Synchronise with Unix build.

Typo correction
When _XOPEN_SOURCE is defined, make sure it's defined to 500. Required in
2005-05-24 03:50:47 +00:00 · 2005-05-24 03:27:18 +00:00 · 2005-05-21 17:39:48 +00:00 · 2005-05-19 22:29:55 +00:00 · 2005-05-17 19:48:42 +00:00 · 2005-05-17 06:57:14 +00:00
183 changed files with 9015 additions and 2883 deletions
--- a/38
+++ b/38
@@ -2,6 +2,44 @@
 OpenSSL CHANGES
 _______________

+ Changes between 0.9.7g and 0.9.7h  [XX xxx XXXX]
+
+  *) Make a new fixed-window mod_exp implementation the default for
+     RSA, DSA, and DH private-key operations so that the sequence of
+     squares and multiplies and the memory access pattern are
+     independent of the particular secret key.  This will mitigate
+     cache-timing and potential related attacks.
+
+     BN_mod_exp_mont_consttime() is the new exponentiation implementation,
+     and this is automatically used by BN_mod_exp_mont() if the new flag
+     BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
+     will use this BN flag for private exponents unless the flag
+     RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
+     DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
+
+     [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
+
+  *) Change the client implementation for SSLv23_method() and
+     SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
+     Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
+     (Previously, the SSL 2.0 backwards compatible Client Hello
+     message format would be used even with SSL_OP_NO_SSLv2.)
+     [Bodo Moeller]
+
+  *) Add support for smime-type MIME parameter in S/MIME messages which some
+     clients need.
+     [Steve Henson]
+
+  *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
+     a threadsafe manner. Modify rsa code to use new function and add calls
+     to dsa and dh code (which had race conditions before).
+     [Steve Henson]
+
+  *) Include the fixed error library code in the C error file definitions
+     instead of fixing them up at runtime. This keeps the error code
+     structures constant.
+     [Steve Henson]
+
 Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]

  *) Fixes for newer kerberos headers. NB: the casts are needed because
--- a/91
+++ b/91
@@ -177,11 +177,11 @@ my %table=(
 # actually recommend to consider using gcc shared build even with vendor
 # compiler:-)
 #						<appro@fy.chalmers.se>
-"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-x86_64.o:::dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### Solaris x86 with Sun C setups
-"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL::::::::::dlfcn:solaris-shared:-KPIC:-xarch=amd64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL::::::::::dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### SPARC Solaris with GNU C setups
 "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -200,17 +200,17 @@ my %table=(

 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
-"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
-"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
-"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### SPARC Linux setups
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
@@ -271,56 +271,56 @@ my %table=(
 #
 #!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # Since there is mention of this in shlib/hpux10-cc.sh
-"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-Wl,+cdp,../%3a,+cdp,./%3a,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+cdp,../%3a,+cdp,./%3a,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux-shared:+Z:+DD64 -b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # 64bit PARISC for GCC without optimization, which seems to make problems.
 # Submitted by <ross.alexander@uk.neceur.com>
-"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z:-b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
 # with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux64-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z:+DD64 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
 # Chris Ruemmler <ruemmler@cup.hp.com>
 # Kevin Steves <ks@hp.se>
-"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+cdp,../%3a,+cdp,./%3a,+s,+b,\$(INSTALLTOP)/lib -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+cdp,../%3a,+cdp,./%3a,+s,+b,\$(INSTALLTOP)/lib -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux-shared:+Z:+DD64 -b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Isn't the line below meaningless? HP-UX cc optimizes for host by default.
 # hpux-parisc1_0-cc with +DAportable flag would make more sense. <appro>
-"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+cdp,../%3a,+cdp,./%3a,+s,+b,\$(INSTALLTOP)/lib -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # HPUX 9.X config.
 # Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
 # egcs.  gcc 2.8.1 is also broken.

-"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
 # please report your OS and compiler version to the openssl-bugs@openssl.org
 # mailing list.
-"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

-"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux-gcc fails, try this one:
-"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # HPUX 9.X on Motorola 68k platforms with gcc
 "hpux-m68k-gcc",  "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):::BN_LLONG DES_PTR DES_UNROLL:::::::::::::",

 # HPUX 10.X config.  Supports threads.
-"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
-"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

-"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux10-gcc fails, try this one:
-"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s,+b,\$(INSTALLTOP)/lib -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # HPUX 11.X from www.globus.org.
 # Only works on PA-RISC 2.0 cpus, and not optimized.  Why?
@@ -411,8 +411,7 @@ my %table=(
 "linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-em64t", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-x86_64.o:::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -530,14 +529,14 @@ my %table=(
 "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",

 # MinGW
-"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll",
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_out_asm}:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll.a",

 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",

 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:cygwin-shared:-D_WINDLL::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:cygwin-shared:-D_WINDLL::.dll.a",

 # DJGPP
 "DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=\"/dev/urandom\\x24\":::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
@@ -563,7 +562,7 @@ my %table=(

 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/osx_ppc32.o::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/osx_ppc32.o:::::::::dlfcn:darwin-shared:-fPIC -fno-common::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",

 ##### A/UX
@@ -969,6 +968,7 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/]
 print "IsWindows=$IsWindows\n";

 my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
+for (@fields) { s/%([\dA-Fa-f]{2})/chr(hex($1))/eg; }
 my $cc = $fields[$idx_cc];
 my $cflags = $fields[$idx_cflags];
 my $unistd = $fields[$idx_unistd];
@@ -1027,7 +1027,7 @@ else
 			if $withargs{"krb5-dir"} eq "";
 		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
 			"/lib -lgssapi -lkrb5 -lcom_err"
-			if $withargs{"krb5-lib"} eq "";
+			if $withargs{"krb5-lib"} eq "" && !$IsWindows;
 		$cflags="-DKRB5_HEIMDAL $cflags";
 		}
 	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/)
@@ -1036,7 +1036,7 @@ else
 			if $withargs{"krb5-dir"} eq "";
 		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
 			"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
-			if $withargs{"krb5-lib"} eq "";
+			if $withargs{"krb5-lib"} eq "" && !$IsWindows;
 		$cflags="-DKRB5_MIT $cflags";
 		$withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//;
 		if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)
@@ -1055,7 +1055,7 @@ else
 			}
 		}
 	$withargs{"krb5-lib"} .= " -lresolv"
-		if ("$lresolv" ne "");
+		if ("$lresolv" ne "" && !$IsWindows);
 	$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
 		if $withargs{"krb5-include"} eq "" &&
 		   $withargs{"krb5-dir"} ne "";
@@ -1174,16 +1174,22 @@ if ($ranlib eq "")
 $bn_obj = $bn_asm unless $bn_obj ne "";

