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+	SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+	SSL_EXPORT|SSL_EXP40,
 	0,
+	40,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 15 */
 	{
 	1,
 	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
 	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
-	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+	SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_LOW,
 	0,
+	56,
+	56,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 /* Cipher 16 */
 	{
 	1,
 	SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
 	SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
-	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+	SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP|SSL_HIGH,
 	0,
+	168,
+	168,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /* Fortezza */
@@ -328,9 +436,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0,
 	SSL3_TXT_FZA_DMS_NULL_SHA,
 	SSL3_CK_FZA_DMS_NULL_SHA,
-	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
 	0,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /* Cipher 1D */
@@ -338,9 +450,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0,
 	SSL3_TXT_FZA_DMS_FZA_SHA,
 	SSL3_CK_FZA_DMS_FZA_SHA,
-	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
+	0,
+	0,
 	0,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 /* Cipher 1E */
@@ -348,9 +464,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0,
 	SSL3_TXT_FZA_DMS_RC4_SHA,
 	SSL3_CK_FZA_DMS_RC4_SHA,
-	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+	SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
+	SSL_NOT_EXP,
 	0,
+	128,
+	128,
 	SSL_ALL_CIPHERS,
+	SSL_ALL_STRENGTHS,
 	},
 
 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
@@ -360,54 +480,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    1,
 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
-	    SSL_ALL_CIPHERS
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
 	    },
 	/* Cipher 61 */
 	    {
 	    1,
 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
 	    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+	    SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
-	    SSL_ALL_CIPHERS
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
 	    },
 	/* Cipher 62 */
 	    {
 	    1,
 	    TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
 	    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+	    SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
-	    SSL_ALL_CIPHERS
+	    56,
+	    56,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
 	    },
 	/* Cipher 63 */
 	    {
 	    1,
 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+	    SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
-	    SSL_ALL_CIPHERS
+	    56,
+	    56,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
 	    },
 	/* Cipher 64 */
 	    {
 	    1,
 	    TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
 	    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+	    SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
-	    SSL_ALL_CIPHERS
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
 	    },
 	/* Cipher 65 */
 	    {
 	    1,
 	    TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
 	    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+	    SSL_EXPORT|SSL_EXP56,
 	    0,
-	    SSL_ALL_CIPHERS
+	    56,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS,
 	    },
 	/* Cipher 66 */
 	    {
@@ -415,8 +559,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
 	    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
 	    SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+	    SSL_NOT_EXP,
 	    0,
-	    SSL_ALL_CIPHERS
+	    128,
+	    128,
+	    SSL_ALL_CIPHERS,
+	    SSL_ALL_STRENGTHS
 	    },
 #endif
 
@@ -460,6 +608,9 @@ static SSL_METHOD SSLv3_data= {
 	ssl_bad_method,
 	ssl3_default_timeout,
 	&SSLv3_enc_data,
+	ssl_undefined_function,
+	ssl3_callback_ctrl,
+	ssl3_ctx_callback_ctrl,
 	};
 
 static long ssl3_default_timeout(void)
@@ -495,19 +646,12 @@ int ssl3_pending(SSL *s)
 
 int ssl3_new(SSL *s)
 	{
-	SSL3_CTX *s3;
+	SSL3_STATE *s3;
 
-	if ((s3=(SSL3_CTX *)Malloc(sizeof(SSL3_CTX))) == NULL) goto err;
-	memset(s3,0,sizeof(SSL3_CTX));
+	if ((s3=Malloc(sizeof *s3)) == NULL) goto err;
+	memset(s3,0,sizeof *s3);
 
 	s->s3=s3;
-	/*
-	s->s3->tmp.ca_names=NULL;
-	s->s3->tmp.key_block=NULL;
-	s->s3->tmp.key_block_length=0;
-	s->s3->rbuf.buf=NULL;
-	s->s3->wbuf.buf=NULL;
-	*/
 
 	s->method->ssl_clear(s);
 	return(1);
@@ -533,7 +677,7 @@ void ssl3_free(SSL *s)
 #endif
 	if (s->s3->tmp.ca_names != NULL)
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
-	memset(s->s3,0,sizeof(SSL3_CTX));
+	memset(s->s3,0,sizeof *s->s3);
 	Free(s->s3);
 	s->s3=NULL;
 	}
@@ -551,11 +695,15 @@ void ssl3_clear(SSL *s)
 		Free(s->s3->rrec.comp);
 		s->s3->rrec.comp=NULL;
 		}
+#ifndef NO_DH
+	if (s->s3->tmp.dh != NULL)
+		DH_free(s->s3->tmp.dh);
+#endif
 
 	rp=s->s3->rbuf.buf;
 	wp=s->s3->wbuf.buf;
 
-	memset(s->s3,0,sizeof(SSL3_CTX));
+	memset(s->s3,0,sizeof *s->s3);
 	if (rp != NULL) s->s3->rbuf.buf=rp;
 	if (wp != NULL) s->s3->wbuf.buf=wp;
 
@@ -638,7 +786,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
 		}
 		break;
 	case SSL_CTRL_SET_TMP_RSA_CB:
-		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))parg;
+		{
+		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(ret);
+		}
 		break;
 #endif
 #ifndef NO_DH
@@ -665,7 +816,54 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
 		}
 		break;
 	case SSL_CTRL_SET_TMP_DH_CB:
-		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))parg;
+		{
+		SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(ret);
+		}
+		break;
+#endif
+	default:
+		break;
+		}
+	return(ret);
+	}
+
+long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
+	{
+	int ret=0;
+
+#if !defined(NO_DSA) || !defined(NO_RSA)
+	if (
+#ifndef NO_RSA
+	    cmd == SSL_CTRL_SET_TMP_RSA_CB ||
+#endif
+#ifndef NO_DSA
+	    cmd == SSL_CTRL_SET_TMP_DH_CB ||
+#endif
+		0)
+		{
+		if (!ssl_cert_inst(&s->cert))
+		    	{
+			SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
+			return(0);
+			}
+		}
+#endif
+
+	switch (cmd)
+		{
+#ifndef NO_RSA
+	case SSL_CTRL_SET_TMP_RSA_CB:
+		{
+		s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+#ifndef NO_DH
+	case SSL_CTRL_SET_TMP_DH_CB:
+		{
+		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+		}
 		break;
 #endif
 	default:
@@ -721,7 +919,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
 		}
 		/* break; */
 	case SSL_CTRL_SET_TMP_RSA_CB:
-		cert->rsa_tmp_cb=(RSA *(*)(SSL *, int, int))parg;
+		{
+		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(0);
+		}
 		break;
 #endif
 #ifndef NO_DH
@@ -748,7 +949,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
 		}
 		/*break; */
 	case SSL_CTRL_SET_TMP_DH_CB:
-		cert->dh_tmp_cb=(DH *(*)(SSL *, int, int))parg;
+		{
+		SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return(0);
+		}
 		break;
 #endif
 	/* A Thawte special :-) */
@@ -767,6 +971,34 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
 	return(1);
 	}
 
+long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+	{
+	CERT *cert;
+
+	cert=ctx->cert;
+
+	switch (cmd)
+		{
+#ifndef NO_RSA
+	case SSL_CTRL_SET_TMP_RSA_CB:
+		{
+		cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+#ifndef NO_DH
+	case SSL_CTRL_SET_TMP_DH_CB:
+		{
+		cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+		}
+		break;
+#endif
+	default:
+		return(0);
+		}
+	return(1);
+	}
+
 /* This function needs to check if the ciphers required are actually
  * available */
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
@@ -819,21 +1051,6 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	return(2);
 	}
 
-int ssl3_part_read(SSL *s, int i)
-	{
-	s->rwstate=SSL_READING;
-
-	if (i < 0)
-		{
-		return(i);
-		}
-	else
-		{
-		s->init_num+=i;
-		return(0);
-		}
-	}
-
 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
 	     STACK_OF(SSL_CIPHER) *pref)
 	{
@@ -865,7 +1082,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
 		emask=cert->export_mask;
 			
 		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
-		if (SSL_IS_EXPORT(c->algorithms))
+		if (SSL_C_IS_EXPORT(c))
 			{
 			ok=((alg & emask) == alg)?1:0;
 #ifdef CIPHER_DEBUG
@@ -1034,8 +1251,12 @@ int ssl3_read(SSL *s, void *buf, int len)
 	ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
 	if ((ret == -1) && (s->s3->in_read_app_data == 0))
 		{
-		ERR_get_error(); /* clear the error */
-		s->s3->in_read_app_data=0;
+		/* ssl3_read_bytes decided to call s->handshake_func, which
+		 * called ssl3_read_bytes to read handshake data.
+		 * However, ssl3_read_bytes actually found application data
+		 * and thinks that application data makes sense here (signalled
+		 * by resetting 'in_read_app_data', strangely); so disable
+		 * handshake processing and try to read application data again. */
 		s->in_handshake++;
 		ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
 		s->in_handshake--;
@@ -1092,7 +1313,7 @@ int ssl3_renegotiate_check(SSL *s)
 			{
 /*
 if we are the server, and we have sent a 'RENEGOTIATE' message, we
-need to go to SSL_ST_ACCEPT.
+need to go to SSL_ST_ACCEPT.
 */
 			/* SSL_ST_ACCEPT */
 			s->state=SSL_ST_RENEGOTIATE;
diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index 7893d03123d..eb965310d9b 100644
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <errno.h>
@@ -71,104 +124,98 @@ static int ssl3_get_record(SSL *s);
 static int do_compress(SSL *ssl);
 static int do_uncompress(SSL *ssl);
 static int do_change_cipher_spec(SSL *ssl);
+
+/* used only by ssl3_get_record */
 static int ssl3_read_n(SSL *s, int n, int max, int extend)
 	{
+	/* If extend == 0, obtain new n-byte packet; if extend == 1, increase
+	 * packet by another n bytes.
+	 * The packet will be in the sub-array of s->s3->rbuf.buf specified
+	 * by s->packet and s->packet_length.
+	 * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
+	 * [plus s->packet_length bytes if extend == 1].)
+	 */
 	int i,off,newb;
 
-	/* if there is stuff still in the buffer from a previous read,
-	 * and there is more than we want, take some. */
+	if (!extend)
+		{
+		/* start with empty packet ... */
+		if (s->s3->rbuf.left == 0)
+			s->s3->rbuf.offset = 0;
+		s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
+		s->packet_length = 0;
+		/* ... now we can act as if 'extend' was set */
+		}
+
+	/* if there is enough in the buffer from a previous read, take some */
 	if (s->s3->rbuf.left >= (int)n)
 		{
-		if (extend)
-			s->packet_length+=n;
-		else
-			{
-			s->packet= &(s->s3->rbuf.buf[s->s3->rbuf.offset]);
-			s->packet_length=n;
-			}
+		s->packet_length+=n;
 		s->s3->rbuf.left-=n;
 		s->s3->rbuf.offset+=n;
 		return(n);
 		}
 
 	/* else we need to read more data */
-	if (!s->read_ahead) max=n;
-	if (max > SSL3_RT_MAX_PACKET_SIZE)
-		max=SSL3_RT_MAX_PACKET_SIZE;
-
-	/* First check if there is some left or we want to extend */
-	off=0;
-	if (	(s->s3->rbuf.left != 0) ||
-		((s->packet_length != 0) && extend))
-		{
-		newb=s->s3->rbuf.left;
-		if (extend)
-			{
-			/* Copy bytes back to the front of the buffer 
-			 * Take the bytes already pointed to by 'packet'
-			 * and take the extra ones on the end. */
-			off=s->packet_length;
-			if (s->packet != s->s3->rbuf.buf)
-				memcpy(s->s3->rbuf.buf,s->packet,newb+off);
-			}
-		else if (s->s3->rbuf.offset != 0)
-			{ /* so the data is not at the start of the buffer */
-			memcpy(s->s3->rbuf.buf,
-				&(s->s3->rbuf.buf[s->s3->rbuf.offset]),newb);
-			s->s3->rbuf.offset=0;
-			}
+	if (!s->read_ahead)
+		max=n;
 
-		s->s3->rbuf.left=0;
+	{
+		/* avoid buffer overflow */
+		int max_max = SSL3_RT_MAX_PACKET_SIZE - s->packet_length;
+		if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+			max_max += SSL3_RT_MAX_EXTRA;
+		if (max > max_max)
+			max = max_max;
+	}
+	if (n > max) /* does not happen */
+		{
+		SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+		return -1;
 		}
-	else
-		newb=0;
 
-	/* So we now have 'newb' bytes at the front of 
-	 * s->s3->rbuf.buf and need to read some more in on the end
-	 * We start reading into the buffer at 's->s3->rbuf.offset'
-	 */
-	s->packet=s->s3->rbuf.buf;
+	off = s->packet_length;
+	newb = s->s3->rbuf.left;
+	/* Move any available bytes to front of buffer:
+	 * 'off' bytes already pointed to by 'packet',
+	 * 'newb' extra ones at the end */
+	if (s->packet != s->s3->rbuf.buf)
+		{
+		/*  off > 0 */
+		memmove(s->s3->rbuf.buf, s->packet, off+newb);
+		s->packet = s->s3->rbuf.buf;
+		}
 
 	while (newb < n)
 		{
+		/* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
+		 * to read in more until we have off+n (up to off+max if possible) */
+
 		clear_sys_error();
 		if (s->rbio != NULL)
 			{
 			s->rwstate=SSL_READING;
-			i=BIO_read(s->rbio,
-				(char *)&(s->s3->rbuf.buf[off+newb]),
-				max-newb);
+			i=BIO_read(s->rbio,	&(s->s3->rbuf.buf[off+newb]), max-newb);
 			}
 		else
 			{
 			SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
-			i= -1;
+			i = -1;
 			}
 
 		if (i <= 0)
 			{
-			s->s3->rbuf.left+=newb;
+			s->s3->rbuf.left = newb;
 			return(i);
 			}
 		newb+=i;
 		}
 
-	/* record used data read */
-	if (newb > n)
-		{
-		s->s3->rbuf.offset=n+off;
-		s->s3->rbuf.left=newb-n;
-		}
-	else
-		{
-		s->s3->rbuf.offset=0;
-		s->s3->rbuf.left=0;
-		}
-
-	if (extend)
-		s->packet_length+=n;
-	else
-		s->packet_length+=n;
+	/* done reading, now the book-keeping */
+	s->s3->rbuf.offset = off + n;
+	s->s3->rbuf.left = newb - n;
+	s->packet_length += n;
+	s->rwstate=SSL_NOTHING;
 	return(n);
 	}
 
@@ -176,15 +223,15 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
- * ssl->s3->rrec.type	- is the type of record
- * ssl->s3->rrec.data, 	- data
+ * ssl->s3->rrec.type    - is the type of record
+ * ssl->s3->rrec.data, 	 - data
  * ssl->s3->rrec.length, - number of bytes
  */
+/* used only by ssl3_read_bytes */
 static int ssl3_get_record(SSL *s)
 	{
 	int ssl_major,ssl_minor,al;
 	int n,i,ret= -1;
-	SSL3_BUFFER *rb;
 	SSL3_RECORD *rr;
 	SSL_SESSION *sess;
 	unsigned char *p;
@@ -194,7 +241,6 @@ static int ssl3_get_record(SSL *s)
 	int clear=0,extra;
 
 	rr= &(s->s3->rrec);
-	rb= &(s->s3->rbuf);
 	sess=s->session;
 
 	if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
@@ -253,27 +299,26 @@ again:
 			goto f_err;
 			}
 
-		s->rstate=SSL_ST_READ_BODY;
+		/* now s->rstate == SSL_ST_READ_BODY */
 		}
 
-	/* get and decode the data */
-	if (s->rstate == SSL_ST_READ_BODY)
+	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+
+	if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
 		{
-		if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
-			{
-			i=rr->length;
-			/*-(s->packet_length-SSL3_RT_HEADER_LENGTH); */
-			n=ssl3_read_n(s,i,i,1);
-			if (n <= 0) return(n); /* error or non-blocking io */
-			}
-		s->rstate=SSL_ST_READ_HEADER;
+		/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
+		i=rr->length;
+		n=ssl3_read_n(s,i,i,1);
+		if (n <= 0) return(n); /* error or non-blocking io */
+		/* now n == rr->length,
+		 * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
 		}
 
-	/* At this point, we have the data in s->packet and there should be
-	 * s->packet_length bytes, we must not 'overrun' this buffer :-)
-	 * One of the following functions will copy the data from the
-	 * s->packet buffer */
+	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
 
+	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+	 * and we have that many bytes in s->packet
+	 */
 	rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
 
 	/* ok, we can now read from 's->packet' data into 'rr'
@@ -283,13 +328,10 @@ again:
 	 * When the data is 'copied' into the rr->data buffer,
 	 * rr->input will be pointed at the new buffer */ 
 
-	/* Set the state for the following operations */
-	s->rstate=SSL_ST_READ_HEADER;
-
 	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
 	 * rr->length bytes of encrypted compressed stuff. */
 
-	/* check is not needed I belive */
+	/* check is not needed I believe */
 	if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
 		{
 		al=SSL_AD_RECORD_OVERFLOW;
@@ -326,7 +368,7 @@ printf("\n");
 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
 			goto f_err;
 			}
-		/* check MAC for rr->input' */
+		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
 		if (rr->length < mac_size)
 			{
 			al=SSL_AD_DECODE_ERROR;
@@ -426,12 +468,12 @@ static int do_compress(SSL *ssl)
 	return(1);
 	}
 
-/* Call this to write data
+/* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
-int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
+int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 	{
-	const unsigned char *buf=_buf;
+	const unsigned char *buf=buf_;
 	unsigned int tot,n,nw;
 	int i;
 
@@ -457,7 +499,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
 			nw=SSL3_RT_MAX_PLAIN_LENGTH;
 		else
 			nw=n;
-			
+
 		i=do_ssl3_write(s,type,&(buf[tot]),nw);
 		if (i <= 0)
 			{
@@ -465,9 +507,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
 			return(i);
 			}
 
-		if (type == SSL3_RT_HANDSHAKE)
-			ssl3_finish_mac(s,&(buf[tot]),i);
-
 		if ((i == (int)n) ||
 			(type == SSL3_RT_APPLICATION_DATA &&
 			 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
@@ -503,8 +542,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 		/* if it went, fall through and send more stuff */
 		}
 
-	if (len <= 0) return(len);
-	
+	if (len == 0) return(len);
+
 	wr= &(s->s3->wrec);
 	wb= &(s->s3->wbuf);
 	sess=s->session;
@@ -527,11 +566,11 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
 	*(p++)=(s->version>>8);
 	*(p++)=s->version&0xff;
-	
+
 	/* record where we are to write out packet length */
 	plen=p; 
 	p+=2;
-	
+
 	/* lets setup the record stuff. */
 	wr->data=p;
 	wr->length=(int)len;
@@ -638,19 +677,75 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 		}
 	}
 
+/* Return up to 'len' payload bytes received in 'type' records.
+ * 'type' is one of the following:
+ *
+ *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
+ *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
+ *   -  0 (during a shutdown, no data has to be returned)
+ *
+ * If we don't have stored data to work from, read a SSL/TLS record first
+ * (possibly multiple records if we still don't have anything to return).
+ *
+ * This function must handle any surprises the peer may have for us, such as
+ * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
+ * a surprise, but handled as if it were), or renegotiation requests.
+ * Also if record payloads contain fragments too small to process, we store
+ * them until there is enough for the respective protocol (the record protocol
+ * may use arbitrary fragmentation and even interleaving):
+ *     Change cipher spec protocol
+ *             just 1 byte needed, no need for keeping anything stored
+ *     Alert protocol
+ *             2 bytes needed (AlertLevel, AlertDescription)
+ *     Handshake protocol
+ *             4 bytes needed (HandshakeType, uint24 length) -- we just have
+ *             to detect unexpected Client Hello and Hello Request messages
+ *             here, anything else is handled by higher layers
+ *     Application data protocol
+ *             none of our business
+ */
 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
 	{
-	int al,i,j,n,ret;
+	int al,i,j,ret;
+	unsigned int n;
 	SSL3_RECORD *rr;
 	void (*cb)()=NULL;
-	BIO *bio;
 
-	if (s->s3->rbuf.buf == NULL) /* Not initialize yet */
+	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
 		if (!ssl3_setup_buffers(s))
 			return(-1);
 
+	if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+		{
+		SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+		return -1;
+		}
+
+	if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
+		/* (partially) satisfy request from storage */
+		{
+		unsigned char *src = s->s3->handshake_fragment;
+		unsigned char *dst = buf;
+		unsigned int k;
+
+		n = 0;
+		while ((len > 0) && (s->s3->handshake_fragment_len > 0))
+			{
+			*dst++ = *src++;
+			len--; s->s3->handshake_fragment_len--;
+			n++;
+			}
+		/* move any remaining fragment bytes: */
+		for (k = 0; k < s->s3->handshake_fragment_len; k++)
+			s->s3->handshake_fragment[k] = *src++;
+		return n;
+	}
+
+	/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
+
 	if (!s->in_handshake && SSL_in_init(s))
 		{
+		/* type == SSL3_RT_APPLICATION_DATA */
 		i=s->handshake_func(s);
 		if (i < 0) return(i);
 		if (i == 0)
@@ -662,11 +757,11 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	- is the type of record
-	 * s->s3->rrec.data, 	- data
-	 * s->s3->rrec.off, 	- ofset into 'data' for next read
-	 * s->s3->rrec.length,	- number of bytes. */
-	rr= &(s->s3->rrec);
+	/* s->s3->rrec.type	    - is the type of record
+	 * s->s3->rrec.data,    - data
+	 * s->s3->rrec.off,     - offset into 'data' for next read
+	 * s->s3->rrec.length,  - number of bytes. */
+	rr = &(s->s3->rrec);
 
 	/* get new packet */
 	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
@@ -677,7 +772,9 @@ start:
 
 	/* we now have a packet which can be read and processed */
 
-	if (s->s3->change_cipher_spec && (rr->type != SSL3_RT_HANDSHAKE))
+	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+	                               * reset by ssl3_get_finished */
+		&& (rr->type != SSL3_RT_HANDSHAKE))
 		{
 		al=SSL_AD_UNEXPECTED_MESSAGE;
 		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
@@ -692,16 +789,98 @@ start:
 		return(0);
 		}
 