 my $fips_des_obj;
+my $fips_aes_obj;
 my $fips_sha1_obj;
 if ($fips)
 	{
-	if ($des_obj =~ /\-elf\.o$/ && $no_shared) # FIPS DES module is not PIC
+	if ($des_obj =~ /\-elf\.o$/)
 		{
 		$fips_des_obj='asm/fips-dx86-elf.o';
 		$openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n";
+		$fips_aes_obj='asm/fips-ax86-elf.o';
+		$openssl_other_defines.="#define OPENSSL_FIPS_AES_ASM\n";
 		}
-	else {	$fips_des_obj=$fips_des_enc;  }
-	$fips_sha1_obj='asm/sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/);
+	else	{
+		$fips_des_obj=$fips_des_enc;
+		$fips_aes_obj='fips_aes_core.o';
+		}
+	$fips_sha1_obj='asm/fips-sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/);
 	$des_obj=$sha1_obj="";
 	$openssl_other_defines.="#define OPENSSL_FIPS\n";
 	}
@@ -1287,6 +1293,7 @@ while (<IN>)
 	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
 	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
 	s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/;
+	s/^FIPS_AES_ENC=.*$/FIPS_AES_ENC= $fips_aes_obj/;
 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
 	s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
 	s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
@@ -1654,12 +1661,13 @@ sub print_table_entry
 	{
 	my $target = shift;

+	my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
+	for (@fields) { s/%([\dA-Fa-f]{2})/chr(hex($1))/eg; }
 	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
 	my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
 	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
 	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
-	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)=
-	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
+	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)=@fields;
 			
 	print <<EOF

@@ -1702,6 +1710,7 @@ sub test_sanity
 	foreach $target (sort keys %table)
 		{
 		@fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
+		for (@fields) { s/%([\dA-Fa-f]{2})/chr(hex($1))/eg; }

 		if ($fields[$idx_dso_scheme-1] =~ /^(dl|dlfcn|win32|vms)$/)
 			{
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------

 /* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/Makefile.org
+++ b/Makefile.org
@@ -102,6 +102,7 @@ PROCESSOR=
 # Set DES_ENC to des_enc.o if you want to use the C version
 #There are 4 x86 assember options.
 FIPS_DES_ENC= des_enc.o fcrypt_b.o
+FIPS_AES_ENC= fips_aes_core.o
 DES_ENC= asm/dx86-out.o asm/yx86-out.o
 #DES_ENC= des_enc.o fcrypt_b.o          # C
 #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
@@ -186,7 +187,7 @@ SDIRS=  objects \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

-FDIRS=	sha1 rand des aes dsa rsa dh
+FDIRS=	sha1 rand des aes dsa rsa dh hmac

 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -237,7 +238,7 @@ sub_all:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -248,7 +249,7 @@ sub_target:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making $(TARGET) in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -309,7 +310,7 @@ do_gnu-shared:
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
-		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
+		-Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \
 	libs="-l$$i $$libs"; \
 	done

@@ -321,7 +322,8 @@ do_darwin-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
+	( set -x; ${CC} ${SHARED_LDFLAGS}
+		--verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
 		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
 		-install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \
@@ -338,7 +340,7 @@ do_cygwin-shared:
 	[ "$(PLATFORM)" = "mingw" ] && shlib=$${i}eay32.dll; \
 	[ -f apps/$$shlib ] && rm apps/$$shlib; \
 	[ -f test/$$shlib ] && rm test/$$shlib; \
-	base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0xFE00000; \
+	base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0x61200000; \
 	( set -x; ${CC} ${SHARED_LDFLAGS} \
 		-shared $$base -o $$shlib \
 		-Wl,-Bsymbolic \
@@ -361,7 +363,7 @@ do_alpha-osf1-shared:
 		( set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
+			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -380,7 +382,7 @@ do_tru64-shared:
 		( set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
+			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -400,7 +402,7 @@ do_tru64-shared-rpath:
 			-shared -msym -o lib$$i.so \
 			-rpath  ${INSTALLTOP}/lib \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
+			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -418,12 +420,12 @@ do_solaris-shared:
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  MINUSZ='-z '; \
 		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
+		  set -x; ${CC} ${SHARED_LDFLAGS} \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-Bsymbolic \
 			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
-			$$libs ${EX_LIBS} -lc ) || exit 1; \
+			$$libs ${EX_LIBS} ) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -491,21 +493,12 @@ do_irix-shared:
 		  set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			$${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \
+			$${WHOLELIB} $$libs ${EX_LIBS}) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi

 # This assumes that GNU utilities are *not* used
-# HP-UX includes the full pathname of libs we depend on, so we would get
-# ./libcrypto (with ./ as path information) compiled into libssl, hence
-# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
-# anyway.
-# The object modules are loaded from lib$i.a using the undocumented -Fl
-# option.
-#
-# WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH
-#          by temporarily specifying "+s"!
 #
 do_hpux-shared:
 	for i in ${SHLIBDIRS}; do \
@@ -518,38 +511,11 @@ do_hpux-shared:
 		shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	fi; \
 	[ -f $$shlib ] && rm -f $$shlib; \
-	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		+vnocompatwarnings \
-		-b -z +s \
-		-o $$shlib +h $$shlib \
-		-Fl lib$$i.a -ldld -lc ) || exit 1; \
-	chmod a=rx $$shlib; \
-	done
-
-# This assumes that GNU utilities are *not* used
-# HP-UX includes the full pathname of libs we depend on, so we would get
-# ./libcrypto (with ./ as path information) compiled into libssl, hence
-# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
-# anyway.
-#
-# HP-UX in 64bit mode has "+s" enabled by default; it will search for
-# shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH.
-#
-do_hpux64-shared:
-	for i in ${SHLIBDIRS}; do \
-	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-		libs="$(LIBKRB5) $$libs"; \
-	fi; \
-	if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
-		shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
-	else \
-		shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
-	fi; \
-	[ -f $$shlib ] && rm -f $$shlib; \
-	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		-b -z \
-		-o $$shlib +h $$shlib \
-		+forceload lib$$i.a -ldl -lc ) || exit 1; \
+	ALLSYMSFLAGS='-Wl,-Fl'; \
+	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
+	( set -x; ${CC} ${SHARED_LDFLAGS} \
+		-Wl,-B,symbolic,+vnocompatwarnings,-z,+h,$$shlib \
+		-o $$shlib $$ALLSYMSFLAGS lib$$i.a -ldld ) || exit 1; \
 	chmod a=rx $$shlib; \
 	done

--- a/27
+++ b/27
@@ -1,5 +1,5 @@

- OpenSSL 0.9.7g 11 April 2005
+ OpenSSL 0.9.7h-dev XX xxx XXXX

 Copyright (c) 1998-2005 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -14,13 +14,13 @@
 protocols as well as a full-strength general purpose cryptography library.
 The project is managed by a worldwide community of volunteers that use the
 Internet to communicate, plan, and develop the OpenSSL toolkit and its
- related documentation. 
+ related documentation.

 OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
 OpenSSL license plus the SSLeay license) situation, which basically means
 that you are free to get and use it for commercial and non-commercial
- purposes as long as you fulfill the conditions of both licenses. 
+ purposes as long as you fulfill the conditions of both licenses.

 OVERVIEW
 --------
@@ -53,11 +53,11 @@
        MDC2 message digest. A DES based hash that is popular on smart cards.

     Public Key
-        RSA encryption/decryption/generation.  
+        RSA encryption/decryption/generation.
            There is no limit on the number of bits.
-        DSA encryption/decryption/generation.   
+        DSA encryption/decryption/generation.
            There is no limit on the number of bits.
-        Diffie-Hellman key-exchange/key generation.  
+        Diffie-Hellman key-exchange/key generation.
            There is no limit on the number of bits.

     X.509v3 certificates
@@ -80,16 +80,16 @@
        A simple stack.
        A Configuration loader that uses a format similar to MS .ini files.

- openssl: 
+ openssl:
     A command line tool that can be used for:
        Creation of RSA, DH and DSA key parameters
-        Creation of X.509 certificates, CSRs and CRLs 
+        Creation of X.509 certificates, CSRs and CRLs
        Calculation of Message Digests
        Encryption and Decryption with Ciphers
        SSL/TLS Client and Server Tests
        Handling of S/MIME signed or encrypted mail

-        
+
 PATENTS
 -------

@@ -104,13 +104,15 @@
 licensing conditions. Their web page is http://www.rsasecurity.com/.

 RC4 is a trademark of RSA Security, so use of this label should perhaps
- only be used with RSA Security's permission. 
+ only be used with RSA Security's permission.

 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
 Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
 should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.

+ The MDC2 algorithm is patented by IBM.
+
 INSTALLATION
 ------------

@@ -129,7 +131,7 @@
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.

- SUPPORT 
+ SUPPORT
 -------

 If you have any problems with OpenSSL then please take the following steps
@@ -138,7 +140,7 @@
    - Download the current snapshot from ftp://ftp.openssl.org/snapshot/
      to see if the problem has already been addressed
    - Remove ASM versions of libraries
-    - Remove compiler optimisation flags 
+    - Remove compiler optimisation flags

 If you wish to report a bug then please include the following information in
 any bug report:
@@ -191,3 +193,4 @@
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
+
--- a/153
+++ b/153
@@ -96,7 +96,7 @@ $dso_scheme   = dlfcn
 $shared_target= cygwin-shared
 $shared_cflag = -D_WINDLL
 $shared_ldflag = 
-$shared_extension = .dll
+$shared_extension = .dll.a
 $ranlib       = 
 $arflags      = 

@@ -1427,7 +1427,7 @@ $arflags      =

 *** darwin-ppc-cc
 $cc           = cc
-$cflags       = -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN
+$cflags       = -O3 -fomit-frame-pointer -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
@@ -1442,9 +1442,9 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
+$dso_scheme   = dlfcn
 $shared_target= darwin-shared
-$shared_cflag = -fPIC
+$shared_cflag = -fPIC -fno-common
 $shared_ldflag = 
 $shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 
@@ -1895,7 +1895,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -1945,7 +1945,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2231,7 +2231,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2245,7 +2245,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2256,7 +2256,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -O3
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2270,7 +2270,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2281,7 +2281,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2295,7 +2295,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2306,7 +2306,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -O3
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2320,7 +2320,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2331,7 +2331,7 @@ $cflags       = -Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -ldl
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
 $bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/ia64-cpp.o
 $des_obj      = 
@@ -2345,7 +2345,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2381,7 +2381,7 @@ $cflags       = +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD3
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+cdp,../:,+cdp,./:,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = 
 $des_obj      = 
@@ -2395,7 +2395,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2406,7 +2406,7 @@ $cflags       = -Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY
 $unistd       = 
 $thread_cflag = 
 $sys_id       = 
-$lflags       = -ldld
+$lflags       = -Wl,+cdp,../:,+cdp,./:,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2420,7 +2420,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2431,7 +2431,7 @@ $cflags       = -O3 -DB_ENDIAN -DBN_DIV2W
 $unistd       = 
 $thread_cflag = 
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+cdp,../:,+cdp,./:,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2445,7 +2445,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2456,7 +2456,7 @@ $cflags       = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -D
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+cdp,../:,+cdp,./:,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = 
 $des_obj      = 
@@ -2470,7 +2470,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2481,7 +2481,7 @@ $cflags       = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -D
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+cdp,../:,+cdp,./:,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/pa-risc2.o
 $des_obj      = 
@@ -2495,7 +2495,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2506,7 +2506,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2520,7 +2520,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2531,7 +2531,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -O3
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2545,7 +2545,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2556,7 +2556,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2570,7 +2570,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2581,7 +2581,7 @@ $cflags       = -DB_ENDIAN -DBN_DIV2W -O3
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -Wl,+s -ldld
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldld
 $bn_ops       = BN_LLONG DES_PTR DES_UNROLL DES_RISC1
 $bn_obj       = 
 $des_obj      = 
@@ -2595,7 +2595,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2606,7 +2606,7 @@ $cflags       = -Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -ldl
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/ia64-cpp.o
 $des_obj      = 
@@ -2618,9 +2618,9 @@ $rc4_obj      = asm/rc4-ia64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= hpux64-shared
+$shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = +DD64 -b
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2631,7 +2631,7 @@ $cflags       = -Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -ldl
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = 
 $des_obj      = 
@@ -2643,9 +2643,9 @@ $rc4_obj      =
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= hpux64-shared
+$shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = +DD64 -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2656,7 +2656,7 @@ $cflags       = -DB_ENDIAN -DMD32_XARRAY
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -ldl
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = 
 $des_obj      = 
@@ -2668,9 +2668,9 @@ $rc4_obj      =
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= hpux64-shared
+$shared_target= hpux-shared
 $shared_cflag = -fpic
-$shared_ldflag = 
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2681,7 +2681,7 @@ $cflags       = +DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XAR
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -ldl
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/pa-risc2W.o
 $des_obj      = 
@@ -2693,9 +2693,9 @@ $rc4_obj      =
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= hpux64-shared
+$shared_target= hpux-shared
 $shared_cflag = +Z
-$shared_ldflag = 
+$shared_ldflag = +DD64 -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2706,7 +2706,7 @@ $cflags       = -O3 -DB_ENDIAN -DMD32_XARRAY
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -ldl
+$lflags       = -Wl,+s,+b,$(INSTALLTOP)/lib -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = asm/pa-risc2W.o
 $des_obj      = 
@@ -2718,9 +2718,9 @@ $rc4_obj      =
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= hpux64-shared
-$shared_cflag = -fpic
-$shared_ldflag = 
+$shared_target= hpux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -3075,31 +3075,6 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