-	/* Check for an incoming 'Client Request' message */
-	if ((rr->type == SSL3_RT_HANDSHAKE) && (rr->length == 4) &&
-		(rr->data[0] == SSL3_MT_CLIENT_REQUEST) &&
+
+	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
+		{
+		/* make sure that we are not getting application data when we
+		 * are doing a handshake for the first time */
+		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+			(s->enc_read_ctx == NULL))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+			goto f_err;
+			}
+
+		if (len <= 0) return(len);
+
+		if ((unsigned int)len > rr->length)
+			n = rr->length;
+		else
+			n = (unsigned int)len;
+
+		memcpy(buf,&(rr->data[rr->off]),n);
+		rr->length-=n;
+		rr->off+=n;
+		if (rr->length == 0)
+			{
+			s->rstate=SSL_ST_READ_HEADER;
+			rr->off=0;
+			}
+		return(n);
+		}
+
+
+	/* If we get here, then type != rr->type; if we have a handshake
+	 * message, then it was unexpected (Hello Request or Client Hello). */
+
+	/* In case of record types for which we have 'fragment' storage,
+	 * fill that so that we can process the data at a fixed place.
+	 */
+		{
+		unsigned int dest_maxlen = 0;
+		unsigned char *dest = NULL;
+		unsigned int *dest_len = NULL;
+
+		if (rr->type == SSL3_RT_HANDSHAKE)
+			{
+			dest_maxlen = sizeof s->s3->handshake_fragment;
+			dest = s->s3->handshake_fragment;
+			dest_len = &s->s3->handshake_fragment_len;
+			}
+		else if (rr->type == SSL3_RT_ALERT)
+			{
+			dest_maxlen = sizeof s->s3->alert_fragment;
+			dest = s->s3->alert_fragment;
+			dest_len = &s->s3->alert_fragment_len;
+			}
+
+		if (dest_maxlen > 0)
+			{
+			n = dest_maxlen - *dest_len; /* available space in 'dest' */
+			if (rr->length < n)
+				n = rr->length; /* available bytes */
+
+			/* now move 'n' bytes: */
+			while (n-- > 0)
+				{
+				dest[(*dest_len)++] = rr->data[rr->off++];
+				rr->length--;
+				}
+
+			if (*dest_len < dest_maxlen)
+				goto start; /* fragment was too small */
+			}
+		}
+
+	/* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
+	 * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+
+	/* If we are a client, check for an incoming 'Hello Request': */
+	if ((!s->server) &&
+		(s->s3->handshake_fragment_len >= 4) &&
+		(s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
 		(s->session != NULL) && (s->session->cipher != NULL))
 		{
-		if ((rr->data[1] != 0) || (rr->data[2] != 0) ||
-			(rr->data[3] != 0))
+		s->s3->handshake_fragment_len = 0;
+
+		if ((s->s3->handshake_fragment[1] != 0) ||
+			(s->s3->handshake_fragment[2] != 0) ||
+			(s->s3->handshake_fragment[3] != 0))
 			{
 			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CLIENT_REQUEST);
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
 			goto err;
 			}
 
@@ -712,220 +891,209 @@ start:
 			ssl3_renegotiate(s);
 			if (ssl3_renegotiate_check(s))
 				{
-				n=s->handshake_func(s);
-				if (n < 0) return(n);
-				if (n == 0)
+				i=s->handshake_func(s);
+				if (i < 0) return(i);
+				if (i == 0)
 					{
 					SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
 					return(-1);
 					}
+
+				if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+					{
+					BIO *bio;
+					/* In the case where we try to read application data
+					 * the first time, but we trigger an SSL handshake, we
+					 * return -1 with the retry option set.  I do this
+					 * otherwise renegotiation can cause nasty problems 
+					 * in the blocking world */ /* ? */
+					s->rwstate=SSL_READING;
+					bio=SSL_get_rbio(s);
+					BIO_clear_retry_flags(bio);
+					BIO_set_retry_read(bio);
+					return(-1);
+					}
 				}
 			}
-		rr->length=0;
-/* ZZZ */	goto start;
+		/* we either finished a handshake or ignored the request,
+		 * now try again to obtain the (application) data we were asked for */
+		goto start;
 		}
 
-	/* if it is not the type we want, or we have shutdown and want
-	 * the peer shutdown */
-	if ((rr->type != type) || (s->shutdown & SSL_SENT_SHUTDOWN))
+	if (s->s3->alert_fragment_len >= 2)
 		{
-		if (rr->type == SSL3_RT_ALERT)
-			{
-			if ((rr->length != 2) || (rr->off != 0))
-				{
-				al=SSL_AD_DECODE_ERROR;
-				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_ALERT_RECORD);
-				goto f_err;
-				}
+		int alert_level = s->s3->alert_fragment[0];
+		int alert_descr = s->s3->alert_fragment[1];
 
-			i=rr->data[0];
-			n=rr->data[1];
+		s->s3->alert_fragment_len = 0;
 
-			/* clear from buffer */
-			rr->length=0;
-
-			if (s->info_callback != NULL)
-				cb=s->info_callback;
-			else if (s->ctx->info_callback != NULL)
-				cb=s->ctx->info_callback;
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
 
-			if (cb != NULL)
-				{
-				j=(i<<8)|n;
-				cb(s,SSL_CB_READ_ALERT,j);
-				}
+		if (cb != NULL)
+			{
+			j = (alert_level << 8) | alert_descr;
+			cb(s, SSL_CB_READ_ALERT, j);
+			}
 
-			if (i == 1)
-				{
-				s->s3->warn_alert=n;
-				if (n == SSL_AD_CLOSE_NOTIFY)
-					{
-					s->shutdown|=SSL_RECEIVED_SHUTDOWN;
-					return(0);
-					}
-				}
-			else if (i == 2)
+		if (alert_level == 1) /* warning */
+			{
+			s->s3->warn_alert = alert_descr;
+			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
 				{
-				char tmp[16];
-
-				s->rwstate=SSL_NOTHING;
-				s->s3->fatal_alert=n;
-				SSLerr(SSL_F_SSL3_READ_BYTES,
-					SSL_AD_REASON_OFFSET+n);
-				sprintf(tmp,"%d",n);
-				ERR_add_error_data(2,"SSL alert number ",tmp);
-				s->shutdown|=SSL_RECEIVED_SHUTDOWN;
-				SSL_CTX_remove_session(s->ctx,s->session);
+				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
 				return(0);
 				}
-			else
-				{
-				al=SSL_AD_ILLEGAL_PARAMETER;
-				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
-				goto f_err;
-				}
-
-			rr->length=0;
-			goto start;
 			}
-
-		if (s->shutdown & SSL_SENT_SHUTDOWN)
+		else if (alert_level == 2) /* fatal */
 			{
+			char tmp[16];
+
 			s->rwstate=SSL_NOTHING;
-			rr->length=0;
+			s->s3->fatal_alert = alert_descr;
+			SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+			sprintf(tmp,"%d",alert_descr);
+			ERR_add_error_data(2,"SSL alert number ",tmp);
+			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+			SSL_CTX_remove_session(s->ctx,s->session);
 			return(0);
 			}
-
-		if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+		else
 			{
-			if (	(rr->length != 1) || (rr->off != 0) ||
-				(rr->data[0] != SSL3_MT_CCS))
-				{
-				i=SSL_AD_ILLEGAL_PARAMETER;
-				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-				goto err;
-				}
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+			goto f_err;
+			}
 
-			rr->length=0;
-			s->s3->change_cipher_spec=1;
-			if (!do_change_cipher_spec(s))
-				goto err;
-			else
-				goto start;
+		goto start;
+		}
+
+	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
+		{
+		s->rwstate=SSL_NOTHING;
+		rr->length=0;
+		return(0);
+		}
+
+	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+		{
+		/* 'Change Cipher Spec' is just a single byte, so we know
+		 * exactly what the record payload has to look like */
+		if (	(rr->length != 1) || (rr->off != 0) ||
+			(rr->data[0] != SSL3_MT_CCS))
+			{
+			i=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+			goto err;
 			}
 
-		/* else we have a handshake */
-		if ((rr->type == SSL3_RT_HANDSHAKE) &&
-			!s->in_handshake)
+		rr->length=0;
+		s->s3->change_cipher_spec=1;
+		if (!do_change_cipher_spec(s))
+			goto err;
+		else
+			goto start;
+		}
+
+	/* Unexpected handshake message (Client Hello, or protocol violation) */
+	if ((s->s3->handshake_fragment_len >= 4) &&	!s->in_handshake)
+		{
+		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
 			{
-			if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
-				!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
-				{
-				s->state=SSL_ST_BEFORE|(s->server)
-						?SSL_ST_ACCEPT
-						:SSL_ST_CONNECT;
-				s->new_session=1;
-				}
-			n=s->handshake_func(s);
-			if (n < 0) return(n);
-			if (n == 0)
-				{
-				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-				return(-1);
-				}
+#if 0 /* worked only because C operator preferences are not as expected (and
+       * because this is not really needed for clients except for detecting
+       * protocol violations): */
+			s->state=SSL_ST_BEFORE|(s->server)
+				?SSL_ST_ACCEPT
+				:SSL_ST_CONNECT;
+#else
+			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
+			s->new_session=1;
+			}
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
 
+		if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+			{
+			BIO *bio;
 			/* In the case where we try to read application data
 			 * the first time, but we trigger an SSL handshake, we
 			 * return -1 with the retry option set.  I do this
 			 * otherwise renegotiation can cause nasty problems 
-			 * in the non-blocking world */
-
+			 * in the blocking world */ /* ? */
 			s->rwstate=SSL_READING;
 			bio=SSL_get_rbio(s);
 			BIO_clear_retry_flags(bio);
 			BIO_set_retry_read(bio);
 			return(-1);
 			}
+		goto start;
+		}
 
-		switch (rr->type)
-			{
-		default:
+	switch (rr->type)
+		{
+	default:
 #ifndef NO_TLS
-			/* TLS just ignores unknown message types */
-			if (s->version == TLS1_VERSION)
-				{
-				goto start;
-				}
+		/* TLS just ignores unknown message types */
+		if (s->version == TLS1_VERSION)
+			{
+			goto start;
+			}
 #endif
-		case SSL3_RT_CHANGE_CIPHER_SPEC:
-		case SSL3_RT_ALERT:
-		case SSL3_RT_HANDSHAKE:
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+		goto f_err;
+	case SSL3_RT_CHANGE_CIPHER_SPEC:
+	case SSL3_RT_ALERT:
+	case SSL3_RT_HANDSHAKE:
+		/* we already handled all of these, with the possible exception
+		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
+		 * should not happen when type != rr->type */
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+		goto f_err;
+	case SSL3_RT_APPLICATION_DATA:
+		/* At this point, we were expecting handshake data,
+		 * but have application data.  If the library was
+		 * running inside ssl3_read() (i.e. in_read_app_data
+		 * is set) and it makes sense to read application data
+		 * at this point (session renegotiation not yet started),
+		 * we will indulge it.
+		 */
+		if (s->s3->in_read_app_data &&
+			(s->s3->total_renegotiations != 0) &&
+			((
+				(s->state & SSL_ST_CONNECT) &&
+				(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
+				(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
+				) || (
+					(s->state & SSL_ST_ACCEPT) &&
+					(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
+					(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
+					)
+				))
+			{
+			s->s3->in_read_app_data=0;
+			return(-1);
+			}
+		else
+			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
 			goto f_err;
-		case SSL3_RT_APPLICATION_DATA:
-			/* At this point, we were expecting something else,
-			 * but have application data.  What we do is set the
-			 * error, and return -1.  On the way out, if the
-			 * library was running inside ssl3_read() and it makes
-			 * sense to read application data at this point, we
-			 * will indulge it.  This will mostly happen during
-			 * session renegotiation.
-			 */
-			if (s->s3->in_read_app_data &&
-				(s->s3->total_renegotiations != 0) &&
-				((
-				  (s->state & SSL_ST_CONNECT) &&
-				  (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
-				  (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
-				 ) || (
-				  (s->state & SSL_ST_ACCEPT) &&
-				  (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
-				  (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
-				 )
-				))
-				{
-				s->s3->in_read_app_data=0;
-				return(-1);
-				}
-			else
-				{
-				al=SSL_AD_UNEXPECTED_MESSAGE;
-				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
-				goto f_err;
-				}
 			}
 		}
+	/* not reached */
 
-	/* make sure that we are not getting application data when we
-	 * are doing a handshake for the first time */
-	if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-		(s->enc_read_ctx == NULL))
-		{
-		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
-		goto f_err;
-		}
-
-	if (len <= 0) return(len);
-
-	if ((unsigned int)len > rr->length)
-		n=rr->length;
-	else
-		n=len;
-
-	memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
-	rr->length-=n;
-	rr->off+=n;
-	if (rr->length <= 0)
-		{
-		s->rstate=SSL_ST_READ_HEADER;
-		rr->off=0;
-		}
-
-	if (type == SSL3_RT_HANDSHAKE)
-		ssl3_finish_mac(s,buf,n);
-	return(n);
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -935,7 +1103,7 @@ err:
 static int do_change_cipher_spec(SSL *s)
 	{
 	int i;
-	unsigned char *sender;
+	const char *sender;
 	int slen;
 
 	if (s->state & SSL_ST_ACCEPT)
@@ -957,37 +1125,23 @@ static int do_change_cipher_spec(SSL *s)
 	 * the finished message */
 	if (s->state & SSL_ST_CONNECT)
 		{
-		sender=s->method->ssl3_enc->server_finished;
-		slen=s->method->ssl3_enc->server_finished_len;
+		sender=s->method->ssl3_enc->server_finished_label;
+		slen=s->method->ssl3_enc->server_finished_label_len;
 		}
 	else
 		{
-		sender=s->method->ssl3_enc->client_finished;
-		slen=s->method->ssl3_enc->client_finished_len;
+		sender=s->method->ssl3_enc->client_finished_label;
+		slen=s->method->ssl3_enc->client_finished_label_len;
 		}
 
-	s->method->ssl3_enc->final_finish_mac(s,
+	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
 		&(s->s3->finish_dgst1),
 		&(s->s3->finish_dgst2),
-		sender,slen,&(s->s3->tmp.finish_md[0]));
+		sender,slen,s->s3->tmp.peer_finish_md);
 
 	return(1);
 	}
 
-int ssl3_do_write(SSL *s, int type)
-	{
-	int ret;
-
-	ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
-			     s->init_num);
-	if (ret == s->init_num)
-		return(1);
-	if (ret < 0) return(-1);
-	s->init_off+=ret;
-	s->init_num-=ret;
-	return(0);
-	}
-
 void ssl3_send_alert(SSL *s, int level, int desc)
 	{
 	/* Map tls/ssl alert value to correct one */
@@ -1029,7 +1183,7 @@ int ssl3_dispatch_alert(SSL *s)
 			cb=s->info_callback;
 		else if (s->ctx->info_callback != NULL)
 			cb=s->ctx->info_callback;
-		
+
 		if (cb != NULL)
 			{
 			j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
@@ -1038,4 +1192,3 @@ int ssl3_dispatch_alert(SSL *s)
 		}
 	return(i);
 	}
-
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index e003d883574..90806e2d99b 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -57,6 +57,8 @@
  */
 
 #define REUSE_CIPHER_BUG
+#define NETSCAPE_HANG_BUG
+
 
 #include <stdio.h>
 #include <openssl/buffer.h>
@@ -70,13 +72,14 @@
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
+static int ssl3_check_client_hello(SSL *s);
 static int ssl3_send_server_hello(SSL *s);
 static int ssl3_send_server_key_exchange(SSL *s);
 static int ssl3_send_certificate_request(SSL *s);
 static int ssl3_send_server_done(SSL *s);
-static int ssl3_get_cert_verify(SSL *s);
 static int ssl3_get_client_key_exchange(SSL *s);
 static int ssl3_get_client_certificate(SSL *s);
+static int ssl3_get_cert_verify(SSL *s);
 static int ssl3_send_hello_request(SSL *s);
 
 static SSL_METHOD *ssl3_get_server_method(int ver)
@@ -112,7 +115,7 @@ int ssl3_accept(SSL *s)
 	int ret= -1;
 	int new_state,state,skip=0;
 
-	RAND_seed(&Time,sizeof(Time));
+	RAND_add(&Time,sizeof(Time),0);
 	ERR_clear_error();
 	clear_sys_error();
 
@@ -151,7 +154,6 @@ int ssl3_accept(SSL *s)
 
 			if ((s->version>>8) != 3)
 				abort();
-			/* s->version=SSL3_VERSION; */
 			s->type=SSL_ST_ACCEPT;
 
 			if (s->init_buf == NULL)
@@ -184,8 +186,8 @@ int ssl3_accept(SSL *s)
 
 			if (s->state != SSL_ST_RENEGOTIATE)
 				{
-				s->state=SSL3_ST_SR_CLNT_HELLO_A;
 				ssl3_init_finished_mac(s);
+				s->state=SSL3_ST_SR_CLNT_HELLO_A;
 				s->ctx->stats.sess_accept++;
 				}
 			else
@@ -268,8 +270,8 @@ int ssl3_accept(SSL *s)
 			    || (l & (SSL_DH|SSL_kFZA))
 			    || ((l & SSL_kRSA)
 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
-				    || (SSL_IS_EXPORT(l)
-					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
+				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
+					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
 					)
 				    )
 				)
@@ -287,9 +289,19 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SW_CERT_REQ_A:
 		case SSL3_ST_SW_CERT_REQ_B:
-			if (!(s->verify_mode & SSL_VERIFY_PEER) ||
+			if (/* don't request cert unless asked for it: */
+				!(s->verify_mode & SSL_VERIFY_PEER) ||
+				/* if SSL_VERIFY_CLIENT_ONCE is set,
+				 * don't request cert during re-negotiation: */
 				((s->session->peer != NULL) &&
-				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
+				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
+				/* never request cert in anonymous ciphersuites
+				 * (see section "Certificate request" in SSL 3 drafts
+				 * and in RFC 2246): */
+				((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+				 /* ... except when the application insists on verification
+				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
+				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
 				{
 				/* no cert request */
 				skip=1;
@@ -301,7 +313,12 @@ int ssl3_accept(SSL *s)
 				s->s3->tmp.cert_request=1;
 				ret=ssl3_send_certificate_request(s);
 				if (ret <= 0) goto end;
+#ifndef NETSCAPE_HANG_BUG
 				s->state=SSL3_ST_SW_SRVR_DONE_A;
+#else
+				s->state=SSL3_ST_SW_FLUSH;
+				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+#endif
 				s->init_num=0;
 				}
 			break;
@@ -331,12 +348,20 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SR_CERT_A:
 		case SSL3_ST_SR_CERT_B:
-			/* could be sent for a DH cert, even if we
-			 * have not asked for it :-) */
-			ret=ssl3_get_client_certificate(s);
-			if (ret <= 0) goto end;
-			s->init_num=0;
-			s->state=SSL3_ST_SR_KEY_EXCH_A;
+			/* Check for second client hello (MS SGC) */
+			ret = ssl3_check_client_hello(s);
+			if (ret <= 0)
+				goto end;
+			if (ret == 2)
+				s->state = SSL3_ST_SR_CLNT_HELLO_C;
+			else {
+				/* could be sent for a DH cert, even if we
+				 * have not asked for it :-) */
+				ret=ssl3_get_client_certificate(s);
+				if (ret <= 0) goto end;
+				s->init_num=0;
+				s->state=SSL3_ST_SR_KEY_EXCH_A;
+			}
 			break;
 
 		case SSL3_ST_SR_KEY_EXCH_A:
@@ -350,10 +375,10 @@ int ssl3_accept(SSL *s)
 			 * a client cert, it can be verified */ 
 			s->method->ssl3_enc->cert_verify_mac(s,
 				&(s->s3->finish_dgst1),
-				&(s->s3->tmp.finish_md[0]));
+				&(s->s3->tmp.cert_verify_md[0]));
 			s->method->ssl3_enc->cert_verify_mac(s,
 				&(s->s3->finish_dgst2),
-				&(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
+				&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
 
 			break;
 
@@ -407,8 +432,8 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SW_FINISHED_B:
 			ret=ssl3_send_finished(s,
 				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
-				s->method->ssl3_enc->server_finished,
-				s->method->ssl3_enc->server_finished_len);
+				s->method->ssl3_enc->server_finished_label,
+				s->method->ssl3_enc->server_finished_label_len);
 			if (ret <= 0) goto end;
 			s->state=SSL3_ST_SW_FLUSH;
 			if (s->hit)
@@ -485,7 +510,7 @@ static int ssl3_send_hello_request(SSL *s)
 	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
 		{
 		p=(unsigned char *)s->init_buf->data;
-		*(p++)=SSL3_MT_CLIENT_REQUEST;
+		*(p++)=SSL3_MT_HELLO_REQUEST;
 		*(p++)=0;
 		*(p++)=0;
 		*(p++)=0;
@@ -500,6 +525,37 @@ static int ssl3_send_hello_request(SSL *s)
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
 
+static int ssl3_check_client_hello(SSL *s)
+	{
+	int ok;
+	long n;
+
+	n=ssl3_get_message(s,
+		SSL3_ST_SR_CERT_A,
+		SSL3_ST_SR_CERT_B,
+		-1,
+		SSL3_RT_MAX_PLAIN_LENGTH,
+		&ok);
+	if (!ok) return((int)n);
+	s->s3->tmp.reuse_message = 1;
+	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
+		{
+		/* Throw away what we have done so far in the current handshake,
+		 * which will now be aborted. (A full SSL_clear would be too much.)
+		 * I hope that tmp.dh is the only thing that may need to be cleared
+		 * when a handshake is not completed ... */
+#ifndef NO_DH
+		if (s->s3->tmp.dh != NULL)
+			{
+			DH_free(s->s3->tmp.dh);
+			s->s3->tmp.dh = NULL;
+			}
+#endif
+		return 2;
+		}
+	return 1;
+}
+
 static int ssl3_get_client_hello(SSL *s)
 	{
 	int i,j,ok,al,ret= -1;
@@ -531,10 +587,9 @@ static int ssl3_get_client_hello(SSL *s)
 	if (!ok) return((int)n);
 	d=p=(unsigned char *)s->init_buf->data;
 
-	/* The version number has already been checked in ssl3_get_message.
-	 * I a native TLSv1/SSLv3 method, the match must be correct except
-	 * perhaps for the first message */
-/*	s->client_version=(((int)p[0])<<8)|(int)p[1]; */
+	/* use version from inside client hello, not from record header
+	 * (may differ: see RFC 2246, Appendix E, second paragraph) */
+	s->client_version=(((int)p[0])<<8)|(int)p[1];
 	p+=2;
 
 	/* load the client random */
@@ -754,7 +809,7 @@ static int ssl3_get_client_hello(SSL *s)
 	 * compression		- basically ignored right now
 	 * ssl version is set	- sslv3
 	 * s->session		- The ssl session has been setup.
-	 * s->hit		- sesson reuse flag
+	 * s->hit		- session reuse flag
 	 * s->tmp.new_cipher	- the new cipher to use.
 	 */
 
@@ -782,7 +837,7 @@ static int ssl3_send_server_hello(SSL *s)
 		p=s->s3->server_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
 
@@ -866,9 +921,10 @@ static int ssl3_send_server_key_exchange(SSL *s)
 	int j,num;
 	RSA *rsa;
 	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+	unsigned int u;
 #endif
 #ifndef NO_DH
-	DH *dh,*dhp;
+	DH *dh=NULL,*dhp;
 #endif
 	EVP_PKEY *pkey;
 	unsigned char *p,*d;
@@ -899,6 +955,12 @@ static int ssl3_send_server_key_exchange(SSL *s)
 				rsa=s->cert->rsa_tmp_cb(s,
 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				if(rsa == NULL)
+				{
+					al=SSL_AD_HANDSHAKE_FAILURE;
+					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
+					goto f_err;
+				}
 				CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
 				cert->rsa_tmp=rsa;
 				}
@@ -928,6 +990,14 @@ static int ssl3_send_server_key_exchange(SSL *s)
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
 				goto f_err;
 				}
+
+			if (s->s3->tmp.dh != NULL)
+				{
+				DH_free(dh);
+				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
+				goto err;
+				}
+
 			if ((dh=DHparams_dup(dhp)) == NULL)
 				{
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
@@ -1027,15 +1097,14 @@ static int ssl3_send_server_key_exchange(SSL *s)
 					q+=i;
 					j+=i;
 					}
-				i=RSA_private_encrypt(j,md_buf,&(p[2]),
-					pkey->pkey.rsa,RSA_PKCS1_PADDING);
-				if (i <= 0)
+				if (RSA_sign(NID_md5_sha1, md_buf, j,
+					&(p[2]), &u, pkey->pkey.rsa) <= 0)
 					{
 					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
 					goto err;
 					}
-				s2n(i,p);
-				n+=i+2;
+				s2n(u,p);
+				n+=u+2;
 				}
 			else
 #endif
@@ -1075,7 +1144,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
 		s->init_off=0;
 		}
 
-	/* SSL3_ST_SW_KEY_EXCH_B */
+	s->state = SSL3_ST_SW_KEY_EXCH_B;
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -1152,6 +1221,17 @@ static int ssl3_send_certificate_request(SSL *s)
 
 		s->init_num=n+4;
 		s->init_off=0;
+#ifdef NETSCAPE_HANG_BUG
+		p=(unsigned char *)s->init_buf->data + s->init_num;
+
+		/* do the header */
+		*(p++)=SSL3_MT_SERVER_DONE;
+		*(p++)=0;
+		*(p++)=0;
+		*(p++)=0;
+		s->init_num += 4;
+#endif
+
 		}
 
 	/* SSL3_ST_SW_CERT_REQ_B */
@@ -1239,31 +1319,6 @@ static int ssl3_get_client_key_exchange(SSL *s)
 
 		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
 
-#if 1
-		/* If a bad decrypt, use a random master key */
-		if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
-			((p[0] != (s->client_version>>8)) ||
-			 (p[1] != (s->client_version & 0xff))))
-			{
-			int bad=1;
-
-			if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
-				(p[0] == (s->version>>8)) &&
-				(p[1] == 0))
-				{
-				if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
-					bad=0;
-				}
-			if (bad)
-				{
-				p[0]=(s->version>>8);
-				p[1]=(s->version & 0xff);
-				RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
-				i=SSL_MAX_MASTER_KEY_LENGTH;
-				}
-			/* else, an SSLeay bug, ssl only server, tls client */
-			}
-#else
 		if (i != SSL_MAX_MASTER_KEY_LENGTH)
 			{
 			al=SSL_AD_DECODE_ERROR;
@@ -1271,13 +1326,12 @@ static int ssl3_get_client_key_exchange(SSL *s)
 			goto f_err;
 			}
 
-		if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
+		if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
 			{
 			al=SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
 			goto f_err;
 			}
-#endif
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
@@ -1450,16 +1504,16 @@ static int ssl3_get_cert_verify(SSL *s)
 #ifndef NO_RSA 
 	if (pkey->type == EVP_PKEY_RSA)
 		{
-		i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
+		i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
+			MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 
+							pkey->pkey.rsa);
 		if (i < 0)
 			{
 			al=SSL_AD_DECRYPT_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
 			goto f_err;
 			}
-		if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
-			memcmp(&(s->s3->tmp.finish_md[0]),p,
-				MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
+		if (i == 0)
 			{
 			al=SSL_AD_DECRYPT_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
@@ -1472,7 +1526,7 @@ static int ssl3_get_cert_verify(SSL *s)
 		if (pkey->type == EVP_PKEY_DSA)
 		{
 		j=DSA_verify(pkey->save_type,
-			&(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
+			&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
 			SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
 		if (j <= 0)
 			{
@@ -1532,7 +1586,7 @@ static int ssl3_get_client_certificate(SSL *s)
 			al=SSL_AD_HANDSHAKE_FAILURE;
 			goto f_err;
 			}
-		/* If tls asked for a client cert we must return a 0 list */
+		/* If tls asked for a client cert, the client must return a 0 list */
 		if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
@@ -1628,6 +1682,7 @@ static int ssl3_get_client_certificate(SSL *s)
 	if (s->session->peer != NULL) /* This should not be needed */
 		X509_free(s->session->peer);
 	s->session->peer=sk_X509_shift(sk);
+	s->session->verify_result = s->verify_result;
 
 	/* With the current implementation, sess_cert will always be NULL
 	 * when we arrive here. */
diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version
index b52599a164f..ba5a3fee584 100644
--- a/lib/libssl/shlib_version
+++ b/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
 major=2
-minor=0
+minor=2
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index fbe4f667fa1..f29f7753474 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -123,8 +123,9 @@ extern "C" {
 #define SSL_TXT_MD5		"MD5"
 #define SSL_TXT_SHA1		"SHA1"
 #define SSL_TXT_SHA		"SHA"
-#define SSL_TXT_EXP40		"EXP"
+#define SSL_TXT_EXP		"EXP"
 #define SSL_TXT_EXPORT		"EXPORT"
+#define SSL_TXT_EXP40		"EXPORT40"
 #define SSL_TXT_EXP56		"EXPORT56"
 #define SSL_TXT_SSLV2		"SSLv2"
 #define SSL_TXT_SSLV3		"SSLv3"
@@ -133,12 +134,7 @@ extern "C" {
 
 /* 'DEFAULT' at the start of the cipher list insert the following string
  * in addition to this being the default cipher string */
-#ifndef NO_RSA
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
-#else
-#define SSL_ALLOW_ADH
-#define SSL_DEFAULT_CIPHER_LIST	"HIGH:MEDIUM:LOW:ADH+3DES:ADH+RC4:ADH+DES:+EXP"
-#endif
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1
@@ -151,6 +147,10 @@ extern "C" {
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2)
+#define NO_SSL2
+#endif
+
 #define SSL_FILETYPE_ASN1	X509_FILETYPE_ASN1
 #define SSL_FILETYPE_PEM	X509_FILETYPE_PEM
 
@@ -166,8 +166,12 @@ typedef struct ssl_cipher_st
 	const char *name;		/* text name */
 	unsigned long id;		/* id, 4 bytes, first is version */
 	unsigned long algorithms;	/* what ciphers are used */
+	unsigned long algo_strength;	/* strength and export flags */
 	unsigned long algorithm2;	/* Extra flags */
+	int strength_bits;		/* Number of bits really used */
+	int alg_bits;			/* Number of bits for algorithm */
 	unsigned long mask;		/* used for matching */
+	unsigned long mask_strength;	/* also used for matching */
 	} SSL_CIPHER;
 
 DECLARE_STACK_OF(SSL_CIPHER)
@@ -201,6 +205,8 @@ typedef struct ssl_method_st
 	long (*get_timeout)(void);
 	struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
 	int (*ssl_version)();
+	long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
+	long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
 	} SSL_METHOD;
 
 /* Lets make this into an ASN.1 type structure as follows
@@ -215,7 +221,8 @@ typedef struct ssl_method_st
  *	Timeout [ 2 ] EXPLICIT	INTEGER,	-- optional Timeout ins seconds
  *	Peer [ 3 ] EXPLICIT	X509,		-- optional Peer Certificate
  *	Session_ID_context [ 4 ] EXPLICIT OCTET_STRING,   -- the Session ID context
- *	Compression [5] IMPLICIT ASN1_OBJECT	-- compression OID XXXXX
+ *	Verify_result [ 5 ] EXPLICIT INTEGER    -- X509_V_... code for `Peer'
+ *	Compression [6] IMPLICIT ASN1_OBJECT	-- compression OID XXXXX
  *	}
  * Look in ssl/ssl_asn1.c for more details
  * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
@@ -249,6 +256,9 @@ typedef struct ssl_session_st
 	 * (the latter is not enough as sess_cert is not retained
 	 * in the external representation of sessions, see ssl_asn1.c). */
 	X509 *peer;
+	/* when app_verify_callback accepts a session where the peer's certificate
+	 * is not ok, we must remember the error for session reuse: */
+	long verify_result; /* only for servers */
 
 	int references;
 	long timeout;
@@ -291,6 +301,7 @@ typedef struct ssl_session_st
 #define SSL_OP_PKCS1_CHECK_1				0x08000000L
 #define SSL_OP_PKCS1_CHECK_2				0x10000000L
 #define SSL_OP_NETSCAPE_CA_DN_BUG			0x20000000L
+/* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */
 #define SSL_OP_NON_EXPORT_FIRST 			0x40000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x80000000L
 #define SSL_OP_ALL					0x000FFFFFL
@@ -355,9 +366,9 @@ struct ssl_ctx_st
 	STACK_OF(SSL_CIPHER) *cipher_list_by_id;
 
 	struct x509_store_st /* X509_STORE */ *cert_store;
-	struct lhash_st /* LHASH */ *sessions;	/* a set of SSL_SESSION's */
+	struct lhash_st /* LHASH */ *sessions;	/* a set of SSL_SESSIONs */
 	/* Most session-ids that will be cached, default is
-	 * SSL_SESSION_CACHE_SIZE_DEFAULT. 0 is unlimited. */
+	 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
 	unsigned long session_cache_size;
 	struct ssl_session_st *session_cache_head;
 	struct ssl_session_st *session_cache_tail;
@@ -424,6 +435,9 @@ struct ssl_ctx_st
 /**/	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 /**/	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
 
+	int purpose;		/* Purpose setting */
+	int trust;		/* Trust setting */
+
 	/* Default password callback. */
 /**/	pem_password_cb *default_passwd_callback;
 
@@ -433,7 +447,7 @@ struct ssl_ctx_st
 	/* get client cert callback */
 /**/	int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
 
-	/* what we put in client requests */
+	/* what we put in client cert requests */
 	STACK_OF(X509_NAME) *client_CA;
 
 /**/	int quiet_shutdown;
@@ -458,6 +472,7 @@ struct ssl_ctx_st
  * defined, this will still get called. */
 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP	0x0100
 
+  struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
 #define SSL_CTX_sess_number(ctx) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
 #define SSL_CTX_sess_connect(ctx) \
@@ -564,17 +579,21 @@ struct ssl_st
 	unsigned char *packet;
 	unsigned int packet_length;
 
-	struct ssl2_ctx_st *s2;	/* SSLv2 variables */
-	struct ssl3_ctx_st *s3;	/* SSLv3 variables */
+	struct ssl2_state_st *s2; /* SSLv2 variables */
+	struct ssl3_state_st *s3; /* SSLv3 variables */
 
-	int read_ahead;		/* Read as many input bytes as possible */
+	int read_ahead;		/* Read as many input bytes as possible
+	               	 	 * (for non-blocking reads) */
 	int hit;		/* reusing a previous session */
 
+	int purpose;		/* Purpose setting */
+	int trust;		/* Trust setting */
+
 	/* crypto */
 	STACK_OF(SSL_CIPHER) *cipher_list;
 	STACK_OF(SSL_CIPHER) *cipher_list_by_id;
 
-	/* These are the ones being used, the ones is SSL_SESSION are
+	/* These are the ones being used, the ones in SSL_SESSION are
 	 * the ones to be 'copied' into these ones */
 
 	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
@@ -634,7 +653,7 @@ struct ssl_st
 	unsigned long mode; /* API behaviour */
 	int first_packet;
 	int client_version;	/* what was passed, used for
-				 * SSLv3/TLS rolback check */
+				 * SSLv3/TLS rollback check */
 	};
 
 #include <openssl/ssl2.h>
@@ -642,7 +661,7 @@ struct ssl_st
 #include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
 #include <openssl/ssl23.h>
 
-/* compatablity */
+/* compatibility */
 #define SSL_set_app_data(s,arg)		(SSL_set_ex_data(s,0,(char *)arg))
 #define SSL_get_app_data(s)		(SSL_get_ex_data(s,0))
 #define SSL_SESSION_set_app_data(s,a)	(SSL_SESSION_set_ex_data(s,0,(char *)a))
@@ -651,7 +670,7 @@ struct ssl_st
 #define SSL_CTX_set_app_data(ctx,arg)	(SSL_CTX_set_ex_data(ctx,0,(char *)arg))
 
 /* The following are the possible values for ssl->state are are
- * used to indicate where we are upto in the SSL connection establishment.
+ * used to indicate where we are up to in the SSL connection establishment.
  * The macros that follow are about the only things you should need to use
  * and even then, only when using non-blocking IO.
  * It can also be useful to work out where you were when the connection
@@ -693,6 +712,13 @@ struct ssl_st
 #define SSL_ST_READ_BODY			0xF1
 #define SSL_ST_READ_DONE			0xF2
 
+/* Obtain latest Finished message
+ *   -- that we sent (SSL_get_finished)
+ *   -- that we expected from peer (SSL_get_peer_finished).
+ * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+
 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
  * are 'ored' with SSL_VERIFY_PEER if they are desired */
 #define SSL_VERIFY_NONE			0x00
@@ -700,9 +726,10 @@ struct ssl_st
 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT	0x02
 #define SSL_VERIFY_CLIENT_ONCE		0x04
 
+#define OpenSSL_add_ssl_algorithms()	SSL_library_init()
 #define SSLeay_add_ssl_algorithms()	SSL_library_init()
 
-/* this is for backward compatablility */
+/* this is for backward compatibility */
 #if 0 /* NEW_SSLEAY */
 #define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
 #define SSL_set_pref_cipher(c,n)	SSL_set_cipher_list(c,n)
@@ -710,7 +737,7 @@ struct ssl_st
 #define SSL_remove_session(a,b)		SSL_CTX_remove_session((a),(b))
 #define SSL_flush_sessions(a,b)		SSL_CTX_flush_sessions((a),(b))
 #endif
-/* More backward compatablity */
+/* More backward compatibility */
 #define SSL_get_cipher(s) \
 		SSL_CIPHER_get_name(SSL_get_current_cipher(s))
 #define SSL_get_cipher_bits(s,np) \
@@ -762,11 +789,11 @@ struct ssl_st
 #define SSL_AD_ACCESS_DENIED		TLS1_AD_ACCESS_DENIED	/* fatal */
 #define SSL_AD_DECODE_ERROR		TLS1_AD_DECODE_ERROR	/* fatal */
 #define SSL_AD_DECRYPT_ERROR		TLS1_AD_DECRYPT_ERROR
-#define SSL_AD_EXPORT_RESTRICION	TLS1_AD_EXPORT_RESTRICION/* fatal */
+#define SSL_AD_EXPORT_RESTRICTION	TLS1_AD_EXPORT_RESTRICTION/* fatal */
 #define SSL_AD_PROTOCOL_VERSION		TLS1_AD_PROTOCOL_VERSION /* fatal */
 #define SSL_AD_INSUFFICIENT_SECURITY	TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
 #define SSL_AD_INTERNAL_ERROR		TLS1_AD_INTERNAL_ERROR	/* fatal */
-#define SSL_AD_USER_CANCLED		TLS1_AD_USER_CANCLED
+#define SSL_AD_USER_CANCELLED		TLS1_AD_USER_CANCELLED
 #define SSL_AD_NO_RENEGOTIATION		TLS1_AD_NO_RENEGOTIATION
 
 #define SSL_ERROR_NONE			0
@@ -867,7 +894,7 @@ void BIO_ssl_shutdown(BIO *ssl_bio);
 
 #endif
 
-int	SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
+int	SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
 void	SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
@@ -899,7 +926,7 @@ void	SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
 BIO *	SSL_get_rbio(SSL *s);
 BIO *	SSL_get_wbio(SSL *s);
 #endif
-int	SSL_set_cipher_list(SSL *s, char *str);
+int	SSL_set_cipher_list(SSL *s, const char *str);
 void	SSL_set_read_ahead(SSL *s, int yes);
 int	SSL_get_verify_mode(SSL *s);
 int	SSL_get_verify_depth(SSL *s);
@@ -998,6 +1025,12 @@ int	SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
 SSL *	SSL_new(SSL_CTX *ctx);
 int	SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
 				   unsigned int sid_ctx_len);
+
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
+int SSL_set_purpose(SSL *s, int purpose);
+int SSL_CTX_set_trust(SSL_CTX *s, int trust);
+int SSL_set_trust(SSL *s, int trust);
+
 void	SSL_free(SSL *ssl);
 int 	SSL_accept(SSL *ssl);
 int 	SSL_connect(SSL *ssl);
@@ -1005,10 +1038,12 @@ int 	SSL_read(SSL *ssl,char *buf,int num);
 int 	SSL_peek(SSL *ssl,char *buf,int num);
 int 	SSL_write(SSL *ssl,const char *buf,int num);
 long	SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
+long	SSL_callback_ctrl(SSL *, int, void (*)());
 long	SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
+long	SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
 
 int	SSL_get_error(SSL *s,int ret_code);
-char *	SSL_get_version(SSL *s);
+const char *SSL_get_version(SSL *s);
 
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1074,7 +1109,9 @@ int SSL_version(SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 	const char *CApath);
+#define SSL_get0_session SSL_get_session /* just peek at pointer */
 SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
 SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
 void SSL_set_info_callback(SSL *ssl,void (*cb)());
 void (*SSL_get_info_callback(SSL *ssl))();
@@ -1085,18 +1122,18 @@ long SSL_get_verify_result(SSL *ssl);
 
 int SSL_set_ex_data(SSL *ssl,int idx,void *data);
 void *SSL_get_ex_data(SSL *ssl,int idx);
-int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	int (*dup_func)(), void (*free_func)());
+int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
 void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
-int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	int (*dup_func)(), void (*free_func)());
+int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
 void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
-int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	int (*dup_func)(), void (*free_func)());
+int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void );
 
@@ -1219,13 +1256,18 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_F_SSL_CERT_INSTANTIATE			 214
 #define SSL_F_SSL_CERT_NEW				 162
 #define SSL_F_SSL_CHECK_PRIVATE_KEY			 163
+#define SSL_F_SSL_CIPHER_PROCESS_RULESTR		 230
+#define SSL_F_SSL_CIPHER_STRENGTH_SORT			 231
 #define SSL_F_SSL_CLEAR					 164
 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
 #define SSL_F_SSL_CREATE_CIPHER_LIST			 166
+#define SSL_F_SSL_CTRL					 232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
 #define SSL_F_SSL_CTX_NEW				 169
+#define SSL_F_SSL_CTX_SET_PURPOSE			 226
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT		 219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION			 170
+#define SSL_F_SSL_CTX_SET_TRUST				 229
 #define SSL_F_SSL_CTX_USE_CERTIFICATE			 171
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1		 172
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE	 220
@@ -1253,9 +1295,11 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_F_SSL_SET_CERT				 191
 #define SSL_F_SSL_SET_FD				 192
 #define SSL_F_SSL_SET_PKEY				 193
+#define SSL_F_SSL_SET_PURPOSE				 227
 #define SSL_F_SSL_SET_RFD				 194
 #define SSL_F_SSL_SET_SESSION				 195
 #define SSL_F_SSL_SET_SESSION_ID_CONTEXT		 218
+#define SSL_F_SSL_SET_TRUST				 228
 #define SSL_F_SSL_SET_WFD				 196
 #define SSL_F_SSL_SHUTDOWN				 224
 #define SSL_F_SSL_UNDEFINED_FUNCTION			 197
@@ -1282,7 +1326,6 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_BAD_AUTHENTICATION_TYPE			 102
 #define SSL_R_BAD_CHANGE_CIPHER_SPEC			 103
 #define SSL_R_BAD_CHECKSUM				 104
-#define SSL_R_BAD_CLIENT_REQUEST			 105
 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK		 106
 #define SSL_R_BAD_DECOMPRESSION				 107
 #define SSL_R_BAD_DH_G_LENGTH				 108
@@ -1290,6 +1333,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_BAD_DH_P_LENGTH				 110
 #define SSL_R_BAD_DIGEST_LENGTH				 111
 #define SSL_R_BAD_DSA_SIGNATURE				 112
+#define SSL_R_BAD_HELLO_REQUEST				 105
 #define SSL_R_BAD_LENGTH				 271
 #define SSL_R_BAD_MAC_DECODE				 113
 #define SSL_R_BAD_MESSAGE_TYPE				 114
@@ -1329,6 +1373,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
 #define SSL_R_DIGEST_CHECK_FAILED			 149
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
+#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY		 1092
 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
 #define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
 #define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
@@ -1337,6 +1382,9 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_HTTP_REQUEST				 156
 #define SSL_R_INTERNAL_ERROR				 157
 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
+#define SSL_R_INVALID_COMMAND				 280
+#define SSL_R_INVALID_PURPOSE				 278
+#define SSL_R_INVALID_TRUST				 279
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
@@ -1429,14 +1477,14 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR			 1050
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		 1021
 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR			 1051
-#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION		 1060
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		 1060
 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY		 1071
 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR		 1080
 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		 1100
 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		 1070
 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW		 1022
 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA			 1048
-#define SSL_R_TLSV1_ALERT_USER_CANCLED			 1090
+#define SSL_R_TLSV1_ALERT_USER_CANCELLED		 1090
 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 232
 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 234
@@ -1464,6 +1512,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
 #define SSL_R_UNKNOWN_STATE				 255
 #define SSL_R_UNSUPPORTED_CIPHER			 256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
+#define SSL_R_UNSUPPORTED_OPTION			 1091
 #define SSL_R_UNSUPPORTED_PROTOCOL			 258
 #define SSL_R_UNSUPPORTED_SSL_VERSION			 259
 #define SSL_R_WRITE_BIO_NOT_SET				 260
diff --git a/lib/libssl/ssl2.h b/lib/libssl/ssl2.h
index d7f24ac1b4e..01d41c88c57 100644
--- a/lib/libssl/ssl2.h
+++ b/lib/libssl/ssl2.h
@@ -151,7 +151,7 @@ extern "C" {
 #define  CERT		char
 #endif
 
-typedef struct ssl2_ctx_st
+typedef struct ssl2_state_st
 	{
 	int three_byte_header;
 	int clear_text;		/* clear text */
@@ -214,7 +214,7 @@ typedef struct ssl2_ctx_st
 		unsigned int clen;
 		unsigned int rlen;
 		} tmp;
-	} SSL2_CTX;
+	} SSL2_STATE;
 
 /* SSLv2 */
 /* client */
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index 2a9714fc19b..f616763830e 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -158,24 +158,8 @@ extern "C" {
 #define SSL3_RT_MAX_PACKET_SIZE		(SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
 #define SSL3_RT_MAX_DATA_SIZE			(1024*1024)
 