-*** linux-em64t
-$cc           = gcc
-$cflags       = -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int
-$unistd       = 
-$thread_cflag = -D_REENTRANT
-$sys_id       = 
-$lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL
-$bn_obj       = asm/x86_64-gcc.o
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = dlfcn
-$shared_target= linux-shared
-$shared_cflag = -fPIC
-$shared_ldflag = -m64
-$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$ranlib       = 
-$arflags      = 
-
 *** linux-ia64
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
@@ -3507,14 +3482,14 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL
 $bn_obj       = asm/x86_64-gcc.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
-$rc4_obj      = asm/rc4-amd64.o
+$rc4_obj      = asm/rc4-x86_64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
@@ -3552,12 +3527,12 @@ $arflags      =

 *** mingw
 $cc           = gcc
-$cflags       = -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall
+$cflags       = -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall -D_WIN32_WINNT=0x333
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MINGW32
 $lflags       = -lwsock32 -lgdi32
-$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT EXPORT_VAR_AS_FN
 $bn_obj       = asm/bn86-out.o asm/co86-out.o
 $des_obj      = asm/dx86-out.o asm/yx86-out.o
 $bf_obj       = asm/bx86-out.o
@@ -3571,7 +3546,7 @@ $dso_scheme   = win32
 $shared_target= cygwin-shared
 $shared_cflag = -D_WINDLL
 $shared_ldflag = -mno-cygwin
-$shared_extension = .dll
+$shared_extension = .dll.a
 $ranlib       = 
 $arflags      = 

@@ -3870,7 +3845,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -3895,7 +3870,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -3995,7 +3970,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -4070,7 +4045,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -4120,7 +4095,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = -xarch=v9
+$shared_ldflag = -xarch=v9 -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = /usr/ccs/bin/ar rs
 $arflags      = 
@@ -4182,7 +4157,7 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -lsocket -lnsl -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
@@ -4195,7 +4170,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = -xarch=amd64
+$shared_ldflag = -xarch=amd64 -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -4207,14 +4182,14 @@ $unistd       =
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -lsocket -lnsl -ldl
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL
 $bn_obj       = asm/x86_64-gcc.o
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
-$rc4_obj      = asm/rc4-amd64.o
+$rc4_obj      = asm/rc4-x86_64.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -143,7 +143,7 @@ $(DLIBCRYPTO):

 $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
-	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+	if [ "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
 	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
 	elif [ -z "$(SHARED_LIBS)" ]; then \
 	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -387,11 +387,15 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-pre") == 0)
 			{
 			argc--; argv++;
+			if (argc == 0)
+				goto skip_arg_loop;
 			sk_push(pre_cmds,*argv);
 			}
 		else if (strcmp(*argv,"-post") == 0)
 			{
 			argc--; argv++;
+			if (argc == 0)
+				goto skip_arg_loop;
 			sk_push(post_cmds,*argv);
 			}
 		else if ((strncmp(*argv,"-h",2) == 0) ||
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -250,8 +250,6 @@ int main(int Argc, char *Argv[])
 			EXIT(1);
 		}
 		in_FIPS_mode = 1;
-		if (getenv("OPENSSL_FIPS_MD5"))
-			FIPS_allow_md5(1);
 		}
 #endif
 	if (bio_err == NULL)
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1706,7 +1706,7 @@ show_res:
 				k,rsa_bits[k],rsa_results[k][0],
 				rsa_results[k][1]);
 		else
-			fprintf(stdout,"rsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+			fprintf(stdout,"rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
 				rsa_bits[k],rsa_results[k][0],rsa_results[k][1],
 				1.0/rsa_results[k][0],1.0/rsa_results[k][1]);
 		}
@@ -1725,7 +1725,7 @@ show_res:
 			fprintf(stdout,"+F3:%u:%u:%f:%f\n",
 				k,dsa_bits[k],dsa_results[k][0],dsa_results[k][1]);
 		else
-			fprintf(stdout,"dsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+			fprintf(stdout,"dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
 				dsa_bits[k],dsa_results[k][0],dsa_results[k][1],
 				1.0/dsa_results[k][0],1.0/dsa_results[k][1]);
 		}
--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
@@ -59,6 +59,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"