-/* the states that a SSL3_RECORD can be in
- * For SSL_read it goes
- * rbuf->ENCODED	-> read 
- * ENCODED		-> we need to decode everything - call decode_record
- */
- 
-#define SSL3_RS_BLANK			1
-#define SSL3_RS_DATA
-
-#define SSL3_RS_ENCODED			2
-#define SSL3_RS_READ_MORE		3
-#define SSL3_RS_WRITE_MORE
-#define SSL3_RS_PLAIN			3
-#define SSL3_RS_PART_READ		4
-#define SSL3_RS_PART_WRITE		5
-
-#define SSL3_MD_CLIENT_FINISHED_CONST	{0x43,0x4C,0x4E,0x54}
-#define SSL3_MD_SERVER_FINISHED_CONST	{0x53,0x52,0x56,0x52}
+#define SSL3_MD_CLIENT_FINISHED_CONST	"\x43\x4C\x4E\x54"
+#define SSL3_MD_SERVER_FINISHED_CONST	"\x53\x52\x56\x52"
 
 #define SSL3_VERSION			0x0300
 #define SSL3_VERSION_MAJOR		0x03
@@ -204,22 +188,20 @@ extern "C" {
 
 typedef struct ssl3_record_st
 	{
-/*r */	int type;		/* type of record */
-/*  */	/*int state;*/		/* any data in it? */
-/*rw*/	unsigned int length;	/* How many bytes available */
-/*r */	unsigned int off;	/* read/write offset into 'buf' */
-/*rw*/	unsigned char *data;	/* pointer to the record data */
-/*rw*/	unsigned char *input;	/* where the decode bytes are */
-/*r */	unsigned char *comp;	/* only used with decompression - malloc()ed */
+/*r */	int type;               /* type of record */
+/*rw*/	unsigned int length;    /* How many bytes available */
+/*r */	unsigned int off;       /* read/write offset into 'buf' */
+/*rw*/	unsigned char *data;    /* pointer to the record data */
+/*rw*/	unsigned char *input;   /* where the decode bytes are */
+/*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
 	{
-/*r */	int total;		/* used in non-blocking writes */
-/*r */	int wanted;		/* how many more bytes we need */
-/*rw*/	int left;		/* how many bytes left */
-/*rw*/	int offset;		/* where to 'copy from' */
-/*rw*/	unsigned char *buf;	/* SSL3_RT_MAX_PACKET_SIZE bytes */
+	unsigned char *buf;	/* SSL3_RT_MAX_PACKET_SIZE bytes (more if
+	                   	 * SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER is set) */
+	int offset;		/* where to 'copy from' */
+	int left;		/* how many bytes left */
 	} SSL3_BUFFER;
 
 #define SSL3_CT_RSA_SIGN			1
@@ -236,34 +218,7 @@ typedef struct ssl3_buffer_st
 #define SSL3_FLAGS_POP_BUFFER			0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 
-#if 0
-#define AD_CLOSE_NOTIFY			0
-#define AD_UNEXPECTED_MESSAGE		1
-#define AD_BAD_RECORD_MAC		2
-#define AD_DECRYPTION_FAILED		3
-#define AD_RECORD_OVERFLOW		4
-#define AD_DECOMPRESSION_FAILURE	5	/* fatal */
-#define AD_HANDSHAKE_FAILURE		6	/* fatal */
-#define AD_NO_CERTIFICATE		7	/* Not under TLS */
-#define AD_BAD_CERTIFICATE		8
-#define AD_UNSUPPORTED_CERTIFICATE	9
-#define AD_CERTIFICATE_REVOKED		10	
-#define AD_CERTIFICATE_EXPIRED		11
-#define AD_CERTIFICATE_UNKNOWN		12
-#define AD_ILLEGAL_PARAMETER		13	/* fatal */
-#define AD_UNKNOWN_CA			14	/* fatal */
-#define AD_ACCESS_DENIED		15	/* fatal */
-#define AD_DECODE_ERROR			16	/* fatal */
-#define AD_DECRYPT_ERROR		17
-#define AD_EXPORT_RESTRICION		18	/* fatal */
-#define AD_PROTOCOL_VERSION		19	/* fatal */
-#define AD_INSUFFICIENT_SECURITY	20	/* fatal */
-#define AD_INTERNAL_ERROR		21	/* fatal */
-#define AD_USER_CANCLED			22
-#define AD_NO_RENEGOTIATION		23
-#endif
-
-typedef struct ssl3_ctx_st
+typedef struct ssl3_state_st
 	{
 	long flags;
 	int delay_buf_pop_ret;
@@ -278,10 +233,16 @@ typedef struct ssl3_ctx_st
 
 	SSL3_BUFFER rbuf;	/* read IO goes into here */
 	SSL3_BUFFER wbuf;	/* write IO goes into here */
+
 	SSL3_RECORD rrec;	/* each decoded record goes in here */
 	SSL3_RECORD wrec;	/* goes out from here */
-				/* Used by ssl3_read_n to point
-				 * to input data packet */
+
+	/* storage for Alert/Handshake protocol data received but not
+	 * yet processed by ssl3_read_bytes: */
+	unsigned char alert_fragment[2];
+	unsigned int alert_fragment_len;
+	unsigned char handshake_fragment[4];
+	unsigned int handshake_fragment_len;
 
 	/* partial write - check the numbers match */
 	unsigned int wnum;	/* number of bytes sent so far */
@@ -300,7 +261,7 @@ typedef struct ssl3_ctx_st
 
 	int warn_alert;
 	int fatal_alert;
-	/* we alow one fatal and one warning alert to be outstanding,
+	/* we allow one fatal and one warning alert to be outstanding,
 	 * send close alert via the warning alert */
 	int alert_dispatch;
 	unsigned char send_alert[2];
@@ -314,8 +275,14 @@ typedef struct ssl3_ctx_st
 	int in_read_app_data;
 
 	struct	{
-		/* Actually only needs to be 16+20 for SSLv3 and 12 for TLS */
+		/* actually only needs to be 16+20 */
+		unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
+
+		/* actually only need to be 16+20 for SSLv3 and 12 for TLS */
 		unsigned char finish_md[EVP_MAX_MD_SIZE*2];
+		int finish_md_len;
+		unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
+		int peer_finish_md_len;
 		
 		unsigned long message_size;
 		int message_type;
@@ -351,7 +318,7 @@ typedef struct ssl3_ctx_st
 		int cert_request;
 		} tmp;
 
-	} SSL3_CTX;
+	} SSL3_STATE;
 
 /* SSLv3 */
 /*client */
@@ -429,7 +396,7 @@ typedef struct ssl3_ctx_st
 #define SSL3_ST_SW_FINISHED_A		(0x1E0|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_FINISHED_B		(0x1E1|SSL_ST_ACCEPT)
 
-#define SSL3_MT_CLIENT_REQUEST			0
+#define SSL3_MT_HELLO_REQUEST			0
 #define SSL3_MT_CLIENT_HELLO			1
 #define SSL3_MT_SERVER_HELLO			2
 #define SSL3_MT_CERTIFICATE			11
diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c
index 0f6a0884e4a..e77cdddfd3f 100644
--- a/lib/libssl/ssl_asn1.c
+++ b/lib/libssl/ssl_asn1.c
@@ -60,6 +60,7 @@
 #include <stdlib.h>
 #include <openssl/asn1_mac.h>
 #include <openssl/objects.h>
+#include <openssl/x509.h>
 #include "ssl_locl.h"
 
 typedef struct ssl_session_asn1_st
@@ -73,14 +74,15 @@ typedef struct ssl_session_asn1_st
 	ASN1_OCTET_STRING key_arg;
 	ASN1_INTEGER time;
 	ASN1_INTEGER timeout;
+	ASN1_INTEGER verify_result;
 	} SSL_SESSION_ASN1;
 
 int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 	{
 #define LSIZE2 (sizeof(long)*2)
-	int v1=0,v2=0,v3=0,v4=0;
+	int v1=0,v2=0,v3=0,v4=0,v5=0;
 	unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
-	unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2];
+	unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
 	long l;
 	SSL_SESSION_ASN1 a;
 	M_ASN1_I2D_vars(in);
@@ -89,7 +91,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 		return(0);
 
 	/* Note that I cheat in the following 2 assignments.  I know
-	 * that if the ASN1_INTERGER passed to ASN1_INTEGER_set
+	 * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
 	 * is > sizeof(long)+1, the buffer will not be re-Malloc()ed.
 	 * This is a bit evil but makes things simple, no dynamic allocation
 	 * to clean up :-) */
@@ -156,6 +158,14 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 		ASN1_INTEGER_set(&(a.timeout),in->timeout);
 		}
 
+	if (in->verify_result != X509_V_OK)
+		{
+		a.verify_result.length=LSIZE2;
+		a.verify_result.type=V_ASN1_INTEGER;
+		a.verify_result.data=ibuf5;
+		ASN1_INTEGER_set(&a.verify_result,in->verify_result);
+		}
+
 	M_ASN1_I2D_len(&(a.version),		i2d_ASN1_INTEGER);
 	M_ASN1_I2D_len(&(a.ssl_version),	i2d_ASN1_INTEGER);
 	M_ASN1_I2D_len(&(a.cipher),		i2d_ASN1_OCTET_STRING);
@@ -170,6 +180,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 	if (in->peer != NULL)
 		M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
 	M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
+	if (in->verify_result != X509_V_OK)
+		M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
 
 	M_ASN1_I2D_seq_total();
 
@@ -188,7 +200,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 		M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
 	M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
 			       v4);
-
+	if (in->verify_result != X509_V_OK)
+		M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
 	M_ASN1_I2D_finish();
 	}
 
@@ -322,6 +335,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 	else
 	    ret->sid_ctx_length=0;
 
+	ai.length=0;
+	M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
+	if (ai.data != NULL)
+		{
+		ret->verify_result=ASN1_INTEGER_get(aip);
+		Free(ai.data); ai.data=NULL; ai.length=0;
+		}
+	else
+		ret->verify_result=X509_V_OK;
+
 	M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
 	}
-
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 6d2511f76c2..48f247ceaca 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -105,17 +105,26 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#if !defined(WIN32) && !defined(VSM) && !defined(NeXT)
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
 #include <dirent.h>
 #endif
+
 #ifdef NeXT
 #include <sys/dir.h>
 #define dirent direct
 #endif
+
 #include <openssl/objects.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
+#include <openssl/x509v3.h>
 #include "ssl_locl.h"
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
@@ -422,8 +431,16 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 	X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
 	if (SSL_get_verify_depth(s) >= 0)
 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
-		(char *)s);
+	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+	/* We need to set the verify purpose. The purpose can be determined by
+	 * the context: if its a server it will verify SSL client certificates
+	 * or vice versa.
+         */
+
+	if(s->server) i = X509_PURPOSE_SSL_CLIENT;
+	else i = X509_PURPOSE_SSL_SERVER;
+
+	X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
 
 	if (s->ctx->app_verify_callback != NULL)
 		i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
@@ -534,7 +551,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
 	return(add_client_CA(&(ctx->client_CA),x));
 	}
 
-static int name_cmp(X509_NAME **a,X509_NAME **b)
+static int xname_cmp(X509_NAME **a,X509_NAME **b)
 	{
 	return(X509_NAME_cmp(*a,*b));
 	}
@@ -556,7 +573,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 	STACK_OF(X509_NAME) *ret,*sk;
 
 	ret=sk_X509_NAME_new(NULL);
-	sk=sk_X509_NAME_new(name_cmp);
+	sk=sk_X509_NAME_new(xname_cmp);
 
 	in=BIO_new(BIO_s_file_internal());
 
@@ -617,7 +634,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
     int ret=1;
     int (*oldcmp)(X509_NAME **a, X509_NAME **b);
 
-    oldcmp=sk_X509_NAME_set_cmp_func(stack,name_cmp);
+    oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
 
     in=BIO_new(BIO_s_file_internal());
 
@@ -671,6 +688,7 @@ err:
 
 #ifndef WIN32
 #ifndef VMS			/* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
 
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 				       const char *dir)
@@ -714,3 +732,4 @@ err:
 
 #endif
 #endif
+#endif
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 4c2989c47a3..1cbc2886e92 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -83,24 +83,11 @@ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
 	NULL,NULL,
 	};
 
-typedef struct cipher_sort_st
-	{
-	SSL_CIPHER *cipher;
-	int pref;
-	} CIPHER_SORT;
-
 #define CIPHER_ADD	1
 #define CIPHER_KILL	2
 #define CIPHER_DEL	3
 #define CIPHER_ORD	4
-
-typedef struct cipher_choice_st
-	{
-	int type;
-	unsigned long algorithms;
-	unsigned long mask;
-	long top;
-	} CIPHER_CHOICE;
+#define CIPHER_SPECIAL	5
 
 typedef struct cipher_order_st
 	{
@@ -110,59 +97,55 @@ typedef struct cipher_order_st
 	struct cipher_order_st *next,*prev;
 	} CIPHER_ORDER;
 
-static SSL_CIPHER cipher_aliases[]={
+static const SSL_CIPHER cipher_aliases[]={
 	/* Don't include eNULL unless specifically enabled */
-	{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
-	{0,SSL_TXT_kRSA,0,SSL_kRSA,  0,SSL_MKEY_MASK},
-	{0,SSL_TXT_kDHr,0,SSL_kDHr,  0,SSL_MKEY_MASK},
-	{0,SSL_TXT_kDHd,0,SSL_kDHd,  0,SSL_MKEY_MASK},
-	{0,SSL_TXT_kEDH,0,SSL_kEDH,  0,SSL_MKEY_MASK},
-	{0,SSL_TXT_kFZA,0,SSL_kFZA,  0,SSL_MKEY_MASK},
-	{0,SSL_TXT_DH,	0,SSL_DH,    0,SSL_MKEY_MASK},
-	{0,SSL_TXT_EDH,	0,SSL_EDH,   0,SSL_MKEY_MASK|SSL_AUTH_MASK},
-
-	{0,SSL_TXT_aRSA,0,SSL_aRSA,  0,SSL_AUTH_MASK},
-	{0,SSL_TXT_aDSS,0,SSL_aDSS,  0,SSL_AUTH_MASK},
-	{0,SSL_TXT_aFZA,0,SSL_aFZA,  0,SSL_AUTH_MASK},
-	{0,SSL_TXT_aNULL,0,SSL_aNULL,0,SSL_AUTH_MASK},
-	{0,SSL_TXT_aDH, 0,SSL_aDH,   0,SSL_AUTH_MASK},
-	{0,SSL_TXT_DSS,	0,SSL_DSS,   0,SSL_AUTH_MASK},
-
-	{0,SSL_TXT_DES,	0,SSL_DES,   0,SSL_ENC_MASK},
-	{0,SSL_TXT_3DES,0,SSL_3DES,  0,SSL_ENC_MASK},
-	{0,SSL_TXT_RC4,	0,SSL_RC4,   0,SSL_ENC_MASK},
-	{0,SSL_TXT_RC2,	0,SSL_RC2,   0,SSL_ENC_MASK},
-	{0,SSL_TXT_IDEA,0,SSL_IDEA,  0,SSL_ENC_MASK},
-	{0,SSL_TXT_eNULL,0,SSL_eNULL,0,SSL_ENC_MASK},
-	{0,SSL_TXT_eFZA,0,SSL_eFZA,  0,SSL_ENC_MASK},
-
-	{0,SSL_TXT_MD5,	0,SSL_MD5,   0,SSL_MAC_MASK},
-	{0,SSL_TXT_SHA1,0,SSL_SHA1,  0,SSL_MAC_MASK},
-	{0,SSL_TXT_SHA,	0,SSL_SHA,   0,SSL_MAC_MASK},
-
-	{0,SSL_TXT_NULL,0,SSL_NULL,  0,SSL_ENC_MASK},
-	{0,SSL_TXT_RSA,	0,SSL_RSA,   0,SSL_AUTH_MASK|SSL_MKEY_MASK},
-	{0,SSL_TXT_ADH,	0,SSL_ADH,   0,SSL_AUTH_MASK|SSL_MKEY_MASK},
-	{0,SSL_TXT_FZA,	0,SSL_FZA,   0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
-
-	{0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,SSL_EXP_MASK},
-	{0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,SSL_EXP_MASK},
-	{0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,SSL_EXP_MASK},
-	{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
-	{0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
-	{0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
-	{0,SSL_TXT_LOW,   0,SSL_LOW,   0,SSL_STRONG_MASK},
-	{0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
-	{0,SSL_TXT_HIGH,  0,SSL_HIGH,  0,SSL_STRONG_MASK},
+	{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+	{0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kDHd,0,SSL_kDHd,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kEDH,0,SSL_kEDH,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_kFZA,0,SSL_kFZA,  0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_DH,	0,SSL_DH,    0,0,0,0,SSL_MKEY_MASK,0},
+	{0,SSL_TXT_EDH,	0,SSL_EDH,   0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
+
+	{0,SSL_TXT_aRSA,0,SSL_aRSA,  0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aDSS,0,SSL_aDSS,  0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aFZA,0,SSL_aFZA,  0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_aDH, 0,SSL_aDH,   0,0,0,0,SSL_AUTH_MASK,0},
+	{0,SSL_TXT_DSS,	0,SSL_DSS,   0,0,0,0,SSL_AUTH_MASK,0},
+
+	{0,SSL_TXT_DES,	0,SSL_DES,   0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_3DES,0,SSL_3DES,  0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_RC4,	0,SSL_RC4,   0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_RC2,	0,SSL_RC2,   0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_IDEA,0,SSL_IDEA,  0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_eFZA,0,SSL_eFZA,  0,0,0,0,SSL_ENC_MASK,0},
+
+	{0,SSL_TXT_MD5,	0,SSL_MD5,   0,0,0,0,SSL_MAC_MASK,0},
+	{0,SSL_TXT_SHA1,0,SSL_SHA1,  0,0,0,0,SSL_MAC_MASK,0},
+	{0,SSL_TXT_SHA,	0,SSL_SHA,   0,0,0,0,SSL_MAC_MASK,0},
+
+	{0,SSL_TXT_NULL,0,SSL_NULL,  0,0,0,0,SSL_ENC_MASK,0},
+	{0,SSL_TXT_RSA,	0,SSL_RSA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
+	{0,SSL_TXT_ADH,	0,SSL_ADH,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
+	{0,SSL_TXT_FZA,	0,SSL_FZA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
+
+	{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
+	{0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
+	{0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
+
+	{0,SSL_TXT_EXP   ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
+	{0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
+	{0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
+	{0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
 	};
 
 static int init_ciphers=1;
-static void load_ciphers();
-
-static int cmp_by_name(SSL_CIPHER **a, SSL_CIPHER **b)
-	{
-	return(strcmp((*a)->name,(*b)->name));
-	}
 
 static void load_ciphers(void)
 	{
@@ -294,170 +277,320 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
 	*tail=curr;
 	}
 
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
-		STACK_OF(SSL_CIPHER) **cipher_list,
-		STACK_OF(SSL_CIPHER) **cipher_list_by_id,
-		char *str)
+static unsigned long ssl_cipher_get_disabled(void)
 	{
-	SSL_CIPHER *c;
-	char *l;
-	STACK_OF(SSL_CIPHER) *ret=NULL,*ok=NULL;
-#define CL_BUF	40
-	char buf[CL_BUF];
-	char *tmp_str=NULL;
-	unsigned long mask,algorithms,ma;
-	char *start;
-	int i,j,k,num=0,ch,multi;
-	unsigned long al;
-	STACK *ca_list=NULL;
-	int current_x,num_x;
-	CIPHER_CHOICE *ops=NULL;
-	CIPHER_ORDER *list=NULL,*head=NULL,*tail=NULL,*curr,*tail2,*curr2;
-	int list_num;
-	int type;
-	SSL_CIPHER c_tmp,*cp;
-
-	if (str == NULL) return(NULL);
-
-	if (strncmp(str,"DEFAULT",7) == 0)
-		{
-		i=strlen(str)+2+strlen(SSL_DEFAULT_CIPHER_LIST);
-		if ((tmp_str=Malloc(i)) == NULL)
-			{
-			SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
-			goto err;
-			}
-		strcpy(tmp_str,SSL_DEFAULT_CIPHER_LIST);
-		strcat(tmp_str,":");
-		strcat(tmp_str,&(str[7]));
-		str=tmp_str;
-		}
-	if (init_ciphers) load_ciphers();
-
-	num=ssl_method->num_ciphers();
-
-	if ((ret=sk_SSL_CIPHER_new(NULL)) == NULL) goto err;
-	if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
+	unsigned long mask;
 
-	mask =SSL_kFZA;
+	mask = SSL_kFZA;
 #ifdef NO_RSA
-	mask|=SSL_aRSA|SSL_kRSA;
+	mask |= SSL_aRSA|SSL_kRSA;
 #endif
 #ifdef NO_DSA
-	mask|=SSL_aDSS;
+	mask |= SSL_aDSS;
 #endif
 #ifdef NO_DH
-	mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
+	mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
 #endif
 
 #ifdef SSL_FORBID_ENULL
-	mask|=SSL_eNULL;
+	mask |= SSL_eNULL;
 #endif
 
-	mask|=(ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL)?SSL_DES :0;
-	mask|=(ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL)?SSL_3DES:0;
-	mask|=(ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL)?SSL_RC4 :0;
-	mask|=(ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL)?SSL_RC2 :0;
-	mask|=(ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL)?SSL_IDEA:0;
-	mask|=(ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL)?SSL_eFZA:0;
+	mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
+	mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
+	mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
+	mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
+	mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
+	mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
+
+	mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
+	mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
 
-	mask|=(ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL)?SSL_MD5 :0;
-	mask|=(ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL)?SSL_SHA1:0;
+	return(mask);
+	}
+
+static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
+		int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list,
+		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+	{
+	int i, list_num;
+	SSL_CIPHER *c;
 
-	if ((list=(CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER)*num)) == NULL)
-		goto err;
+	/*
+	 * We have num_of_ciphers descriptions compiled in, depending on the
+	 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
+	 * These will later be sorted in a linked list with at most num
+	 * entries.
+	 */
 
 	/* Get the initial list of ciphers */
-	list_num=0;
-	for (i=0; i<num; i++)
+	list_num = 0;	/* actual count of ciphers */
+	for (i = 0; i < num_of_ciphers; i++)
 		{
-		c=ssl_method->get_cipher((unsigned int)i);
+		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
 		if ((c != NULL) && c->valid && !(c->algorithms & mask))
 			{
-			list[list_num].cipher=c;
-			list[list_num].next=NULL;
-			list[list_num].prev=NULL;
-			list[list_num].active=0;
+			list[list_num].cipher = c;
+			list[list_num].next = NULL;
+			list[list_num].prev = NULL;
+			list[list_num].active = 0;
 			list_num++;
+			/*
 			if (!sk_push(ca_list,(char *)c)) goto err;
+			*/
 			}
 		}
-	
-	for (i=1; i<list_num-1; i++)
+
+	/*
+	 * Prepare linked list from list entries
+	 */	
+	for (i = 1; i < list_num - 1; i++)
 		{
-		list[i].prev= &(list[i-1]);
-		list[i].next= &(list[i+1]);
+		list[i].prev = &(list[i-1]);
+		list[i].next = &(list[i+1]);
 		}
 	if (list_num > 0)
 		{
-		head= &(list[0]);
-		head->prev=NULL;
-		head->next= &(list[1]);
-		tail= &(list[list_num-1]);
-		tail->prev= &(list[list_num-2]);
-		tail->next=NULL;
+		(*head_p) = &(list[0]);
+		(*head_p)->prev = NULL;
+		(*head_p)->next = &(list[1]);
+		(*tail_p) = &(list[list_num - 1]);
+		(*tail_p)->prev = &(list[list_num - 2]);
+		(*tail_p)->next = NULL;
 		}
+	}
 
-	/* special case */
-	cipher_aliases[0].algorithms &= ~mask;
+static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
+			int num_of_group_aliases, unsigned long mask,
+			CIPHER_ORDER *head)
+	{
+	CIPHER_ORDER *ciph_curr;
+	SSL_CIPHER **ca_curr;
+	int i;
 
-	/* get the aliases */
-	k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
-	for (j=0; j<k; j++)
+	/*
+	 * First, add the real ciphers as already collected
+	 */
+	ciph_curr = head;
+	ca_curr = ca_list;
+	while (ciph_curr != NULL)
 		{
-		al=cipher_aliases[j].algorithms;
-		/* Drop those that are not relevent */
-		if ((al & mask) == al) continue;
-		if (!sk_push(ca_list,(char *)&(cipher_aliases[j]))) goto err;
+		*ca_curr = ciph_curr->cipher;
+		ca_curr++;
+		ciph_curr = ciph_curr->next;
 		}
 
-	/* ca_list now holds a 'stack' of SSL_CIPHERS, some real, some
-	 * 'aliases' */
+	/*
+	 * Now we add the available ones from the cipher_aliases[] table.
+	 * They represent either an algorithm, that must be fully
+	 * supported (not match any bit in mask) or represent a cipher
+	 * strength value (will be added in any case because algorithms=0).
+	 */
+	for (i = 0; i < num_of_group_aliases; i++)
+		{
+		if ((i == 0) ||		/* always fetch "ALL" */
+		    !(cipher_aliases[i].algorithms & mask))
+			{
+			*ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
+			ca_curr++;
+			}
+		}
 
-	/* how many parameters are there? */
-	num=1;
-	for (l=str; *l; l++)
-		if (ITEM_SEP(*l))
-			num++;
-	ops=(CIPHER_CHOICE *)Malloc(sizeof(CIPHER_CHOICE)*num);
-	if (ops == NULL) goto err;
-	memset(ops,0,sizeof(CIPHER_CHOICE)*num);
+	*ca_curr = NULL;	/* end of list */
+	}
 
-	/* we now parse the input string and create our operations */
-	l=str;
-	i=0;
-	current_x=0;
+static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
+		unsigned long algo_strength, unsigned long mask_strength,
+		int rule, int strength_bits, CIPHER_ORDER *list,
+		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+	{
+	CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
+	SSL_CIPHER *cp;
+	unsigned long ma, ma_s;
 
+#ifdef CIPHER_DEBUG
+	printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
+		rule, algorithms, mask, algo_strength, mask_strength,
+		strength_bits);
+#endif
+
+	curr = head = *head_p;
+	curr2 = head;
+	tail2 = tail = *tail_p;
 	for (;;)
 		{
-		ch= *l;
+		if ((curr == NULL) || (curr == tail2)) break;
+		curr = curr2;
+		curr2 = curr->next;
+
+		cp = curr->cipher;
+
+		/*
+		 * Selection criteria is either the number of strength_bits
+		 * or the algorithm used.
+		 */
+		if (strength_bits == -1)
+			{
+			ma = mask & cp->algorithms;
+			ma_s = mask_strength & cp->algo_strength;
+
+#ifdef CIPHER_DEBUG
+			printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
+			printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
+#endif
+			/*
+			 * Select: if none of the mask bit was met from the
+			 * cipher or not all of the bits were met, the
+			 * selection does not apply.
+			 */
+			if (((ma == 0) && (ma_s == 0)) ||
+			    ((ma & algorithms) != ma) ||
+			    ((ma_s & algo_strength) != ma_s))
+				continue; /* does not apply */
+			}
+		else if (strength_bits != cp->strength_bits)
+			continue;	/* does not apply */
+
+#ifdef CIPHER_DEBUG
+		printf("Action = %d\n", rule);
+#endif
+
+		/* add the cipher if it has not been added yet. */
+		if (rule == CIPHER_ADD)
+			{
+			if (!curr->active)
+				{
+				ll_append_tail(&head, curr, &tail);
+				curr->active = 1;
+				}
+			}
+		/* Move the added cipher to this location */
+		else if (rule == CIPHER_ORD)
+			{
+			if (curr->active)
+				{
+				ll_append_tail(&head, curr, &tail);
+				}
+			}
+		else if	(rule == CIPHER_DEL)
+			curr->active = 0;
+		else if (rule == CIPHER_KILL)
+			{
+			if (head == curr)
+				head = curr->next;
+			else
+				curr->prev->next = curr->next;
+			if (tail == curr)
+				tail = curr->prev;
+			curr->active = 0;
+			if (curr->next != NULL)
+				curr->next->prev = curr->prev;
+			if (curr->prev != NULL)
+				curr->prev->next = curr->next;
+			curr->next = NULL;
+			curr->prev = NULL;
+			}
+		}
+
+	*head_p = head;
+	*tail_p = tail;
+	}
+
+static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+				     CIPHER_ORDER **tail_p)
+	{
+	int max_strength_bits, i, *number_uses;
+	CIPHER_ORDER *curr;
+
+	/*
+	 * This routine sorts the ciphers with descending strength. The sorting
+	 * must keep the pre-sorted sequence, so we apply the normal sorting
+	 * routine as '+' movement to the end of the list.
+	 */
+	max_strength_bits = 0;
+	curr = *head_p;
+	while (curr != NULL)
+		{
+		if (curr->active &&
+		    (curr->cipher->strength_bits > max_strength_bits))
+		    max_strength_bits = curr->cipher->strength_bits;
+		curr = curr->next;
+		}
+
+	number_uses = Malloc((max_strength_bits + 1) * sizeof(int));
+	if (!number_uses)
+	{
+		SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
+		return(0);
+	}
+	memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
+
+	/*
+	 * Now find the strength_bits values actually used
+	 */
+	curr = *head_p;
+	while (curr != NULL)
+		{
+		if (curr->active)
+			number_uses[curr->cipher->strength_bits]++;
+		curr = curr->next;
+		}
+	/*
+	 * Go through the list of used strength_bits values in descending
+	 * order.
+	 */
+	for (i = max_strength_bits; i >= 0; i--)
+		if (number_uses[i] > 0)
+			ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
+					list, head_p, tail_p);
+
+	Free(number_uses);
+	return(1);
+	}
 
-		if (ch == '\0') break;
+static int ssl_cipher_process_rulestr(const char *rule_str,
+		CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+		CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
+	{
+	unsigned long algorithms, mask, algo_strength, mask_strength;
+	const char *l, *start, *buf;
+	int j, multi, found, rule, retval, ok, buflen;
+	char ch;
+
+	retval = 1;
+	l = rule_str;
+	for (;;)
+		{
+		ch = *l;
 
+		if (ch == '\0')
+			break;		/* done */
 		if (ch == '-')
-			{ j=CIPHER_DEL; l++; }
+			{ rule = CIPHER_DEL; l++; }
 		else if (ch == '+')
-			{ j=CIPHER_ORD; l++; }
+			{ rule = CIPHER_ORD; l++; }
 		else if (ch == '!')
-			{ j=CIPHER_KILL; l++; }
-		else	
-			{ j=CIPHER_ADD; }
+			{ rule = CIPHER_KILL; l++; }
+		else if (ch == '@')
+			{ rule = CIPHER_SPECIAL; l++; }
+		else
+			{ rule = CIPHER_ADD; }
 
 		if (ITEM_SEP(ch))
 			{
 			l++;
 			continue;
 			}
-		ops[current_x].type=j;
-		ops[current_x].algorithms=0;
-		ops[current_x].mask=0;
+
+		algorithms = mask = algo_strength = mask_strength = 0;
 
 		start=l;
 		for (;;)
 			{
-			ch= *l;
-			i=0;
+			ch = *l;
+			buf = l;
+			buflen = 0;
 #ifndef CHARSET_EBCDIC
 			while (	((ch >= 'A') && (ch <= 'Z')) ||
 				((ch >= '0') && (ch <= '9')) ||
@@ -467,12 +600,28 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
 			while (	isalnum(ch) || (ch == '-'))
 #endif
 				 {
-				 buf[i]=ch;
-				 ch= *(++l);
-				 i++;
-				 if (i >= (CL_BUF-2)) break;
+				 ch = *(++l);
+				 buflen++;
 				 }
-			buf[i]='\0';
+
+			if (buflen == 0)
+				{
+				/*
+				 * We hit something, we cannot deal with,
+				 * it is no command or separator nor
+				 * alphanumeric, so we call this an error.
+				 */
+				SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+				       SSL_R_INVALID_COMMAND);
+				retval = found = 0;
+				l++;
+				break;
+				}
+
+			if (rule == CIPHER_SPECIAL)
+				{
+				break;	/* special treatment */
+				}
 
 			/* check for multi-part specification */
 			if (ch == '+')
@@ -483,133 +632,237 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
 			else
 				multi=0;
 
-			c_tmp.name=buf;
-			j=sk_find(ca_list,(char *)&c_tmp);
-			if (j < 0)
-				goto end_loop;
+			/*
+			 * Now search for the name in the ca_list. Be careful
+			 * with the strncmp, because the "buflen" limitation
+			 * will make the rule "ADH:SOME" and the cipher
+			 * "ADH-MY-CIPHER" look like a match for buflen=3.
+			 * So additionally check, whether the cipher name found
+			 * has the correct length. We can save a strlen() call,
+			 * just checking for the '\0' at the right place is
+			 * sufficient, we have to strncmp() anyway.
+			 */
+			 j = found = 0;
+			 while (ca_list[j])
+				{
+				if ((ca_list[j]->name[buflen] == '\0') &&
+				    !strncmp(buf, ca_list[j]->name, buflen))
+					{
+					found = 1;
+					break;
+					}
+				else
+					j++;
+				}
+			if (!found)
+				break;	/* ignore this entry */
+
+			algorithms |= ca_list[j]->algorithms;
+			mask |= ca_list[j]->mask;
+			algo_strength |= ca_list[j]->algo_strength;
+			mask_strength |= ca_list[j]->mask_strength;
 
-			cp=(SSL_CIPHER *)sk_value(ca_list,j);
-			ops[current_x].algorithms|=cp->algorithms;
-			/* We add the SSL_SSL_MASK so we can match the
-			 * SSLv2 and SSLv3 versions of RC4-MD5 */
-			ops[current_x].mask|=cp->mask;
 			if (!multi) break;
 			}
-		current_x++;
-		if (ch == '\0') break;
-end_loop:
-		/* Make sure we scan until the next valid start point */
-		while ((*l != '\0') && ITEM_SEP(*l))
-			l++;
+
+			/*
+			 * Ok, we have the rule, now apply it
+			 */
+			if (rule == CIPHER_SPECIAL)
+				{	/* special command */
+				ok = 0;
+				if ((buflen == 8) &&
+					!strncmp(buf, "STRENGTH", 8))
+					ok = ssl_cipher_strength_sort(list,
+							head_p, tail_p);
+				else
+					SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+						SSL_R_INVALID_COMMAND);
+				if (ok == 0)
+					retval = 0;
+				/*
+				 * We do not support any "multi" options
+				 * together with "@", so throw away the
+				 * rest of the command, if any left, until
+				 * end or ':' is found.
+				 */
+				while ((*l != '\0') && ITEM_SEP(*l))
+					l++;
+				}
+			else if (found)
+				{
+				ssl_cipher_apply_rule(algorithms, mask,
+					algo_strength, mask_strength, rule, -1,
+					list, head_p, tail_p);
+				}
+			else
+				{
+				while ((*l != '\0') && ITEM_SEP(*l))
+					l++;
+				}
+			if (*l == '\0') break; /* done */
 		}
 
-	num_x=current_x;
-	current_x=0;
+	return(retval);
+	}
 
-	/* We will now process the list of ciphers, once for each category, to
-	 * decide what we should do with it. */
-	for (j=0; j<num_x; j++)
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+		STACK_OF(SSL_CIPHER) **cipher_list,
+		STACK_OF(SSL_CIPHER) **cipher_list_by_id,
+		const char *rule_str)
+	{
+	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+	unsigned long disabled_mask;
+	STACK_OF(SSL_CIPHER) *cipherstack;
+	const char *rule_p;
+	CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr;
+	SSL_CIPHER **ca_list = NULL;
+
+	/*
+	 * Return with error if nothing to do.
+	 */
+	if (rule_str == NULL) return(NULL);
+
+	if (init_ciphers) load_ciphers();
+
+	/*
+	 * To reduce the work to do we only want to process the compiled
+	 * in algorithms, so we first get the mask of disabled ciphers.
+	 */
+	disabled_mask = ssl_cipher_get_disabled();
+
+	/*
+	 * Now we have to collect the available ciphers from the compiled
+	 * in ciphers. We cannot get more than the number compiled in, so
+	 * it is used for allocation.
+	 */
+	num_of_ciphers = ssl_method->num_ciphers();
+	list = (CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+	if (list == NULL)
 		{
-		algorithms=ops[j].algorithms;
-		type=ops[j].type;
-		mask=ops[j].mask;
+		SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+		return(NULL);	/* Failure */
+		}
 
-		curr=head;
-		curr2=head;
-		tail2=tail;
-		for (;;)
-			{
-			if ((curr == NULL) || (curr == tail2)) break;
-			curr=curr2;
-			curr2=curr->next;
+	ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
+				   list, &head, &tail);
+
+	/*
+	 * We also need cipher aliases for selecting based on the rule_str.
+	 * There might be two types of entries in the rule_str: 1) names
+	 * of ciphers themselves 2) aliases for groups of ciphers.
+	 * For 1) we need the available ciphers and for 2) the cipher
+	 * groups of cipher_aliases added together in one list (otherwise
+	 * we would be happy with just the cipher_aliases table).
+	 */
+	num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
+	num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+	ca_list =
+		(SSL_CIPHER **)Malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+	if (ca_list == NULL)
+		{
+		Free(list);
+		SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+		return(NULL);	/* Failure */
+		}
+	ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
+				   head);
+
+	/*
+	 * If the rule_string begins with DEFAULT, apply the default rule
+	 * before using the (possibly available) additional rules.
+	 */
+	ok = 1;
+	rule_p = rule_str;
+	if (strncmp(rule_str,"DEFAULT",7) == 0)
+		{
+		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+			list, &head, &tail, ca_list);
+		rule_p += 7;
+		if (*rule_p == ':')
+			rule_p++;
+		}
 
-			cp=curr->cipher;
-			ma=mask & cp->algorithms;
-			if ((ma == 0) || ((ma & algorithms) != ma))
-				{
-				/* does not apply */
-				continue;
-				}
+	if (ok && (strlen(rule_p) > 0))
+		ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail,
+						ca_list);
 
-			/* add the cipher if it has not been added yet. */
-			if (type == CIPHER_ADD)
-				{
-				if (!curr->active)
-					{
-					ll_append_tail(&head,curr,&tail);
-					curr->active=1;
-					}
-				}
-			/* Move the added cipher to this location */
-			else if (type == CIPHER_ORD)
-				{
-				if (curr->active)
-					{
-					ll_append_tail(&head,curr,&tail);
-					}
-				}
-			else if	(type == CIPHER_DEL)
-				curr->active=0;
-			if (type == CIPHER_KILL)
-				{
-				if (head == curr)
-					head=curr->next;
-				else
-					curr->prev->next=curr->next;
-				if (tail == curr)
-					tail=curr->prev;
-				curr->active=0;
-				if (curr->next != NULL)
-					curr->next->prev=curr->prev;
-				if (curr->prev != NULL)
-					curr->prev->next=curr->next;
-				curr->next=NULL;
-				curr->prev=NULL;
-				}
-			}
+	Free(ca_list);	/* Not needed anymore */
+
+	if (!ok)
+		{	/* Rule processing failure */
+		Free(list);
+		return(NULL);
+		}
+	/*
+	 * Allocate new "cipherstack" for the result, return with error
+	 * if we cannot get one.
+	 */
+	if ((cipherstack = sk_SSL_CIPHER_new(NULL)) == NULL)
+		{
+		Free(list);
+		return(NULL);
 		}
 
-	for (curr=head; curr != NULL; curr=curr->next)
+	/*
+	 * The cipher selection for the list is done. The ciphers are added
+	 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
+	 */
+	for (curr = head; curr != NULL; curr = curr->next)
 		{
 		if (curr->active)
 			{
-			sk_SSL_CIPHER_push(ret,curr->cipher);
+			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
 			printf("<%s>\n",curr->cipher->name);
 #endif
 			}
 		}
-
+	Free(list);	/* Not needed any longer */
+
+	/*
+	 * The following passage is a little bit odd. If pointer variables
+	 * were supplied to hold STACK_OF(SSL_CIPHER) return information,
+	 * the old memory pointed to is free()ed. Then, however, the
+	 * cipher_list entry will be assigned just a copy of the returned
+	 * cipher stack. For cipher_list_by_id a copy of the cipher stack
+	 * will be created. See next comment...
+	 */
 	if (cipher_list != NULL)
 		{
 		if (*cipher_list != NULL)
 			sk_SSL_CIPHER_free(*cipher_list);
-		*cipher_list=ret;
+		*cipher_list = cipherstack;
 		}
 
 	if (cipher_list_by_id != NULL)
 		{
 		if (*cipher_list_by_id != NULL)
 			sk_SSL_CIPHER_free(*cipher_list_by_id);
-		*cipher_list_by_id=sk_SSL_CIPHER_dup(ret);
+		*cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack);
 		}
 
+	/*
+	 * Now it is getting really strange. If something failed during
+	 * the previous pointer assignment or if one of the pointers was
+	 * not requested, the error condition is met. That might be
+	 * discussable. The strange thing is however that in this case
+	 * the memory "ret" pointed to is "free()ed" and hence the pointer
+	 * cipher_list becomes wild. The memory reserved for
+	 * cipher_list_by_id however is not "free()ed" and stays intact.
+	 */
 	if (	(cipher_list_by_id == NULL) ||
 		(*cipher_list_by_id == NULL) ||
 		(cipher_list == NULL) ||
 		(*cipher_list == NULL))
-		goto err;
+		{
+		sk_SSL_CIPHER_free(cipherstack);
+		return(NULL);
+		}
+
 	sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
 
-	ok=ret;
-	ret=NULL;
-err:
-	if (tmp_str) Free(tmp_str);
-	if (ops != NULL) Free(ops);
-	if (ret != NULL) sk_SSL_CIPHER_free(ret);
-	if (ca_list != NULL) sk_free(ca_list);
-	if (list != NULL) Free(list);
-	return(ok);
+	return(cipherstack);
 	}
 
 char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
@@ -617,15 +870,16 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	int is_export,pkl,kl;
 	char *ver,*exp;
 	char *kx,*au,*enc,*mac;
-	unsigned long alg,alg2;
+	unsigned long alg,alg2,alg_s;
 	static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
 	
 	alg=cipher->algorithms;
+	alg_s=cipher->algo_strength;
 	alg2=cipher->algorithm2;
 
-	is_export=SSL_IS_EXPORT(alg);
-	pkl=SSL_EXPORT_PKEYLENGTH(alg);
-	kl=SSL_EXPORT_KEYLENGTH(alg);
+	is_export=SSL_C_IS_EXPORT(cipher);
+	pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
+	kl=SSL_C_EXPORT_KEYLENGTH(cipher);
 	exp=is_export?" export":"";
 
 	if (alg & SSL_SSLV2)
@@ -752,37 +1006,16 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
 	return("(NONE)");
 	}
 