+#if !defined(OPENSSL_FIPS_AES_ASM)
 void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 		     const unsigned long length, const AES_KEY *key,
 		     unsigned char *ivec, const int enc) {
@@ -129,3 +130,4 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 		}
 	}
 }
+#endif
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -962,6 +962,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_DUP					 111
 #define ASN1_F_ASN1_ENUMERATED_SET			 112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN			 113
+#define ASN1_F_ASN1_FIND_END				 182
 #define ASN1_F_ASN1_GENERALIZEDTIME_SET			 178
 #define ASN1_F_ASN1_GET_OBJECT				 114
 #define ASN1_F_ASN1_HEADER_NEW				 115
@@ -1075,6 +1076,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_MISSING_SECOND_NUMBER			 138
 #define ASN1_R_MSTRING_NOT_UNIVERSAL			 139
 #define ASN1_R_MSTRING_WRONG_TAG			 140
+#define ASN1_R_NESTED_ASN1_STRING			 174
 #define ASN1_R_NON_HEX_CHARACTERS			 141
 #define ASN1_R_NOT_ENOUGH_DATA				 142
 #define ASN1_R_NO_MATCHING_CHOICE_TYPE			 143
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,169 +64,175 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASN1,0,reason)
+
 static ERR_STRING_DATA ASN1_str_functs[]=
 	{
-{ERR_PACK(0,ASN1_F_A2D_ASN1_OBJECT,0),	"a2d_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),	"a2i_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0),	"a2i_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),	"a2i_ASN1_STRING"},
-{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0),	"ASN1_BIT_STRING_set_bit"},
-{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),	"ASN1_CHECK_TLEN"},
-{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),	"ASN1_COLLATE_PRIMITIVE"},
-{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),	"ASN1_COLLECT"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),	"ASN1_d2i_bio"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),	"ASN1_D2I_EX_PRIMITIVE"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),	"ASN1_d2i_fp"},
-{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0),	"ASN1_digest"},
-{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),	"ASN1_DO_ADB"},
-{ERR_PACK(0,ASN1_F_ASN1_DUP,0),	"ASN1_dup"},
-{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),	"ASN1_ENUMERATED_set"},
-{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),	"ASN1_ENUMERATED_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0),	"ASN1_GENERALIZEDTIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),	"ASN1_get_object"},
-{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),	"ASN1_HEADER_new"},
-{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),	"ASN1_i2d_bio"},
-{ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0),	"ASN1_i2d_fp"},
-{ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0),	"ASN1_INTEGER_set"},
-{ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0),	"ASN1_INTEGER_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_ITEM_EX_D2I,0),	"ASN1_ITEM_EX_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_ITEM_NEW,0),	"ASN1_item_new"},
-{ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0),	"ASN1_mbstring_copy"},
-{ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0),	"ASN1_OBJECT_new"},
-{ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0),	"ASN1_pack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_PBE_SET,0),	"ASN1_PBE_SET"},
-{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),	"ASN1_seq_pack"},
-{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),	"ASN1_seq_unpack"},
-{ERR_PACK(0,ASN1_F_ASN1_SIGN,0),	"ASN1_sign"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0),	"ASN1_STRING_set"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),	"ASN1_STRING_TABLE_add"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),	"ASN1_STRING_type_new"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),	"ASN1_TEMPLATE_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),	"ASN1_TEMPLATE_EX_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),	"ASN1_TEMPLATE_NEW"},
-{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0),	"ASN1_TIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),	"ASN1_TYPE_get_int_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),	"ASN1_TYPE_get_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),	"ASN1_unpack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0),	"ASN1_UTCTIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),	"ASN1_verify"},
-{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),	"BN_to_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),	"BN_to_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_COLLECT_DATA,0),	"COLLECT_DATA"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),	"D2I_ASN1_BIT_STRING"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0),	"d2i_ASN1_BOOLEAN"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BYTES,0),	"d2i_ASN1_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0),	"D2I_ASN1_GENERALIZEDTIME"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0),	"d2i_ASN1_HEADER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0),	"D2I_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0),	"d2i_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_SET,0),	"d2i_ASN1_SET"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE_BYTES,0),	"d2i_ASN1_type_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UINTEGER,0),	"d2i_ASN1_UINTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0),	"D2I_ASN1_UTCTIME"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA,0),	"d2i_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),	"D2I_NETSCAPE_RSA_2"},
-{ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0),	"d2i_PrivateKey"},
-{ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0),	"d2i_PublicKey"},
-{ERR_PACK(0,ASN1_F_D2I_X509,0),	"D2I_X509"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),	"D2I_X509_CINF"},
-{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),	"D2I_X509_NAME"},
-{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0),	"i2d_ASN1_SET"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
-{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
-{ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