-/* number of bits for symetric cipher */
+/* number of bits for symmetric cipher */
 int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
 	{
-	int ret=0,a=0;
-	const EVP_CIPHER *enc;
-	const EVP_MD *md;
-	SSL_SESSION ss;
+	int ret=0;
 
 	if (c != NULL)
 		{
-		ss.cipher=c;
-		if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
-			return(0);
-
-		a=EVP_CIPHER_key_length(enc)*8;
-
-		if (SSL_C_IS_EXPORT(c))
-			{
-			ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
-			}
-		else
-			{
-			if (c->algorithm2 & SSL2_CF_8_BYTE_ENC)
-				ret=64;
-			else
-				ret=a;
-			}
+		if (alg_bits != NULL) *alg_bits = c->alg_bits;
+		ret = c->strength_bits;
 		}
-
-	if (alg_bits != NULL) *alg_bits=a;
-	
 	return(ret);
 	}
 
diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c
index 3ddc805b537..5618e34a308 100644
--- a/lib/libssl/ssl_err.c
+++ b/lib/libssl/ssl_err.c
@@ -135,13 +135,18 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0),	"SSL_CERT_INSTANTIATE"},
 {ERR_PACK(0,SSL_F_SSL_CERT_NEW,0),	"SSL_CERT_NEW"},
 {ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0),	"SSL_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0),	"SSL_CIPHER_PROCESS_RULESTR"},
+{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0),	"SSL_CIPHER_STRENGTH_SORT"},
 {ERR_PACK(0,SSL_F_SSL_CLEAR,0),	"SSL_clear"},
 {ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0),	"SSL_COMP_add_compression_method"},
 {ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0),	"SSL_CREATE_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CTRL,0),	"SSL_ctrl"},
 {ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0),	"SSL_CTX_check_private_key"},
 {ERR_PACK(0,SSL_F_SSL_CTX_NEW,0),	"SSL_CTX_new"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_PURPOSE,0),	"SSL_CTX_set_purpose"},
 {ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0),	"SSL_CTX_set_session_id_context"},
 {ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0),	"SSL_CTX_set_ssl_version"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_TRUST,0),	"SSL_CTX_set_trust"},
 {ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0),	"SSL_CTX_use_certificate"},
 {ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0),	"SSL_CTX_use_certificate_ASN1"},
 {ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0),	"SSL_CTX_use_certificate_chain_file"},
@@ -169,9 +174,11 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_SET_CERT,0),	"SSL_SET_CERT"},
 {ERR_PACK(0,SSL_F_SSL_SET_FD,0),	"SSL_set_fd"},
 {ERR_PACK(0,SSL_F_SSL_SET_PKEY,0),	"SSL_SET_PKEY"},
+{ERR_PACK(0,SSL_F_SSL_SET_PURPOSE,0),	"SSL_set_purpose"},
 {ERR_PACK(0,SSL_F_SSL_SET_RFD,0),	"SSL_set_rfd"},
 {ERR_PACK(0,SSL_F_SSL_SET_SESSION,0),	"SSL_set_session"},
 {ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0),	"SSL_set_session_id_context"},
+{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),	"SSL_set_trust"},
 {ERR_PACK(0,SSL_F_SSL_SET_WFD,0),	"SSL_set_wfd"},
 {ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),	"SSL_shutdown"},
 {ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),	"SSL_UNDEFINED_FUNCTION"},
@@ -201,7 +208,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_BAD_AUTHENTICATION_TYPE           ,"bad authentication type"},
 {SSL_R_BAD_CHANGE_CIPHER_SPEC            ,"bad change cipher spec"},
 {SSL_R_BAD_CHECKSUM                      ,"bad checksum"},
-{SSL_R_BAD_CLIENT_REQUEST                ,"bad client request"},
 {SSL_R_BAD_DATA_RETURNED_BY_CALLBACK     ,"bad data returned by callback"},
 {SSL_R_BAD_DECOMPRESSION                 ,"bad decompression"},
 {SSL_R_BAD_DH_G_LENGTH                   ,"bad dh g length"},
@@ -209,6 +215,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_BAD_DH_P_LENGTH                   ,"bad dh p length"},
 {SSL_R_BAD_DIGEST_LENGTH                 ,"bad digest length"},
 {SSL_R_BAD_DSA_SIGNATURE                 ,"bad dsa signature"},
+{SSL_R_BAD_HELLO_REQUEST                 ,"bad hello request"},
 {SSL_R_BAD_LENGTH                        ,"bad length"},
 {SSL_R_BAD_MAC_DECODE                    ,"bad mac decode"},
 {SSL_R_BAD_MESSAGE_TYPE                  ,"bad message type"},
@@ -248,6 +255,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG   ,"dh public value length is wrong"},
 {SSL_R_DIGEST_CHECK_FAILED               ,"digest check failed"},
 {SSL_R_ENCRYPTED_LENGTH_TOO_LONG         ,"encrypted length too long"},
+{SSL_R_ERROR_GENERATING_TMP_RSA_KEY      ,"error generating tmp rsa key"},
 {SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST     ,"error in received cipher list"},
 {SSL_R_EXCESSIVE_MESSAGE_SIZE            ,"excessive message size"},
 {SSL_R_EXTRA_DATA_IN_MESSAGE             ,"extra data in message"},
@@ -256,6 +264,9 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_HTTP_REQUEST                      ,"http request"},
 {SSL_R_INTERNAL_ERROR                    ,"internal error"},
 {SSL_R_INVALID_CHALLENGE_LENGTH          ,"invalid challenge length"},
+{SSL_R_INVALID_COMMAND                   ,"invalid command"},
+{SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
+{SSL_R_INVALID_TRUST                     ,"invalid trust"},
 {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
@@ -348,14 +359,14 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_TLSV1_ALERT_DECODE_ERROR          ,"tlsv1 alert decode error"},
 {SSL_R_TLSV1_ALERT_DECRYPTION_FAILED     ,"tlsv1 alert decryption failed"},
 {SSL_R_TLSV1_ALERT_DECRYPT_ERROR         ,"tlsv1 alert decrypt error"},
-{SSL_R_TLSV1_ALERT_EXPORT_RESTRICION     ,"tlsv1 alert export restricion"},
+{SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION    ,"tlsv1 alert export restriction"},
 {SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
 {SSL_R_TLSV1_ALERT_INTERNAL_ERROR        ,"tlsv1 alert internal error"},
 {SSL_R_TLSV1_ALERT_NO_RENEGOTIATION      ,"tlsv1 alert no renegotiation"},
 {SSL_R_TLSV1_ALERT_PROTOCOL_VERSION      ,"tlsv1 alert protocol version"},
 {SSL_R_TLSV1_ALERT_RECORD_OVERFLOW       ,"tlsv1 alert record overflow"},
 {SSL_R_TLSV1_ALERT_UNKNOWN_CA            ,"tlsv1 alert unknown ca"},
-{SSL_R_TLSV1_ALERT_USER_CANCLED          ,"tlsv1 alert user cancled"},
+{SSL_R_TLSV1_ALERT_USER_CANCELLED        ,"tlsv1 alert user cancelled"},
 {SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
 {SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
 {SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
@@ -383,6 +394,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_UNKNOWN_STATE                     ,"unknown state"},
 {SSL_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
 {SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"},
+{SSL_R_UNSUPPORTED_OPTION                ,"unsupported option"},
 {SSL_R_UNSUPPORTED_PROTOCOL              ,"unsupported protocol"},
 {SSL_R_UNSUPPORTED_SSL_VERSION           ,"unsupported ssl version"},
 {SSL_R_WRITE_BIO_NOT_SET                 ,"write bio not set"},
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index e192fc4cac3..3109708480b 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -61,22 +61,24 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
+#include <openssl/x509v3.h>
 #include "ssl_locl.h"
 
-char *SSL_version_str=OPENSSL_VERSION_TEXT;
+const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
-static STACK *ssl_meth=NULL;
-static STACK *ssl_ctx_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
 static int ssl_meth_num=0;
 static int ssl_ctx_meth_num=0;
 
 OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+	/* evil casts, but these functions are only called if there's a library bug */
+	(int (*)(SSL *,int))ssl_undefined_function,
+	(int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
 	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl_undefined_function,
+	(int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
+	(int (*)(SSL*, int))ssl_undefined_function,
+	(int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
 	};
 
 int SSL_clear(SSL *s)
@@ -93,10 +95,17 @@ int SSL_clear(SSL *s)
 	s->hit=0;
 	s->shutdown=0;
 
-#if 0
+#if 0 /* Disabled since version 1.10 of this file (early return not
+       * needed because SSL_clear is not called when doing renegotiation) */
 	/* This is set if we are doing dynamic renegotiation so keep
 	 * the old cipher.  It is sort of a SSL_clear_lite :-) */
 	if (s->new_session) return(1);
+#else
+	if (s->new_session)
+		{
+		SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR);
+		return 0;
+		}
 #endif
 
 	state=s->state; /* Keep to check if we throw away the session-id */
@@ -201,6 +210,8 @@ SSL *SSL_new(SSL_CTX *ctx)
 	s->verify_mode=ctx->verify_mode;
 	s->verify_depth=ctx->verify_depth;
 	s->verify_callback=ctx->default_verify_callback;
+	s->purpose = ctx->purpose;
+	s->trust = ctx->trust;
 	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
 	s->ctx=ctx;
 
@@ -218,7 +229,7 @@ SSL *SSL_new(SSL_CTX *ctx)
 	s->mode=ctx->mode;
 	SSL_clear(s);
 
-	CRYPTO_new_ex_data(ssl_meth,(char *)s,&s->ex_data);
+	CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
 
 	return(s);
 err:
@@ -262,6 +273,46 @@ int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
     return 1;
     }
 
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
+{
+	if(X509_PURPOSE_get_by_id(purpose) == -1) {
+		SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+		return 0;
+	}
+	s->purpose = purpose;
+	return 1;
+}
+
+int SSL_set_purpose(SSL *s, int purpose)
+{
+	if(X509_PURPOSE_get_by_id(purpose) == -1) {
+		SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+		return 0;
+	}
+	s->purpose = purpose;
+	return 1;
+}
+	
+int SSL_CTX_set_trust(SSL_CTX *s, int trust)
+{
+	if(X509_TRUST_get_by_id(trust) == -1) {
+		SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
+		return 0;
+	}
+	s->trust = trust;
+	return 1;
+}
+
+int SSL_set_trust(SSL *s, int trust)
+{
+	if(X509_TRUST_get_by_id(trust) == -1) {
+		SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
+		return 0;
+	}
+	s->trust = trust;
+	return 1;
+}
+
 void SSL_free(SSL *s)
 	{
 	int i;
@@ -324,7 +375,7 @@ void SSL_free(SSL *s)
 
 	if (s->method != NULL) s->method->ssl_free(s);
 
-	Free((char *)s);
+	Free(s);
 	}
 
 void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
@@ -433,6 +484,38 @@ err:
 	}
 #endif
 
+
+/* return length of latest Finished message we sent, copy to 'buf' */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+	{
+	size_t ret = 0;
+	
+	if (s->s3 != NULL)
+		{
+		ret = s->s3->tmp.finish_md_len;
+		if (count > ret)
+			count = ret;
+		memcpy(buf, s->s3->tmp.finish_md, count);
+		}
+	return ret;
+	}
+
+/* return length of latest Finished message we expected, copy to 'buf' */
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+	{
+	size_t ret = 0;
+	
+	if (s->s3 != NULL)
+		{
+		ret = s->s3->tmp.peer_finish_md_len;
+		if (count > ret)
+			count = ret;
+		memcpy(buf, s->s3->tmp.peer_finish_md, count);
+		}
+	return ret;
+	}
+
+
 int SSL_get_verify_mode(SSL *s)
 	{
 	return(s->verify_mode);
@@ -706,6 +789,20 @@ long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
 		}
 	}
 
+long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
+	{
+	switch(cmd)
+		{
+	default:
+		return(s->method->ssl_callback_ctrl(s,cmd,fp));
+		}
+	}
+
+struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
+	{
+	return ctx->sessions;
+	}
+
 long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
 	{
 	long l;
@@ -765,6 +862,15 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
 		}
 	}
 
+long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+	{
+	switch(cmd)
+		{
+	default:
+		return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
+		}
+	}
+
 int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b)
 	{
 	long l;
@@ -834,8 +940,8 @@ const char *SSL_get_cipher_list(SSL *s,int n)
 	return(c->name);
 	}
 
-/** specify the ciphers to be used by defaut by the SSL_CTX */
-int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
+/** specify the ciphers to be used by default by the SSL_CTX */
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
 	{
 	STACK_OF(SSL_CIPHER) *sk;
 	
@@ -846,7 +952,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
 	}
 
 /** specify the ciphers to be used by the SSL */
-int SSL_set_cipher_list(SSL *s,char *str)
+int SSL_set_cipher_list(SSL *s,const char *str)
 	{
 	STACK_OF(SSL_CIPHER) *sk;
 	
@@ -1127,7 +1233,7 @@ void SSL_CTX_free(SSL_CTX *a)
 		sk_X509_pop_free(a->extra_certs,X509_free);
 	if (a->comp_methods != NULL)
 		sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
-	Free((char *)a);
+	Free(a);
 	}
 
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
@@ -1254,10 +1360,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 		emask|=SSL_aDSS;
 		}
 
-#ifdef SSL_ALLOW_ADH
 	mask|=SSL_aNULL;
 	emask|=SSL_aNULL;
-#endif
 
 	c->mask=mask;
 	c->export_mask=emask;
@@ -1274,7 +1378,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
 	c=s->cert;
 	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
 	alg=s->s3->tmp.new_cipher->algorithms;
-	is_export=SSL_IS_EXPORT(alg);
+	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 	mask=is_export?c->export_mask:c->mask;
 	kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
 
@@ -1527,7 +1631,7 @@ SSL_METHOD *ssl_bad_method(int ver)
 	return(NULL);
 	}
 
-char *SSL_get_version(SSL *s)
+const char *SSL_get_version(SSL *s)
 	{
 	if (s->version == TLS1_VERSION)
 		return("TLSv1");
@@ -1831,8 +1935,8 @@ long SSL_get_verify_result(SSL *ssl)
 	return(ssl->verify_result);
 	}
 
-int SSL_get_ex_new_index(long argl,char *argp,int (*new_func)(),
-			 int (*dup_func)(),void (*free_func)())
+int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+			 CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
 	{
 	ssl_meth_num++;
 	return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
@@ -1849,8 +1953,8 @@ void *SSL_get_ex_data(SSL *s,int idx)
 	return(CRYPTO_get_ex_data(&s->ex_data,idx));
 	}
 
-int SSL_CTX_get_ex_new_index(long argl,char *argp,int (*new_func)(),
-			     int (*dup_func)(),void (*free_func)())
+int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+			     CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
 	{
 	ssl_ctx_meth_num++;
 	return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
@@ -1899,13 +2003,16 @@ int SSL_want(SSL *s)
 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
 							  int is_export,
 							  int keylength))
-    { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
-#endif
+    {
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    }
 
-#ifndef NO_RSA
-void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,int is_export,
-							  int keylength))
-    { SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
+void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
+						  int is_export,
+						  int keylength))
+    {
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+    }
 #endif
 
 #ifdef DOXYGEN
@@ -1932,11 +2039,15 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
 #ifndef NO_DH
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
 							int keylength))
-    { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
+    {
+    SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+    }
 
 void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
-							int keylength))
-    { SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
+						int keylength))
+    {
+    SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+    }
 #endif
 
 #if defined(_WINDLL) && defined(WIN16)
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 0bfd57db326..9a52bab254a 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -155,6 +155,19 @@
 #define DEC32(a)	((a)=((a)-1)&0xffffffffL)
 #define MAX_MAC_SIZE	20 /* up from 16 for SSLv3 */
 
+/*
+ * Define the Bitmasks for SSL_CIPHER.algorithms.
+ * This bits are used packed as dense as possible. If new methods/ciphers
+ * etc will be added, the bits a likely to change, so this information
+ * is for internal library use only, even though SSL_CIPHER.algorithms
+ * can be publicly accessed.
+ * Use the according functions for cipher management instead.
+ *
+ * The bit mask handling in the selection and sorting scheme in
+ * ssl_create_cipher_list() has only limited capabilities, reflecting
+ * that the different entities within are mutually exclusive:
+ * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
+ */
 #define SSL_MKEY_MASK		0x0000001FL
 #define SSL_kRSA		0x00000001L /* RSA key exchange */
 #define SSL_kDHr		0x00000002L /* DH cert RSA CA cert */
@@ -191,36 +204,75 @@
 #define SSL_SHA1		0x00040000L
 #define SSL_SHA			(SSL_SHA1)
 
-#define SSL_EXP_MASK		0x00300000L
-#define SSL_EXP40		0x00100000L
-#define SSL_NOT_EXP		0x00200000L
-#define SSL_EXP56		0x00300000L
-#define SSL_IS_EXPORT(a)	((a)&SSL_EXP40)
-#define SSL_IS_EXPORT56(a)	(((a)&SSL_EXP_MASK) == SSL_EXP56)
-#define SSL_IS_EXPORT40(a)	(((a)&SSL_EXP_MASK) == SSL_EXP40)
-#define SSL_C_IS_EXPORT(c)	SSL_IS_EXPORT((c)->algorithms)
-#define SSL_C_IS_EXPORT56(c)	SSL_IS_EXPORT56((c)->algorithms)
-#define SSL_C_IS_EXPORT40(c)	SSL_IS_EXPORT40((c)->algorithms)
-#define SSL_EXPORT_KEYLENGTH(a)	(SSL_IS_EXPORT40(a) ? 5 : \
+#define SSL_SSL_MASK		0x00180000L
+#define SSL_SSLV2		0x00080000L
+#define SSL_SSLV3		0x00100000L
+#define SSL_TLSV1		SSL_SSLV3	/* for now */
+
+/* we have used 001fffff - 11 bits left to go */
+
+/*
+ * Export and cipher strength information. For each cipher we have to decide
+ * whether it is exportable or not. This information is likely to change
+ * over time, since the export control rules are no static technical issue.
+ *
+ * Independent of the export flag the cipher strength is sorted into classes.
+ * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
+ * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
+ * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
+ * since SSL_EXP64 could be similar to SSL_LOW.
+ * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
+ * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
+ * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
+ * be possible.
+ */
+#define SSL_EXP_MASK		0x00000003L
+#define SSL_NOT_EXP		0x00000001L
+#define SSL_EXPORT		0x00000002L
+
+#define SSL_STRONG_MASK		0x0000007cL
+#define SSL_EXP40		0x00000004L
+#define SSL_MICRO		(SSL_EXP40)
+#define SSL_EXP56		0x00000008L
+#define SSL_MINI		(SSL_EXP56)
+#define SSL_LOW			0x00000010L
+#define SSL_MEDIUM		0x00000020L
+#define SSL_HIGH		0x00000040L
+
+/* we have used 0000007f - 25 bits left to go */
+
+/*
+ * Macros to check the export status and cipher strength for export ciphers.
+ * Even though the macros for EXPORT and EXPORT40/56 have similar names,
+ * their meaning is different:
+ * *_EXPORT macros check the 'exportable' status.
+ * *_EXPORT40/56 macros are used to check whether a certain cipher strength
+ *          is given.
+ * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
+ * algorithm structure element to be passed (algorithms, algo_strength) and no
+ * typechecking can be done as they are all of type unsigned long, their
+ * direct usage is discouraged.
+ * Use the SSL_C_* macros instead.
+ */
+#define SSL_IS_EXPORT(a)	((a)&SSL_EXPORT)
+#define SSL_IS_EXPORT56(a)	((a)&SSL_EXP56)
+#define SSL_IS_EXPORT40(a)	((a)&SSL_EXP40)
+#define SSL_C_IS_EXPORT(c)	SSL_IS_EXPORT((c)->algo_strength)
+#define SSL_C_IS_EXPORT56(c)	SSL_IS_EXPORT56((c)->algo_strength)
+#define SSL_C_IS_EXPORT40(c)	SSL_IS_EXPORT40((c)->algo_strength)
+
+#define SSL_EXPORT_KEYLENGTH(a,s)	(SSL_IS_EXPORT40(s) ? 5 : \
 				 ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
 #define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
-#define SSL_C_EXPORT_KEYLENGTH(c)	SSL_EXPORT_KEYLENGTH((c)->algorithms)
-#define SSL_C_EXPORT_PKEYLENGTH(c)	SSL_EXPORT_PKEYLENGTH((c)->algorithms)
-
-#define SSL_SSL_MASK		0x00c00000L
-#define SSL_SSLV2		0x00400000L
-#define SSL_SSLV3		0x00800000L
-#define SSL_TLSV1		SSL_SSLV3	/* for now */
+#define SSL_C_EXPORT_KEYLENGTH(c)	SSL_EXPORT_KEYLENGTH((c)->algorithms, \
+				(c)->algo_strength)
+#define SSL_C_EXPORT_PKEYLENGTH(c)	SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
 
-#define SSL_STRONG_MASK		0x07000000L
-#define SSL_LOW			0x01000000L
-#define SSL_MEDIUM		0x02000000L
-#define SSL_HIGH		0x04000000L
 
-/* we have used 0fffffff - 4 bits left to go */
 #define SSL_ALL			0xffffffffL
 #define SSL_ALL_CIPHERS		(SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
-				SSL_MAC_MASK|SSL_EXP_MASK)
+				SSL_MAC_MASK)
+#define SSL_ALL_STRENGTHS	(SSL_EXP_MASK|SSL_STRONG_MASK)
 
 /* Mostly for SSLv3 */
 #define SSL_PKEY_RSA_ENC	0
@@ -254,9 +306,9 @@ typedef struct cert_st
 	{
 	/* Current active set */
 	CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
-					 * Probably it would make more sense to store
-					 * an index, not a pointer. */
-
+			 * Probably it would make more sense to store
+			 * an index, not a pointer. */
+ 
 	/* The following masks are for the key and auth
 	 * algorithms that are supported by the certs below */
 	int valid;
@@ -319,28 +371,28 @@ typedef struct sess_cert_st
 
 /* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
  * It is a bit of a mess of functions, but hell, think of it as
- * an opaque strucute :-) */
+ * an opaque structure :-) */
 typedef struct ssl3_enc_method
 	{
-	int (*enc)();
-	int (*mac)();
-	int (*setup_key_block)();
-	int (*generate_master_secret)();
-	int (*change_cipher_state)();
-	int (*final_finish_mac)();
+	int (*enc)(SSL *, int);
+	int (*mac)(SSL *, unsigned char *, int);
+	int (*setup_key_block)(SSL *);
+	int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
+	int (*change_cipher_state)(SSL *, int);
+	int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
 	int finish_mac_length;
-	int (*cert_verify_mac)();
-	unsigned char client_finished[20];
-	int client_finished_len;
-	unsigned char server_finished[20];
-	int server_finished_len;
-	int (*alert_value)();
+	int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
+	const char *client_finished_label;
+	int client_finished_label_len;
+	const char *server_finished_label;
+	int server_finished_label_len;
+	int (*alert_value)(int);
 	} SSL3_ENC_METHOD;
 
 /* Used for holding the relevant compression methods loaded into SSL_CTX */
 typedef struct ssl3_comp_st
 	{
-	int comp_id;	/* The identifer byte for this compression type */
+	int comp_id;	/* The identifier byte for this compression type */
 	char *name;	/* Text name used for the compression type */
 	COMP_METHOD *method; /* The method :-) */
 	} SSL3_COMP;
@@ -376,10 +428,10 @@ int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 					       STACK_OF(SSL_CIPHER) **skp);
 int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *meth,
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
 					     STACK_OF(SSL_CIPHER) **pref,
 					     STACK_OF(SSL_CIPHER) **sorted,
-					     char *str);
+					     const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
 int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
 		       SSL_COMP **comp);
@@ -416,6 +468,8 @@ int	ssl2_shutdown(SSL *s);
 void	ssl2_clear(SSL *s);
 long	ssl2_ctrl(SSL *s,int cmd, long larg, char *parg);
 long	ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long	ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long	ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
 int	ssl2_pending(SSL *s);
 
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
@@ -433,17 +487,16 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out,
 	unsigned char *p, int len);
 int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
 long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
-int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,int slen);
+int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
 int ssl3_num_ciphers(void);
 SSL_CIPHER *ssl3_get_cipher(unsigned int u);
 int ssl3_renegotiate(SSL *ssl); 
 int ssl3_renegotiate_check(SSL *ssl); 
 int ssl3_dispatch_alert(SSL *s);
 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
-int ssl3_part_read(SSL *s, int i);
 int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
-int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1,EVP_MD_CTX *ctx2,
-	unsigned char *sender, int slen,unsigned char *p);
+int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
+	const char *sender, int slen,unsigned char *p);
 int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 int ssl3_enc(SSL *s, int send_data);
@@ -463,6 +516,8 @@ int	ssl3_shutdown(SSL *s);
 void	ssl3_clear(SSL *s);
 long	ssl3_ctrl(SSL *s,int cmd, long larg, char *parg);
 long	ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long	ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long	ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
 int	ssl3_pending(SSL *s);
 
 int ssl23_accept(SSL *s);
@@ -474,6 +529,7 @@ int tls1_new(SSL *s);
 void tls1_free(SSL *s);
 void tls1_clear(SSL *s);
 long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
+long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
 SSL_METHOD *tlsv1_base_method(void );
 
 int ssl_init_wbio_buffer(SSL *s, int push);
@@ -483,7 +539,7 @@ int tls1_change_cipher_state(SSL *s, int which);
 int tls1_setup_key_block(SSL *s);
 int tls1_enc(SSL *s, int snd);
 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
-	unsigned char *str, int slen, unsigned char *p);
+	const char *str, int slen, unsigned char *p);
 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
 int tls1_mac(SSL *ssl, unsigned char *md, int snd);
 int tls1_generate_master_secret(SSL *s, unsigned char *out,
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 681499f08aa..9e01f727532 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -65,15 +65,31 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
 static int ssl_session_num=0;
-static STACK *ssl_session_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
 
 SSL_SESSION *SSL_get_session(SSL *ssl)
+/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
 	{
 	return(ssl->session);
 	}
 
-int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-	     int (*dup_func)(), void (*free_func)())
+SSL_SESSION *SSL_get1_session(SSL *ssl)
+/* variant of SSL_get_session: caller really gets something */
+	{
+	SSL_SESSION *sess;
+	/* Need to lock this all up rather than just use CRYPTO_add so that
+	 * somebody doesn't free ssl->session between when we check it's
+	 * non-null and when we up the reference count. */
+	CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+	sess = ssl->session;
+	if(sess)
+		sess->references++;
+	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+	return(sess);
+	}
+
+int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 	{
 	ssl_session_num++;
 	return(CRYPTO_get_ex_new_index(ssl_session_num-1,
@@ -103,13 +119,14 @@ SSL_SESSION *SSL_SESSION_new(void)
 		}
 	memset(ss,0,sizeof(SSL_SESSION));
 
+	ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
 	ss->references=1;
 	ss->timeout=60*5+4; /* 5 minute timeout by default */
 	ss->time=time(NULL);
 	ss->prev=NULL;
 	ss->next=NULL;
 	ss->compress_meth=0;
-	CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+	CRYPTO_new_ex_data(ssl_session_meth,ss,&ss->ex_data);
 	return(ss);
 	}
 
@@ -161,15 +178,20 @@ int ssl_get_new_session(SSL *s, int session)
 			{
 			SSL_SESSION *r;
 
-			RAND_bytes(ss->session_id,ss->session_id_length);
+			RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
 			CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-			r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
-				(char *)ss);
+			r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, ss);
 			CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
 			if (r == NULL) break;
 			/* else - woops a session_id match */
-			/* XXX should also check external cache!
-			 * (But the probability of a collision is negligible, anyway...) */
+			/* XXX We should also check the external cache --
+			 * but the probability of a collision is negligible, and
+			 * we could not prevent the concurrent creation of sessions
+			 * with identical IDs since we currently don't have means
+			 * to atomically check whether a session ID already exists
+			 * and make a reservation for it if it does not
+			 * (this problem applies to the internal cache as well).
+			 */
 			}
 		}
 	else
@@ -181,6 +203,7 @@ int ssl_get_new_session(SSL *s, int session)
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;
 	ss->ssl_version=s->version;
+	ss->verify_result = X509_V_OK;
 
 	return(1);
 	}
@@ -192,7 +215,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 	SSL_SESSION *ret=NULL,data;
 	int fatal = 0;
 
-	/* conn_init();*/
 	data.ssl_version=s->version;
 	data.session_id_length=len;
 	if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
@@ -202,7 +224,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 		{
 		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-		ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
+		ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
 		if (ret != NULL)
 		    /* don't allow other threads to steal it: */
 		    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
@@ -311,6 +333,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 	if (s->session != NULL)
 		SSL_SESSION_free(s->session);
 	s->session=ret;
+	s->verify_result = s->session->verify_result;
 	return(1);
 
  err:
@@ -327,27 +350,47 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
 	int ret=0;
 	SSL_SESSION *s;
 
-	/* conn_init(); */
+	/* add just 1 reference count for the SSL_CTX's session cache
+	 * even though it has two ways of access: each session is in a
+	 * doubly linked list and an lhash */
 	CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
+	/* if session c is in already in cache, we take back the increment later */
 
 	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-	s=(SSL_SESSION *)lh_insert(ctx->sessions,(char *)c);
+	s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
 	
-	/* Put on the end of the queue unless it is already in the cache */
+	/* s != NULL iff we already had a session with the given PID.
+	 * In this case, s == c should hold (then we did not really modify
+	 * ctx->sessions), or we're in trouble. */
+	if (s != NULL && s != c)
+		{
+		/* We *are* in trouble ... */
+		SSL_SESSION_list_remove(ctx,s);
+		SSL_SESSION_free(s);
+		/* ... so pretend the other session did not exist in cache
+		 * (we cannot handle two SSL_SESSION structures with identical
+		 * session ID in the same cache, which could happen e.g. when
+		 * two threads concurrently obtain the same session from an external
+		 * cache) */
+		s = NULL;
+		}
+
+ 	/* Put at the head of the queue unless it is already in the cache */
 	if (s == NULL)
 		SSL_SESSION_list_add(ctx,c);
 
-	/* If the same session if is being 're-added', Free the old
-	 * one when the last person stops using it.
-	 * This will also work if it is alread in the cache.
-	 * The references will go up and then down :-) */
 	if (s != NULL)
 		{
-		SSL_SESSION_free(s);
+		/* existing cache entry -- decrement previously incremented reference
+		 * count because it already takes into account the cache */
+
+		SSL_SESSION_free(s); /* s == c */
 		ret=0;
 		}
 	else
 		{
+		/* new cache entry -- remove old ones if cache has become too large */
+		
 		ret=1;
 
 		if (SSL_CTX_sess_get_cache_size(ctx) > 0)
@@ -380,7 +423,7 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
 	if ((c != NULL) && (c->session_id_length != 0))
 		{
 		if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-		r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c);
+		r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
 		if (r != NULL)
 			{
 			ret=1;
@@ -422,7 +465,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 		}
 #endif
 
-	CRYPTO_free_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+	CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data);
 
 	memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
 	memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
@@ -541,7 +584,7 @@ static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
 		{
 		/* The reason we don't call SSL_CTX_remove_session() is to
 		 * save on locking overhead */
-		lh_delete(p->cache,(char *)s);
+		lh_delete(p->cache,s);
 		SSL_SESSION_list_remove(p->ctx,s);
 		s->not_resumable=1;
 		if (p->ctx->remove_session_cb != NULL)
@@ -562,7 +605,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
 	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
 	i=tp.cache->down_load;
 	tp.cache->down_load=0;
-	lh_doall_arg(tp.cache,(void (*)())timeout,(char *)&tp);
+	lh_doall_arg(tp.cache,(void (*)())timeout,&tp);
 	tp.cache->down_load=i;
 	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
 	}
diff --git a/lib/libssl/ssl_stat.c b/lib/libssl/ssl_stat.c
index 3eca4ee6017..8e12461f3b8 100644
--- a/lib/libssl/ssl_stat.c
+++ b/lib/libssl/ssl_stat.c
@@ -183,7 +183,7 @@ case SSL3_ST_SR_CERT_VRFY_B:	str="SSLv3 read certificate verify B"; break;
 #endif
 
 #if !defined(NO_SSL2) && !defined(NO_SSL3)
-/* SSLv2/v3 compatablitity states */
+/* SSLv2/v3 compatibility states */
 /* client */
 case SSL23_ST_CW_CLNT_HELLO_A:	str="SSLv2/v3 write client hello A"; break;
 case SSL23_ST_CW_CLNT_HELLO_B:	str="SSLv2/v3 write client hello B"; break;
@@ -331,7 +331,7 @@ case SSL3_ST_SR_CERT_VRFY_B:			str="3RCV_B"; break;
 #endif
 
 #if !defined(NO_SSL2) && !defined(NO_SSL3)
-/* SSLv2/v3 compatablitity states */
+/* SSLv2/v3 compatibility states */
 /* client */
 case SSL23_ST_CW_CLNT_HELLO_A:			str="23WCHA"; break;
 case SSL23_ST_CW_CLNT_HELLO_B:			str="23WCHB"; break;
@@ -402,7 +402,7 @@ char *SSL_alert_desc_string_long(int value)
 		str="close notify";
 		break;
 	case SSL3_AD_UNEXPECTED_MESSAGE:
-		str="unexected_message";
+		str="unexpected_message";
 		break;
 	case SSL3_AD_BAD_RECORD_MAC:
 		str="bad record mac";
@@ -429,7 +429,7 @@ char *SSL_alert_desc_string_long(int value)
 		str="certificate expired";
 		break;
 	case SSL3_AD_CERTIFICATE_UNKNOWN:
-		str="certifcate unknown";
+		str="certificate unknown";
 		break;
 	case SSL3_AD_ILLEGAL_PARAMETER:
 		str="illegal parameter";
diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c
index ca67a98d896..7e27857bcfc 100644
--- a/lib/libssl/ssl_txt.c
+++ b/lib/libssl/ssl_txt.c
@@ -112,7 +112,7 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
 		sprintf(str,"%02X",x->session_id[i]);
 		if (BIO_puts(bp,str) <= 0) goto err;
 		}
-	if (BIO_puts(bp,"\nSession-ID-ctx: ") <= 0) goto err;
+	if (BIO_puts(bp,"\n    Session-ID-ctx: ") <= 0) goto err;
 	for (i=0; i<x->sid_ctx_length; i++)
 		{
 		sprintf(str,"%02X",x->sid_ctx[i]);
@@ -163,6 +163,11 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
 		if (BIO_puts(bp,str) <= 0) goto err;
 		}
 	if (BIO_puts(bp,"\n") <= 0) goto err;
+
+	if (BIO_puts(bp, "    Verify return code ") <= 0) goto err;
+	sprintf(str, "%ld (%s)\n", x->verify_result, 
+			X509_verify_cert_error_string(x->verify_result));
+	if (BIO_puts(bp,str) <= 0) goto err;
 		
 	return(1);
 err:
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 914b7434987..279e45db5dd 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -494,7 +494,7 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
 	}
 
 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
-	     unsigned char *str, int slen, unsigned char *out)
+	     const char *str, int slen, unsigned char *out)
 	{
 	unsigned int i;
 	EVP_MD_CTX ctx;
@@ -621,11 +621,11 @@ int tls1_alert_code(int code)
 	case SSL_AD_ACCESS_DENIED:	return(TLS1_AD_ACCESS_DENIED);
 	case SSL_AD_DECODE_ERROR:	return(TLS1_AD_DECODE_ERROR);
 	case SSL_AD_DECRYPT_ERROR:	return(TLS1_AD_DECRYPT_ERROR);
-	case SSL_AD_EXPORT_RESTRICION:	return(TLS1_AD_EXPORT_RESTRICION);
+	case SSL_AD_EXPORT_RESTRICTION:	return(TLS1_AD_EXPORT_RESTRICTION);
 	case SSL_AD_PROTOCOL_VERSION:	return(TLS1_AD_PROTOCOL_VERSION);
 	case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
 	case SSL_AD_INTERNAL_ERROR:	return(TLS1_AD_INTERNAL_ERROR);
-	case SSL_AD_USER_CANCLED:	return(TLS1_AD_USER_CANCLED);
+	case SSL_AD_USER_CANCELLED:	return(TLS1_AD_USER_CANCELLED);
 	case SSL_AD_NO_RENEGOTIATION:	return(TLS1_AD_NO_RENEGOTIATION);
 	default:			return(-1);
 		}
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index ddf5c15799e..ca6c03d5af1 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -60,13 +60,9 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
+const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
 
-#ifndef NO_PROTO
 static long tls1_default_timeout(void);
-#else
-static long tls1_default_timeout();
-#endif
 
 static SSL3_ENC_METHOD TLSv1_enc_data={
 	tls1_enc,
@@ -105,6 +101,9 @@ static SSL_METHOD TLSv1_data= {
 	ssl_bad_method,
 	tls1_default_timeout,
 	&TLSv1_enc_data,
+	ssl_undefined_function,
+	ssl3_callback_ctrl,
+	ssl3_ctx_callback_ctrl,
 	};
 
 static long tls1_default_timeout(void)
@@ -142,4 +141,9 @@ long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
 	{
 	return(0);
 	}
+
+long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)())
+	{
+	return(0);
+	}
 #endif
diff --git a/lib/libssl/test/Makefile.ssl b/lib/libssl/test/Makefile.ssl
index ea865201286..dbb523bf15f 100644
--- a/lib/libssl/test/Makefile.ssl
+++ b/lib/libssl/test/Makefile.ssl
@@ -13,6 +13,7 @@ INSTALLTOP=	/usr/local/ssl
 MAKEFILE=	Makefile.ssl
 MAKE=		make -f $(MAKEFILE)
 MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+PERL=		perl
 
 PEX_LIBS=
 EX_LIBS= #-lnsl -lsocket
@@ -50,7 +51,7 @@ DHTEST=		dhtest
 DSATEST=	dsatest
 METHTEST=	methtest
 SSLTEST=	ssltest
-RSATEST=	rsa_oaep_test
+RSATEST=	rsa_test
 
 EXE=	$(BNTEST) $(IDEATEST) $(MD2TEST)  $(MD5TEST) $(HMACTEST) \
 	$(RC2TEST) $(RC4TEST) $(RC5TEST) \
@@ -98,9 +99,9 @@ tags:
 
 tests:	exe apps \
 	test_des test_idea test_sha test_md5 test_hmac test_md2 test_mdc2 \
-	test_rc2 test_rc4 test_rc5 test_bf test_cast \
+	test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \
 	test_rand test_bn test_enc test_x509 test_rsa test_crl test_sid \
-	test_reqgen test_req test_pkcs7 test_verify test_dh test_dsa \
+	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
 	test_ss test_ssl test_ca
 
 apps:
@@ -180,9 +181,10 @@ test_pkcs7:
 
 test_bn:
 	@echo starting big number library test, could take a while...
-	@(./$(BNTEST)|bc) | awk '{ \
-if ($$0 != "0") {print "error"; exit(1); } \
-if (((NR+1)%64) == 0) print NR+1," tests done"; }'
+	@./$(BNTEST) >tmp.bntest
+	@echo quit >>tmp.bntest
+	@echo "running bc"
+	@bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"'
 	@echo 'test a^b%c implementations'
 	./$(EXPTEST)
 
@@ -192,14 +194,15 @@ test_verify:
 	../apps/openssl verify -CApath ../certs ../certs/*.pem
 
 test_dh:
-	@echo "Generate as set of DH parameters"
+	@echo "Generate a set of DH parameters"
 	./$(DHTEST)
 
 test_dsa:
-	@echo "Generate as set of DSA parameters"
+	@echo "Generate a set of DSA parameters"
 	./$(DSATEST)
+	./$(DSATEST) -app2_1
 
-test_reqgen:
+test_gen:
 	@echo "Generate and verify a certificate request"
 	@sh ./testgen
 
@@ -226,7 +229,7 @@ dclean:
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log
+	rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log
 