-{ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),	"i2d_RSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_LONG_C2I,0),	"LONG_C2I"},
-{ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0),	"OID_MODULE_INIT"},
-{ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),	"PKCS5_pbe2_set"},
-{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_NEW"},
-{ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0),	"X509_CRL_add0_revoked"},
-{ERR_PACK(0,ASN1_F_X509_INFO_NEW,0),	"X509_INFO_new"},
-{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0),	"X509_NAME_NEW"},
-{ERR_PACK(0,ASN1_F_X509_NEW,0),	"X509_NEW"},
-{ERR_PACK(0,ASN1_F_X509_PKEY_NEW,0),	"X509_PKEY_new"},
+{ERR_FUNC(ASN1_F_A2D_ASN1_OBJECT),	"a2d_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED),	"a2i_ASN1_ENUMERATED"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER),	"a2i_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_STRING),	"a2i_ASN1_STRING"},
+{ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT),	"ASN1_BIT_STRING_set_bit"},
+{ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN),	"ASN1_CHECK_TLEN"},
+{ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE),	"ASN1_COLLATE_PRIMITIVE"},
+{ERR_FUNC(ASN1_F_ASN1_COLLECT),	"ASN1_COLLECT"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_BIO),	"ASN1_d2i_bio"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE),	"ASN1_D2I_EX_PRIMITIVE"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_FP),	"ASN1_d2i_fp"},
+{ERR_FUNC(ASN1_F_ASN1_DIGEST),	"ASN1_digest"},
+{ERR_FUNC(ASN1_F_ASN1_DO_ADB),	"ASN1_DO_ADB"},
+{ERR_FUNC(ASN1_F_ASN1_DUP),	"ASN1_dup"},
+{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET),	"ASN1_ENUMERATED_set"},
+{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN),	"ASN1_ENUMERATED_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_FIND_END),	"ASN1_FIND_END"},
+{ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET),	"ASN1_GENERALIZEDTIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_GET_OBJECT),	"ASN1_get_object"},
+{ERR_FUNC(ASN1_F_ASN1_HEADER_NEW),	"ASN1_HEADER_new"},
+{ERR_FUNC(ASN1_F_ASN1_I2D_BIO),	"ASN1_i2d_bio"},
+{ERR_FUNC(ASN1_F_ASN1_I2D_FP),	"ASN1_i2d_fp"},
+{ERR_FUNC(ASN1_F_ASN1_INTEGER_SET),	"ASN1_INTEGER_set"},
+{ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN),	"ASN1_INTEGER_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I),	"ASN1_ITEM_EX_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_NEW),	"ASN1_item_new"},
+{ERR_FUNC(ASN1_F_ASN1_MBSTRING_COPY),	"ASN1_mbstring_copy"},
+{ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW),	"ASN1_OBJECT_new"},
+{ERR_FUNC(ASN1_F_ASN1_PACK_STRING),	"ASN1_pack_string"},
+{ERR_FUNC(ASN1_F_ASN1_PBE_SET),	"ASN1_PBE_SET"},
+{ERR_FUNC(ASN1_F_ASN1_SEQ_PACK),	"ASN1_seq_pack"},
+{ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK),	"ASN1_seq_unpack"},
+{ERR_FUNC(ASN1_F_ASN1_SIGN),	"ASN1_sign"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_SET),	"ASN1_STRING_set"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD),	"ASN1_STRING_TABLE_add"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW),	"ASN1_STRING_type_new"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_D2I),	"ASN1_TEMPLATE_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I),	"ASN1_TEMPLATE_EX_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW),	"ASN1_TEMPLATE_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_TIME_SET),	"ASN1_TIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING),	"ASN1_TYPE_get_int_octetstring"},
+{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING),	"ASN1_TYPE_get_octetstring"},
+{ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING),	"ASN1_unpack_string"},
+{ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET),	"ASN1_UTCTIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_VERIFY),	"ASN1_verify"},
+{ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),	"BN_to_ASN1_ENUMERATED"},
+{ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER),	"BN_to_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_COLLECT_DATA),	"COLLECT_DATA"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING),	"D2I_ASN1_BIT_STRING"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN),	"d2i_ASN1_BOOLEAN"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BYTES),	"d2i_ASN1_bytes"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_GENERALIZEDTIME),	"D2I_ASN1_GENERALIZEDTIME"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_HEADER),	"d2i_ASN1_HEADER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_INTEGER),	"D2I_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_OBJECT),	"d2i_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_SET),	"d2i_ASN1_SET"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_TYPE_BYTES),	"d2i_ASN1_type_bytes"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_UINTEGER),	"d2i_ASN1_UINTEGER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_UTCTIME),	"D2I_ASN1_UTCTIME"},
+{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA),	"d2i_Netscape_RSA"},
+{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2),	"D2I_NETSCAPE_RSA_2"},
+{ERR_FUNC(ASN1_F_D2I_PRIVATEKEY),	"d2i_PrivateKey"},
+{ERR_FUNC(ASN1_F_D2I_PUBLICKEY),	"d2i_PublicKey"},
+{ERR_FUNC(ASN1_F_D2I_X509),	"D2I_X509"},
+{ERR_FUNC(ASN1_F_D2I_X509_CINF),	"D2I_X509_CINF"},
+{ERR_FUNC(ASN1_F_D2I_X509_NAME),	"D2I_X509_NAME"},
+{ERR_FUNC(ASN1_F_D2I_X509_PKEY),	"d2i_X509_PKEY"},
+{ERR_FUNC(ASN1_F_I2D_ASN1_SET),	"i2d_ASN1_SET"},
+{ERR_FUNC(ASN1_F_I2D_ASN1_TIME),	"I2D_ASN1_TIME"},
+{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY),	"i2d_DSA_PUBKEY"},
+{ERR_FUNC(ASN1_F_I2D_NETSCAPE_RSA),	"i2d_Netscape_RSA"},
+{ERR_FUNC(ASN1_F_I2D_PRIVATEKEY),	"i2d_PrivateKey"},
+{ERR_FUNC(ASN1_F_I2D_PUBLICKEY),	"i2d_PublicKey"},
+{ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY),	"i2d_RSA_PUBKEY"},
+{ERR_FUNC(ASN1_F_LONG_C2I),	"LONG_C2I"},
+{ERR_FUNC(ASN1_F_OID_MODULE_INIT),	"OID_MODULE_INIT"},
+{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET),	"PKCS5_pbe2_set"},
+{ERR_FUNC(ASN1_F_X509_CINF_NEW),	"X509_CINF_NEW"},
+{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED),	"X509_CRL_add0_revoked"},
+{ERR_FUNC(ASN1_F_X509_INFO_NEW),	"X509_INFO_new"},
+{ERR_FUNC(ASN1_F_X509_NAME_NEW),	"X509_NAME_NEW"},
+{ERR_FUNC(ASN1_F_X509_NEW),	"X509_NEW"},
+{ERR_FUNC(ASN1_F_X509_PKEY_NEW),	"X509_PKEY_new"},
 {0,NULL}
 	};

 static ERR_STRING_DATA ASN1_str_reasons[]=
 	{
-{ASN1_R_ADDING_OBJECT                    ,"adding object"},
-{ASN1_R_AUX_ERROR                        ,"aux error"},
-{ASN1_R_BAD_CLASS                        ,"bad class"},
-{ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
-{ASN1_R_BAD_PASSWORD_READ                ,"bad password read"},
-{ASN1_R_BAD_TAG                          ,"bad tag"},
-{ASN1_R_BN_LIB                           ,"bn lib"},
-{ASN1_R_BOOLEAN_IS_WRONG_LENGTH          ,"boolean is wrong length"},
-{ASN1_R_BUFFER_TOO_SMALL                 ,"buffer too small"},
-{ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER  ,"cipher has no object identifier"},
-{ASN1_R_DATA_IS_WRONG                    ,"data is wrong"},
-{ASN1_R_DECODE_ERROR                     ,"decode error"},
-{ASN1_R_DECODING_ERROR                   ,"decoding error"},
-{ASN1_R_ENCODE_ERROR                     ,"encode error"},
-{ASN1_R_ERROR_GETTING_TIME               ,"error getting time"},
-{ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
-{ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
-{ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
-{ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
-{ASN1_R_EXPECTING_AN_OBJECT              ,"expecting an object"},
-{ASN1_R_EXPECTING_A_BOOLEAN              ,"expecting a boolean"},
-{ASN1_R_EXPECTING_A_TIME                 ,"expecting a time"},
-{ASN1_R_EXPLICIT_LENGTH_MISMATCH         ,"explicit length mismatch"},
-{ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED     ,"explicit tag not constructed"},
-{ASN1_R_FIELD_MISSING                    ,"field missing"},
-{ASN1_R_FIRST_NUM_TOO_LARGE              ,"first num too large"},
-{ASN1_R_HEADER_TOO_LONG                  ,"header too long"},
-{ASN1_R_ILLEGAL_CHARACTERS               ,"illegal characters"},
-{ASN1_R_ILLEGAL_NULL                     ,"illegal null"},
-{ASN1_R_ILLEGAL_OPTIONAL_ANY             ,"illegal optional any"},
-{ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE ,"illegal options on item template"},
-{ASN1_R_ILLEGAL_TAGGED_ANY               ,"illegal tagged any"},
-{ASN1_R_INTEGER_TOO_LARGE_FOR_LONG       ,"integer too large for long"},
-{ASN1_R_INVALID_BMPSTRING_LENGTH         ,"invalid bmpstring length"},
-{ASN1_R_INVALID_DIGIT                    ,"invalid digit"},
-{ASN1_R_INVALID_SEPARATOR                ,"invalid separator"},
-{ASN1_R_INVALID_TIME_FORMAT              ,"invalid time format"},
-{ASN1_R_INVALID_UNIVERSALSTRING_LENGTH   ,"invalid universalstring length"},
-{ASN1_R_INVALID_UTF8STRING               ,"invalid utf8string"},
-{ASN1_R_IV_TOO_LARGE                     ,"iv too large"},
-{ASN1_R_LENGTH_ERROR                     ,"length error"},
-{ASN1_R_MISSING_EOC                      ,"missing eoc"},
-{ASN1_R_MISSING_SECOND_NUMBER            ,"missing second number"},
-{ASN1_R_MSTRING_NOT_UNIVERSAL            ,"mstring not universal"},
-{ASN1_R_MSTRING_WRONG_TAG                ,"mstring wrong tag"},
-{ASN1_R_NON_HEX_CHARACTERS               ,"non hex characters"},
-{ASN1_R_NOT_ENOUGH_DATA                  ,"not enough data"},
-{ASN1_R_NO_MATCHING_CHOICE_TYPE          ,"no matching choice type"},
-{ASN1_R_NULL_IS_WRONG_LENGTH             ,"null is wrong length"},
-{ASN1_R_ODD_NUMBER_OF_CHARS              ,"odd number of chars"},
-{ASN1_R_PRIVATE_KEY_HEADER_MISSING       ,"private key header missing"},
-{ASN1_R_SECOND_NUMBER_TOO_LARGE          ,"second number too large"},
-{ASN1_R_SEQUENCE_LENGTH_MISMATCH         ,"sequence length mismatch"},
-{ASN1_R_SEQUENCE_NOT_CONSTRUCTED         ,"sequence not constructed"},
-{ASN1_R_SHORT_LINE                       ,"short line"},
-{ASN1_R_STRING_TOO_LONG                  ,"string too long"},
-{ASN1_R_STRING_TOO_SHORT                 ,"string too short"},
-{ASN1_R_TAG_VALUE_TOO_HIGH               ,"tag value too high"},
-{ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
-{ASN1_R_TOO_LONG                         ,"too long"},
-{ASN1_R_TYPE_NOT_CONSTRUCTED             ,"type not constructed"},
-{ASN1_R_UNABLE_TO_DECODE_RSA_KEY         ,"unable to decode rsa key"},
-{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
-{ASN1_R_UNEXPECTED_EOC                   ,"unexpected eoc"},
-{ASN1_R_UNKNOWN_FORMAT                   ,"unknown format"},
-{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
-{ASN1_R_UNKNOWN_OBJECT_TYPE              ,"unknown object type"},
-{ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE          ,"unknown public key type"},
-{ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE  ,"unsupported any defined by type"},
-{ASN1_R_UNSUPPORTED_CIPHER               ,"unsupported cipher"},
-{ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM ,"unsupported encryption algorithm"},
-{ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE      ,"unsupported public key type"},
-{ASN1_R_WRONG_TAG                        ,"wrong tag"},
-{ASN1_R_WRONG_TYPE                       ,"wrong type"},
+{ERR_REASON(ASN1_R_ADDING_OBJECT)        ,"adding object"},
+{ERR_REASON(ASN1_R_AUX_ERROR)            ,"aux error"},
+{ERR_REASON(ASN1_R_BAD_CLASS)            ,"bad class"},
+{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
+{ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
+{ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
+{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
+{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
+{ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
+{ERR_REASON(ASN1_R_DATA_IS_WRONG)        ,"data is wrong"},
+{ERR_REASON(ASN1_R_DECODE_ERROR)         ,"decode error"},
+{ERR_REASON(ASN1_R_DECODING_ERROR)       ,"decoding error"},
+{ERR_REASON(ASN1_R_ENCODE_ERROR)         ,"encode error"},
+{ERR_REASON(ASN1_R_ERROR_GETTING_TIME)   ,"error getting time"},
+{ERR_REASON(ASN1_R_ERROR_LOADING_SECTION),"error loading section"},
+{ERR_REASON(ASN1_R_ERROR_PARSING_SET_ELEMENT),"error parsing set element"},
+{ERR_REASON(ASN1_R_ERROR_SETTING_CIPHER_PARAMS),"error setting cipher params"},
+{ERR_REASON(ASN1_R_EXPECTING_AN_INTEGER) ,"expecting an integer"},
+{ERR_REASON(ASN1_R_EXPECTING_AN_OBJECT)  ,"expecting an object"},
+{ERR_REASON(ASN1_R_EXPECTING_A_BOOLEAN)  ,"expecting a boolean"},
+{ERR_REASON(ASN1_R_EXPECTING_A_TIME)     ,"expecting a time"},
+{ERR_REASON(ASN1_R_EXPLICIT_LENGTH_MISMATCH),"explicit length mismatch"},
+{ERR_REASON(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED),"explicit tag not constructed"},
+{ERR_REASON(ASN1_R_FIELD_MISSING)        ,"field missing"},
+{ERR_REASON(ASN1_R_FIRST_NUM_TOO_LARGE)  ,"first num too large"},
+{ERR_REASON(ASN1_R_HEADER_TOO_LONG)      ,"header too long"},
+{ERR_REASON(ASN1_R_ILLEGAL_CHARACTERS)   ,"illegal characters"},
+{ERR_REASON(ASN1_R_ILLEGAL_NULL)         ,"illegal null"},
+{ERR_REASON(ASN1_R_ILLEGAL_OPTIONAL_ANY) ,"illegal optional any"},
+{ERR_REASON(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE),"illegal options on item template"},
+{ERR_REASON(ASN1_R_ILLEGAL_TAGGED_ANY)   ,"illegal tagged any"},
+{ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
+{ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
+{ERR_REASON(ASN1_R_INVALID_SEPARATOR)    ,"invalid separator"},
+{ERR_REASON(ASN1_R_INVALID_TIME_FORMAT)  ,"invalid time format"},
+{ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),"invalid universalstring length"},
+{ERR_REASON(ASN1_R_INVALID_UTF8STRING)   ,"invalid utf8string"},
+{ERR_REASON(ASN1_R_IV_TOO_LARGE)         ,"iv too large"},
+{ERR_REASON(ASN1_R_LENGTH_ERROR)         ,"length error"},
+{ERR_REASON(ASN1_R_MISSING_EOC)          ,"missing eoc"},
+{ERR_REASON(ASN1_R_MISSING_SECOND_NUMBER),"missing second number"},
+{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL),"mstring not universal"},
+{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG)    ,"mstring wrong tag"},
+{ERR_REASON(ASN1_R_NESTED_ASN1_STRING)   ,"nested asn1 string"},
+{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS)   ,"non hex characters"},
+{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA)      ,"not enough data"},
+{ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE),"no matching choice type"},
+{ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH) ,"null is wrong length"},
+{ERR_REASON(ASN1_R_ODD_NUMBER_OF_CHARS)  ,"odd number of chars"},
+{ERR_REASON(ASN1_R_PRIVATE_KEY_HEADER_MISSING),"private key header missing"},
+{ERR_REASON(ASN1_R_SECOND_NUMBER_TOO_LARGE),"second number too large"},
+{ERR_REASON(ASN1_R_SEQUENCE_LENGTH_MISMATCH),"sequence length mismatch"},
+{ERR_REASON(ASN1_R_SEQUENCE_NOT_CONSTRUCTED),"sequence not constructed"},
+{ERR_REASON(ASN1_R_SHORT_LINE)           ,"short line"},
+{ERR_REASON(ASN1_R_STRING_TOO_LONG)      ,"string too long"},
+{ERR_REASON(ASN1_R_STRING_TOO_SHORT)     ,"string too short"},
+{ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH)   ,"tag value too high"},
+{ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
+{ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
+{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
+{ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
+{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
+{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},
+{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),"unsupported public key type"},
+{ERR_REASON(ASN1_R_WRONG_TAG)            ,"wrong tag"},
+{ERR_REASON(ASN1_R_WRONG_TYPE)           ,"wrong type"},
 {0,NULL}
 	};