 $(DLIBSSL):
 	(cd ../ssl; $(MAKE))
@@ -325,16 +328,19 @@ destest.o: ../include/openssl/opensslconf.h
 dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h
 dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 dhtest.o: ../include/openssl/stack.h
 dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h
 dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h
 dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dsatest.o: ../include/openssl/rand.h ../include/openssl/stack.h
+dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dsatest.o: ../include/openssl/stack.h
 exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h
 exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-exptest.o: ../include/openssl/rand.h ../include/openssl/stack.h
+exptest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+exptest.o: ../include/openssl/stack.h
 hmactest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 hmactest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 hmactest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
@@ -359,11 +365,12 @@ rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h
 rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h
 rc5test.o: ../include/openssl/rc5.h
 rmdtest.o: ../include/openssl/ripemd.h
-rsa_oaep_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-rsa_oaep_test.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-rsa_oaep_test.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
-rsa_oaep_test.o: ../include/openssl/opensslv.h ../include/openssl/rsa.h
-rsa_oaep_test.o: ../include/openssl/stack.h
+rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
+rsa_test.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+rsa_test.o: ../include/openssl/err.h ../include/openssl/opensslconf.h
+rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rsa_test.o: ../include/openssl/stack.h
 sha1test.o: ../include/openssl/sha.h
 shatest.o: ../include/openssl/sha.h
 ssltest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
@@ -378,11 +385,12 @@ ssltest.o: ../include/openssl/md2.h ../include/openssl/md5.h
 ssltest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
 ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ssltest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ssltest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssltest.o: ../include/openssl/stack.h ../include/openssl/tls1.h
-ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssltest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssltest.o: ../include/openssl/x509_vfy.h
diff --git a/lib/libssl/test/dsa-ca.pem b/lib/libssl/test/dsa-ca.pem
index 9eb08f3ddd4..e69de29bb2d 100644
--- a/lib/libssl/test/dsa-ca.pem
+++ b/lib/libssl/test/dsa-ca.pem
@@ -1,43 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,C5B6C7CC9E1FE2C0
-
-svCXBcBRhMuU22UXOfiKZA+thmz6KYXpt1Yg5Rd+TYQcQ1MdvNy0B0tkP1SxzDq0
-Xh1eMeTML9/9/0rKakgNXXXbpi5RB8t6BmwRSyej89F7nn1mtR3qzoyPRpp15SDl
-Tn67C+2v+HDF3MFk88hiNCYkNbcmi7TWvChsl8N1r7wdZwtIox56yXdgxw6ZIpa/
-par0oUCzN7fiavPgCWz1kfPNSaBQSdxwH7TZi5tMHAr0J3C7a7QRnZfE09R59Uqr
-zslrq+ndIw1BZAxoY0SlBu+iFOVaBVlwToC4AsHkv7j7l8ITtr7f42YbBa44D9TO
-uOhONmkk/v3Fso4RaOEzdKZC+hnmmzvHs6TiTWm6yzJgSFwyOUK0eGmKEeVxpcH5
-rUOlHOwzen+FFtocZDZAfdFnb7QY7L/boQvyA5A+ZbRG4DUpmBQeQsSaICHM5Rxx
-1QaLF413VNPXTLPbW0ilSc2H8x2iZTIVKfd33oSO6NhXPtSYQgfecEF4BvNHY5c4
-HovjT4mckbK95bcBzoCHu43vuSQkmZzdYo/ydSZt6zoPavbBLueTpgSbdXiDi827
-MVqOsYxGCb+kez0FoDSTgw==
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE REQUEST-----
-MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
-ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
-sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
-rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
-cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
-bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
-CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
-F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
-vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
-AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
-3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
-AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
------END CERTIFICATE REQUEST-----
------BEGIN CERTIFICATE-----
-MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
-AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
-ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
-MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
-MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
-C1Q=
------END CERTIFICATE-----
-
diff --git a/lib/libssl/test/dsa-pca.pem b/lib/libssl/test/dsa-pca.pem
index e3641ad47e6..e69de29bb2d 100644
--- a/lib/libssl/test/dsa-pca.pem
+++ b/lib/libssl/test/dsa-pca.pem
@@ -1,49 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,F80EEEBEEA7386C4
-
-GZ9zgFcHOlnhPoiSbVi/yXc9mGoj44A6IveD4UlpSEUt6Xbse3Fr0KHIUyQ3oGnS
-mClKoAp/eOTb5Frhto85SzdsxYtac+X1v5XwdzAMy2KowHVk1N8A5jmE2OlkNPNt
-of132MNlo2cyIRYaa35PPYBGNCmUm7YcYS8O90YtkrQZZTf4+2C4kllhMcdkQwkr
-FWSWC8YOQ7w0LHb4cX1FejHHom9Nd/0PN3vn3UyySvfOqoR7nbXkrpHXmPIr0hxX
-RcF0aXcV/CzZ1/nfXWQf4o3+oD0T22SDoVcZY60IzI0oIc3pNCbDV3uKNmgekrFd
-qOUJ+QW8oWp7oefRx62iBfIeC8DZunohMXaWAQCU0sLQOR4yEdeUCnzCSywe0bG1
-diD0KYaEe+Yub1BQH4aLsBgDjardgpJRTQLq0DUvw0/QGO1irKTJzegEDNVBKrVn
-V4AHOKT1CUKqvGNRP1UnccUDTF6miOAtaj/qpzra7sSk7dkGBvIEeFoAg84kfh9h
-hVvF1YyzC9bwZepruoqoUwke/WdNIR5ymOVZ/4Liw0JdIOcq+atbdRX08niqIRkf
-dsZrUj4leo3zdefYUQ7w4N2Ns37yDFq7
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE REQUEST-----
-MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
-MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
-lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
-Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
-5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
-aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
-kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
-QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
-6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
-yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
-z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
-nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
------END CERTIFICATE REQUEST-----
------BEGIN CERTIFICATE-----
-MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
-ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
-R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
-JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
-BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
-mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
-VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
-uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
-umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
-29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
-AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
-5rKUjNBhSg==
------END CERTIFICATE-----
-
diff --git a/lib/libssl/test/maketests.com b/lib/libssl/test/maketests.com
index e4b052e6887..1246d9a077e 100644
--- a/lib/libssl/test/maketests.com
+++ b/lib/libssl/test/maketests.com
@@ -147,7 +147,7 @@ $ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD5TEST,HMACTEST,"+ -
 	       "RC2TEST,RC4TEST,RC5TEST,"+ -
 	       "DESTEST,SHATEST,SHA1TEST,MDC2TEST,RMDTEST,"+ -
 	       "RANDTEST,DHTEST,"+ -
-	       "BFTEST,CASTTEST,SSLTEST,EXPTEST,DSATEST,RSA_OAEP_TEST"
+	       "BFTEST,CASTTEST,SSLTEST,EXPTEST,DSATEST,RSA_TEST"
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
      TCPIP_PROGRAMS = ",SSLTEST,"
@@ -730,12 +730,36 @@ $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
 $ CCDEFS = "VMS=1,TCPIP_TYPE_''P4'"
+$ IF F$TRNLNM("OPENSSL_NO_ASM") THEN CCDEFS = CCDEFS + ",NO_ASM"
+$ IF F$TRNLNM("OPENSSL_NO_RSA") THEN CCDEFS = CCDEFS + ",NO_RSA"
+$ IF F$TRNLNM("OPENSSL_NO_DSA") THEN CCDEFS = CCDEFS + ",NO_DSA"
+$ IF F$TRNLNM("OPENSSL_NO_DH") THEN CCDEFS = CCDEFS + ",NO_DH"
+$ IF F$TRNLNM("OPENSSL_NO_MD2") THEN CCDEFS = CCDEFS + ",NO_MD2"
+$ IF F$TRNLNM("OPENSSL_NO_MD5") THEN CCDEFS = CCDEFS + ",NO_MD5"
+$ IF F$TRNLNM("OPENSSL_NO_RIPEMD") THEN CCDEFS = CCDEFS + ",NO_RIPEMD"
+$ IF F$TRNLNM("OPENSSL_NO_SHA") THEN CCDEFS = CCDEFS + ",NO_SHA"
+$ IF F$TRNLNM("OPENSSL_NO_SHA0") THEN CCDEFS = CCDEFS + ",NO_SHA0"
+$ IF F$TRNLNM("OPENSSL_NO_SHA1") THEN CCDEFS = CCDEFS + ",NO_SHA1"
+$ IF F$TRNLNM("OPENSSL_NO_DES")
+$ THEN
+$   CCDEFS = CCDEFS + ",NO_DES,NO_MDC2"
+$ ELSE
+$   IF F$TRNLNM("OPENSSL_NO_MDC2") THEN CCDEFS = CCDEFS + ",NO_MDC2"
+$ ENDIF
+$ IF F$TRNLNM("OPENSSL_NO_RC2") THEN CCDEFS = CCDEFS + ",NO_RC2"
+$ IF F$TRNLNM("OPENSSL_NO_RC4") THEN CCDEFS = CCDEFS + ",NO_RC4"
+$ IF F$TRNLNM("OPENSSL_NO_RC5") THEN CCDEFS = CCDEFS + ",NO_RC5"
+$ IF F$TRNLNM("OPENSSL_NO_IDEA") THEN CCDEFS = CCDEFS + ",NO_IDEA"
+$ IF F$TRNLNM("OPENSSL_NO_BF") THEN CCDEFS = CCDEFS + ",NO_BF"
+$ IF F$TRNLNM("OPENSSL_NO_CAST") THEN CCDEFS = CCDEFS + ",NO_CAST"
+$ IF F$TRNLNM("OPENSSL_NO_HMAC") THEN CCDEFS = CCDEFS + ",NO_HMAC"
+$ IF F$TRNLNM("OPENSSL_NO_SSL2") THEN CCDEFS = CCDEFS + ",NO_SSL2"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = ""
+$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
-	CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
diff --git a/lib/libssl/test/rsa_test.c b/lib/libssl/test/rsa_test.c
new file mode 100644
index 00000000000..e5ae0c1f698
--- /dev/null
+++ b/lib/libssl/test/rsa_test.c
@@ -0,0 +1,314 @@
+/* test vectors from p1ovect1.txt */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#ifdef NO_RSA
+int main(int argc, char *argv[])
+{
+    printf("No RSA support\n");
+    return(0);
+}
+#else
+#include <openssl/rsa.h>
+
+#define SetKey \
+  key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
+  key->e = BN_bin2bn(e, sizeof(e)-1, key->e); \
+  key->d = BN_bin2bn(d, sizeof(d)-1, key->d); \
+  key->p = BN_bin2bn(p, sizeof(p)-1, key->p); \
+  key->q = BN_bin2bn(q, sizeof(q)-1, key->q); \
+  key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); \
+  key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); \
+  key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); \
+  memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
+  return (sizeof(ctext_ex) - 1);
+
+static int key1(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
+"\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
+"\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
+"\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
+"\xF5";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
+"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
+"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
+"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
+
+    static unsigned char p[] =
+"\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
+"\x0D";
+    
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x89";
+
+    static unsigned char dmp1[] =
+"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
+"\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
+
+    static unsigned char dmq1[] =
+"\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
+"\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
+"\x51";
+
+    static unsigned char iqmp[] =
+"\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
+"\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
+
+    static unsigned char ctext_ex[] =
+"\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
+"\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
+"\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
+"\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
+
+    SetKey;
+    }
+
+static int key2(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
+"\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
+"\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
+"\x34\x77\xCF";
+
+    static unsigned char e[] = "\x3";
+
+    static unsigned char d[] =
+"\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
+"\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
+"\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
+"\xE5\xEB";
+
+    static unsigned char p[] =
+"\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
+"\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
+    
+    static unsigned char dmp1[] =
+"\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
+"\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
+
+    static unsigned char dmq1[] =
+"\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
+"\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
+
+    static unsigned char iqmp[] =
+"\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
+"\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
+
+    static unsigned char ctext_ex[] =
+"\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
+"\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
+"\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
+"\x62\x51";
+
+    SetKey;
+    }
+
+static int key3(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
+"\xCB";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+"\xC1";
+
+    static unsigned char p[] =
+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+"\x99";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+"\x03";
+
+    static unsigned char dmp1[] =
+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
+
+    static unsigned char dmq1[] =
+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
+    
+    static unsigned char iqmp[] =
+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+"\xF7";
+
+    static unsigned char ctext_ex[] =
+"\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
+"\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
+"\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
+"\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
+"\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
+"\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
+"\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
+"\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
+
+    SetKey;
+    }
+
+static int pad_unknown(void)
+{
+    unsigned long l;
+    while ((l = ERR_get_error()) != 0)
+      if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
+	return(1);
+    return(0);
+}
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int main(int argc, char *argv[])
+    {
+    int err=0;
+    int v;
+    RSA *key;
+    unsigned char ptext[256];
+    unsigned char ctext[256];
+    static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
+    unsigned char ctext_ex[256];
+    int plen;
+    int clen = 0;
+    int num;
+
+    RAND_seed(rnd_seed, sizeof rnd_seed); /* or OAEP may fail */
+
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+	
+    plen = sizeof(ptext_ex) - 1;
+
+    for (v = 0; v < 3; v++)
+	{
+	key = RSA_new();
+	switch (v) {
+    case 0:
+	clen = key1(key, ctext_ex);
+	break;
+    case 1:
+	clen = key2(key, ctext_ex);
+	break;
+    case 2:
+	clen = key3(key, ctext_ex);
+	break;
+	}
+
+	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+				 RSA_PKCS1_PADDING);
+	if (num != clen)
+	    {
+	    printf("PKCS#1 v1.5 encryption failed!\n");
+	    err=1;
+	    goto oaep;
+	    }
+  
+	num = RSA_private_decrypt(num, ctext, ptext, key,
+				  RSA_PKCS1_PADDING);
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("PKCS#1 v1.5 decryption failed!\n");
+	    err=1;
+	    }
+	else
+	    printf("PKCS #1 v1.5 encryption/decryption ok\n");
+
+    oaep:
+	ERR_clear_error();
+	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+				 RSA_PKCS1_OAEP_PADDING);
+	if (num == -1 && pad_unknown())
+	    {
+	    printf("No OAEP support\n");
+	    goto next;
+	    }
+	if (num != clen)
+	    {
+	    printf("OAEP encryption failed!\n");
+	    err=1;
+	    goto next;
+	    }
+  
+	num = RSA_private_decrypt(num, ctext, ptext, key,
+				  RSA_PKCS1_OAEP_PADDING);
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("OAEP decryption (encrypted data) failed!\n");
+	    err=1;
+	    }
+	else if (memcmp(ctext, ctext_ex, num) == 0)
+	    {
+	    printf("OAEP test vector %d passed!\n", v);
+	    goto next;
+	    }
+    
+	/* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
+	   Try decrypting ctext_ex */
+
+	num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
+				  RSA_PKCS1_OAEP_PADDING);
+
+	if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+	    {
+	    printf("OAEP decryption (test vector data) failed!\n");
+	    err=1;
+	    }
+	else
+	    printf("OAEP encryption/decryption ok\n");
+    next:
+	RSA_free(key);
+	}
+
+    ERR_remove_state(0);
+
+    CRYPTO_mem_leaks_fp(stdout);
+
+    return err;
+    }
+#endif
diff --git a/lib/libssl/test/tcrl.com b/lib/libssl/test/tcrl.com
index cef21467bb6..2e6ab2814d8 100644
--- a/lib/libssl/test/tcrl.com
+++ b/lib/libssl/test/tcrl.com
@@ -10,6 +10,9 @@ $	t := testcrl.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing CRL conversions"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -52,27 +55,27 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: fff.p f.p
+$	backup/compare fff.p f.p
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p1
+$	backup/compare fff.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: fff.p ff.p2
+$!	backup/compare fff.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p3
+$	backup/compare fff.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$!	difference/output=nl: f.t ff.t1
+$!	backup/compare f.t ff.t1
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t2
+$!	backup/compare f.t ff.t2
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t3
+$!	backup/compare f.t ff.t3
 $!	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.p ff.p2
+$!	backup/compare f.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/test/testca.com b/lib/libssl/test/testca.com
index ea75479cd5a..c670f2bf5f7 100644
--- a/lib/libssl/test/testca.com
+++ b/lib/libssl/test/testca.com
@@ -40,7 +40,9 @@ $
 $	set noon
 $	call deltree [.demoCA]*.*
 $	set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) demoCA.dir;*
-$	delete demoCA.dir;*,newcert.pem;*,newreq.pem;*
+$	delete demoCA.dir;*
+$	if f$search("newcert.pem") .nes. "" then delete newcert.pem;*
+$	if f$search("newcert.pem") .nes. "" then delete newreq.pem;*
 $	set on
 $!	#usage: CA -newcert|-newreq|-newca|-sign|-verify
 $
diff --git a/lib/libssl/test/testenc.com b/lib/libssl/test/testenc.com
index 0756e8badaa..3b66f2e0d06 100644
--- a/lib/libssl/test/testenc.com
+++ b/lib/libssl/test/testenc.com
@@ -8,19 +8,23 @@ $	testsrc := makefile.ssl
 $	test := p.txt
 $	cmd := mcr 'exe_dir'openssl
 $
+$	if f$search(test) .nes. "" then delete 'test';*
 $	copy 'testsrc' 'test'
 $
+$	if f$search(test+"-cipher") .nes. "" then delete 'test'-cipher;*
+$	if f$search(test+"-clear") .nes. "" then delete 'test'-clear;*
+$
 $	write sys$output "cat"
 $	'cmd' enc -in 'test' -out 'test'-cipher
 $	'cmd' enc -in 'test'-cipher -out 'test'-clear
-$	difference/output=nl: 'test' 'test'-clear
+$	backup/compare 'test' 'test'-clear
 $	if $severity .ne. 1 then exit 3
 $	delete 'test'-cipher;*,'test'-clear;*
 $
 $	write sys$output "base64"
 $	'cmd' enc -a -e -in 'test' -out 'test'-cipher
 $	'cmd' enc -a -d -in 'test'-cipher -out 'test'-clear
-$	difference/output=nl: 'test' 'test'-clear
+$	backup/compare 'test' 'test'-clear
 $	if $severity .ne. 1 then exit 3
 $	delete 'test'-cipher;*,'test'-clear;*
 $
@@ -30,16 +34,22 @@ $	open/read f 'test'-cipher-commands
 $ loop_cipher_commands:
 $	read/end=loop_cipher_commands_end f i
 $	write sys$output i
+$
+$	if f$search(test+"-"+i+"-cipher") .nes. "" then -
+		delete 'test'-'i'-cipher;*
+$	if f$search(test+"-"+i+"-clear") .nes. "" then -
+		delete 'test'-'i'-clear;*
+$
 $	'cmd' 'i' -bufsize 113 -e -k test -in 'test' -out 'test'-'i'-cipher
 $	'cmd' 'i' -bufsize 157 -d -k test -in 'test'-'i'-cipher -out 'test'-'i'-clear
-$	difference/output=nl: 'test' 'test'-'i'-clear
+$	backup/compare 'test' 'test'-'i'-clear
 $	if $severity .ne. 1 then exit 3
 $	delete 'test'-'i'-cipher;*,'test'-'i'-clear;*
 $
 $	write sys$output i," base64"
 $	'cmd' 'i' -bufsize 113 -a -e -k test -in 'test' -out 'test'-'i'-cipher
 $	'cmd' 'i' -bufsize 157 -a -d -k test -in 'test'-'i'-cipher -out 'test'-'i'-clear
-$	difference/output=nl: 'test' 'test'-'i'-clear
+$	backup/compare 'test' 'test'-'i'-clear
 $	if $severity .ne. 1 then exit 3
 $	delete 'test'-'i'-cipher;*,'test'-'i'-clear;*
 $
diff --git a/lib/libssl/test/testgen b/lib/libssl/test/testgen
index 3534f5821f0..c5f61b582be 100644
--- a/lib/libssl/test/testgen
+++ b/lib/libssl/test/testgen
@@ -15,6 +15,8 @@ echo "There should be a 2 sequences of .'s and some +'s."
 echo "There should not be more that at most 80 per line"
 echo "This could take some time."
 
+echo "string to make the random number generator think it has entropy" >> ./.rnd
+
 ../apps/openssl req -config test.cnf -new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
diff --git a/lib/libssl/test/testgen.com b/lib/libssl/test/testgen.com
index ec302f524a4..0e9029371a3 100644
--- a/lib/libssl/test/testgen.com
+++ b/lib/libssl/test/testgen.com
@@ -20,6 +20,11 @@ $	write sys$output "There should be a 2 sequences of .'s and some +'s."
 $	write sys$output "There should not be more that at most 80 per line"
 $	write sys$output "This could take some time."
 $
+$	append/new nl: .rnd
+$	open/append random_file .rnd
+$	write random_file "string to make the random number generator think it has entropy"
+$	close random_file
+$
 $	mcr 'exe_dir'openssl req -config test.cnf -new -out testreq.pem
 $	if $severity .ne. 1
 $	then
diff --git a/lib/libssl/test/tests.com b/lib/libssl/test/tests.com
index 147b8aa8389..040dafab8dc 100644
--- a/lib/libssl/test/tests.com
+++ b/lib/libssl/test/tests.com
@@ -20,9 +20,9 @@ $	    tests = p1
 $	else
 $	    tests := -
 	test_des,test_idea,test_sha,test_md5,test_hmac,test_md2,test_mdc2,-
-	test_rc2,test_rc4,test_rc5,test_bf,test_cast,-
+	test_rmd,test_rc2,test_rc4,test_rc5,test_bf,test_cast,-
 	test_rand,test_bn,test_enc,test_x509,test_rsa,test_crl,test_sid,-
-	test_reqgen,test_req,test_pkcs7,test_verify,test_dh,test_dsa,-
+	test_gen,test_req,test_pkcs7,test_verify,test_dh,test_dsa,-
 	test_ss,test_ssl,test_ca
 $	endif
 $	tests = f$edit(tests,"COLLAPSE")
@@ -48,7 +48,7 @@ $	DHTEST :=	dhtest
 $	DSATEST :=	dsatest
 $	METHTEST :=	methtest
 $	SSLTEST :=	ssltest
-$	RSATEST :=	rsa_oaep_test
+$	RSATEST :=	rsa_test
 $
 $	tests_i = 0
 $ loop_tests:
@@ -151,9 +151,7 @@ RECORD
 $	create/fdl=bntest-vms.fdl bntest-vms.sh
 $	open/append foo bntest-vms.sh
 $	type/output=foo: sys$input:
-<< __FOO__ bc | awk '{ \
-if ($$0 != "0") {print "error"; exit(1); } \
-if (((NR+1)%64) == 0) print NR+1," tests done"; }'
+<< __FOO__ bc | perl -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $1";} elsif (!/^0$/) {die "\nFailed! bc: $_";} print STDERR "."; $i++;} print STDERR "\n$i tests passed\n"'
 $	define/user sys$output bntest-vms.tmp
 $	mcr 'texe_dir''bntest'
 $	copy bntest-vms.tmp foo:
@@ -173,14 +171,14 @@ $	write sys$output "There are definitly a few expired certificates"
 $	@tverify.com
 $	goto loop_tests
 $ test_dh:
-$	write sys$output "Generate as set of DH parameters"
+$	write sys$output "Generate a set of DH parameters"
 $	mcr 'texe_dir''dhtest'
 $	goto loop_tests
 $ test_dsa:
-$	write sys$output "Generate as set of DSA parameters"
+$	write sys$output "Generate a set of DSA parameters"
 $	mcr 'texe_dir''dsatest'
 $	goto loop_tests
-$ test_reqgen:
+$ test_gen:
 $	write sys$output "Generate and verify a certificate request"
 $	@testgen.com
 $	goto loop_tests
diff --git a/lib/libssl/test/testssl b/lib/libssl/test/testssl
index 255ae5e9768..a88e290c577 100644
--- a/lib/libssl/test/testssl
+++ b/lib/libssl/test/testssl
@@ -63,6 +63,12 @@ echo test sslv3 with both client and server authentication via BIO pair
 echo test sslv2/sslv3 via BIO pair
 ./ssltest || exit 1
 
+echo test sslv2/sslv3 w/o DHE via BIO pair
+./ssltest -bio_pair -no_dhe || exit 1
+
+echo test sslv2/sslv3 with 1024bit DHE
+./ssltest -bio_pair -dhe1024 -v || exit 1
+
 echo test sslv2/sslv3 with server authentication
 ./ssltest -bio_pair -server_auth -CApath ../certs || exit 1
 
diff --git a/lib/libssl/test/testssl.com b/lib/libssl/test/testssl.com
index 93a9aef8026..0b4b0a0ad3c 100644
--- a/lib/libssl/test/testssl.com
+++ b/lib/libssl/test/testssl.com
@@ -58,6 +58,10 @@ $	write sys$output "test sslv2 via BIO pair"
 $	mcr 'exe_dir'ssltest -bio_pair -ssl2 
 $	if $severity .ne. 1 then goto exit3
 $
+$	write sys$output "test sslv2/sslv3 with 1024 bit DHE via BIO pair"
+$	mcr 'exe_dir'ssltest -bio_pair -dhe1024 -v
+$	if $severity .ne. 1 then goto exit3
+$
 $	write sys$output "test sslv2 with server authentication via BIO pair"
 $	mcr 'exe_dir'ssltest -bio_pair -ssl2 -server_auth "-CAfile" certs.tmp 
 $	if $severity .ne. 1 then goto exit3
@@ -90,6 +94,10 @@ $	write sys$output "test sslv2/sslv3 via BIO pair"
 $	mcr 'exe_dir'ssltest 
 $	if $severity .ne. 1 then goto exit3
 $
+$	write sys$output "test sslv2/sslv3 w/o DHE via BIO pair"
+$	mcr 'exe_dir'ssltest -bio_pair -no_dhe
+$	if $severity .ne. 1 then goto exit3
+$
 $	write sys$output "test sslv2/sslv3 with server authentication"
 $	mcr 'exe_dir'ssltest -bio_pair -server_auth "-CAfile" certs.tmp 
 $	if $severity .ne. 1 then goto exit3
diff --git a/lib/libssl/test/tpkcs7.com b/lib/libssl/test/tpkcs7.com
index 5ed920ac345..9e345937c6e 100644
--- a/lib/libssl/test/tpkcs7.com
+++ b/lib/libssl/test/tpkcs7.com
@@ -10,6 +10,9 @@ $	t := testp7.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing PKCS7 conversions"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -34,16 +37,16 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: fff.p f.p
+$	backup/compare fff.p f.p
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p1
+$	backup/compare fff.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p3
+$	backup/compare fff.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/test/tpkcs7d.com b/lib/libssl/test/tpkcs7d.com
index 08d33eaa690..7d4f8794a4c 100644
--- a/lib/libssl/test/tpkcs7d.com
+++ b/lib/libssl/test/tpkcs7d.com
@@ -10,6 +10,9 @@ $	t := pkcs7-1.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing PKCS7 conversions (2)"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -34,9 +37,9 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/test/treq.com b/lib/libssl/test/treq.com
index 9eb1d26f6e3..22c22c3aa9e 100644
--- a/lib/libssl/test/treq.com
+++ b/lib/libssl/test/treq.com
@@ -10,6 +10,9 @@ $	t := testreq.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing req conversions"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -52,27 +55,27 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: fff.p f.p
+$	backup/compare fff.p f.p
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p1
+$	backup/compare fff.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: fff.p ff.p2
+$!	backup/compare fff.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p3
+$	backup/compare fff.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$!	difference/output=nl: f.t ff.t1
+$!	backup/compare f.t ff.t1
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t2
+$!	backup/compare f.t ff.t2
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t3
+$!	backup/compare f.t ff.t3
 $!	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.p ff.p2
+$!	backup/compare f.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/test/trsa.com b/lib/libssl/test/trsa.com
index 9c9083d02b8..28add5eefd0 100644
--- a/lib/libssl/test/trsa.com
+++ b/lib/libssl/test/trsa.com
@@ -10,6 +10,9 @@ $	t := testrsa.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing RSA conversions"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -52,27 +55,27 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: fff.p f.p
+$	backup/compare fff.p f.p
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p1
+$	backup/compare fff.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: fff.p ff.p2
+$!	backup/compare fff.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p3
+$	backup/compare fff.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$!	difference/output=nl: f.t ff.t1
+$!	backup/compare f.t ff.t1
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t2
+$!	backup/compare f.t ff.t2
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t3
+$!	backup/compare f.t ff.t3
 $!	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.p ff.p2
+$!	backup/compare f.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/test/tsid.com b/lib/libssl/test/tsid.com
index 28d83e5c4ed..bde23f9bb97 100644
--- a/lib/libssl/test/tsid.com
+++ b/lib/libssl/test/tsid.com
@@ -10,6 +10,9 @@ $	t := testsid.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing session-id conversions"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -52,27 +55,27 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: fff.p f.p
+$	backup/compare fff.p f.p
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p1
+$	backup/compare fff.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: fff.p ff.p2
+$!	backup/compare fff.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p3
+$	backup/compare fff.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$!	difference/output=nl: f.t ff.t1
+$!	backup/compare f.t ff.t1
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t2
+$!	backup/compare f.t ff.t2
 $!	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.t ff.t3
+$!	backup/compare f.t ff.t3
 $!	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$!	difference/output=nl: f.p ff.p2
+$!	backup/compare f.p ff.p2
 $!	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/test/tx509.com b/lib/libssl/test/tx509.com
index bbcf0a384b3..985969c566f 100644
--- a/lib/libssl/test/tx509.com
+++ b/lib/libssl/test/tx509.com
@@ -10,6 +10,9 @@ $	t := testx509.pem
 $	if p1 .nes. "" then t = p1
 $
 $	write sys$output "testing X509 conversions"
+$	if f$search("fff.*") .nes "" then delete fff.*;*
+$	if f$search("ff.*") .nes "" then delete ff.*;*
+$	if f$search("f.*") .nes "" then delete f.*;*
 $	copy 't' fff.p
 $
 $	write sys$output "p -> d"
@@ -52,27 +55,27 @@ $	write sys$output "p -> p"
 $	'cmd' -in f.p -inform p -outform p -out ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: fff.p f.p
+$	backup/compare fff.p f.p
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p1
+$	backup/compare fff.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p2
+$	backup/compare fff.p ff.p2
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: fff.p ff.p3
+$	backup/compare fff.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.n ff.n1
+$	backup/compare f.n ff.n1
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.n ff.n2
+$	backup/compare f.n ff.n2
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.n ff.n3
+$	backup/compare f.n ff.n3
 $	if $severity .ne. 1 then exit 3
 $
-$	difference/output=nl: f.p ff.p1
+$	backup/compare f.p ff.p1
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p2
+$	backup/compare f.p ff.p2
 $	if $severity .ne. 1 then exit 3
-$	difference/output=nl: f.p ff.p3
+$	backup/compare f.p ff.p3
 $	if $severity .ne. 1 then exit 3
 $
 $	delete f.*;*,ff.*;*,fff.*;*
diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h
index a931efa936a..6e2b06d34f7 100644
--- a/lib/libssl/tls1.h
+++ b/lib/libssl/tls1.h
@@ -65,7 +65,7 @@
 extern "C" {
 #endif
 
-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	0
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1
 
 #define TLS1_VERSION			0x0301
 #define TLS1_VERSION_MAJOR		0x03
@@ -77,11 +77,11 @@ extern "C" {
 #define TLS1_AD_ACCESS_DENIED		49	/* fatal */
 #define TLS1_AD_DECODE_ERROR		50	/* fatal */
 #define TLS1_AD_DECRYPT_ERROR		51
-#define TLS1_AD_EXPORT_RESTRICION	60	/* fatal */
+#define TLS1_AD_EXPORT_RESTRICTION	60	/* fatal */
 #define TLS1_AD_PROTOCOL_VERSION	70	/* fatal */
 #define TLS1_AD_INSUFFICIENT_SECURITY	71	/* fatal */
 #define TLS1_AD_INTERNAL_ERROR		80	/* fatal */
-#define TLS1_AD_USER_CANCLED		90
+#define TLS1_AD_USER_CANCELLED		90
 #define TLS1_AD_NO_RENEGOTIATION	100
 
 #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5		0x03000060