@@ -240,8 +246,8 @@ void ERR_load_ASN1_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_ASN1,ASN1_str_functs);
-		ERR_load_strings(ERR_LIB_ASN1,ASN1_str_reasons);
+		ERR_load_strings(0,ASN1_str_functs);
+		ERR_load_strings(0,ASN1_str_reasons);
 #endif

 		}
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -66,6 +66,7 @@
 #include <openssl/err.h>

 static int asn1_check_eoc(unsigned char **in, long len);
+static int asn1_find_end(unsigned char **in, long len, char inf);
 static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass);
 static int collect_data(BUF_MEM *buf, unsigned char **p, long plen);
 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
@@ -644,7 +645,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
 		cont = *in;
 		/* If indefinite length constructed find the real end */
 		if(inf) {
-			if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err;
+			if(!asn1_find_end(&p, plen, inf)) goto err;
 			len = p - cont;
 		} else {
 			len = p - cont + plen;
@@ -807,12 +808,66 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
 	return ret;
 }

+/* This function finds the end of an ASN1 structure when passed its maximum
+ * length, whether it is indefinite length and a pointer to the content.
+ * This is more efficient than calling asn1_collect because it does not
+ * recurse on each indefinite length header.
+ */
+
+static int asn1_find_end(unsigned char **in, long len, char inf)
+	{
+	int expected_eoc;
+	long plen;
+	unsigned char *p = *in, *q;
+	/* If not indefinite length constructed just add length */
+	if (inf == 0)
+		{
+		*in += len;
+		return 1;
+		}
+	expected_eoc = 1;
+	/* Indefinite length constructed form. Find the end when enough EOCs
+	 * are found. If more indefinite length constructed headers
+	 * are encountered increment the expected eoc count otherwise justi
+	 * skip to the end of the data.
+	 */
+	while (len > 0)
+		{
+		if(asn1_check_eoc(&p, len))
+			{
+			expected_eoc--;
+			if (expected_eoc == 0)
+				break;
+			len -= 2;
+			continue;
+			}
+		q = p;
+		/* Just read in a header: only care about the length */
+		if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
+				-1, 0, 0, NULL))
+			{
+			ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
+			return 0;
+			}
+		if (inf)
+			expected_eoc++;
+		else
+			p += plen;
+		len -= p - q;
+		}
+	if (expected_eoc)
+		{
+		ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC);
+		return 0;
+		}
+	*in = p;
+	return 1;
+	}
+
 /* This function collects the asn1 data from a constructred string
 * type into a buffer. The values of 'in' and 'len' should refer
 * to the contents of the constructed type and 'inf' should be set
- * if it is indefinite length. If 'buf' is NULL then we just want
- * to find the end of the current structure: useful for indefinite
- * length constructed stuff.
+ * if it is indefinite length.
 */

 static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass)
@@ -822,11 +877,6 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in
 	char cst, ininf;
 	p = *in;
 	inf &= 1;
-	/* If no buffer and not indefinite length constructed just pass over the encoded data */
-	if(!buf && !inf) {
-		*in += len;
-		return 1;
-	}
 	while(len > 0) {
 		q = p;
 		/* Check for EOC */
@@ -845,7 +895,13 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in
 		}
 		/* If indefinite length constructed update max length */
 		if(cst) {
-			if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0;
+#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS
+			if (!asn1_collect(buf, &p, plen, ininf, tag, aclass))
+				return 0;
+#else
+			ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
+			return 0;
+#endif
 		} else {
 			if(!collect_data(buf, &p, plen)) return 0;
 		}
--- a/crypto/bf/Makefile
+++ b/crypto/bf/Makefile
@@ -110,7 +110,7 @@ bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h
 bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
 bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c
 bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/crypto.h
-bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-bf_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bf_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bf_skey.o: bf_locl.h bf_pi.h bf_skey.c
+bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/fips.h
+bf_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bf_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bf_skey.o: ../../include/openssl/symhacks.h bf_locl.h bf_pi.h bf_skey.c
--- a/crypto/bf/bf_skey.c
+++ b/crypto/bf/bf_skey.c
@@ -60,6 +60,7 @@
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/blowfish.h>
+#include <openssl/fips.h>
 #include "bf_locl.h"
 #include "bf_pi.h"

--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -576,7 +576,7 @@ abs_val(LDOUBLE value)
 }

 static LDOUBLE
-pow10(int in_exp)
+pow_10(int in_exp)
 {
    LDOUBLE result = 1;
    while (in_exp) {
@@ -639,11 +639,11 @@ fmtfp(

    /* we "cheat" by converting the fractional part to integer by
       multiplying by a factor of 10 */
-    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
+    fracpart = roundv((pow_10(max)) * (ufvalue - intpart));

-    if (fracpart >= (long)pow10(max)) {
+    if (fracpart >= (long)pow_10(max)) {
        intpart++;
-        fracpart -= (long)pow10(max);
+        fracpart -= (long)pow_10(max);
    }

    /* convert integer part */
--- a/crypto/bio/bio_err.c
+++ b/crypto/bio/bio_err.c
@@ -1,6 +1,6 @@
 /* crypto/bio/bio_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,73 +64,77 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BIO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BIO,0,reason)
+
 static ERR_STRING_DATA BIO_str_functs[]=
 	{
-{ERR_PACK(0,BIO_F_ACPT_STATE,0),	"ACPT_STATE"},
-{ERR_PACK(0,BIO_F_BIO_ACCEPT,0),	"BIO_accept"},
-{ERR_PACK(0,BIO_F_BIO_BER_GET_HEADER,0),	"BIO_BER_GET_HEADER"},
-{ERR_PACK(0,BIO_F_BIO_CTRL,0),	"BIO_ctrl"},
-{ERR_PACK(0,BIO_F_BIO_GETHOSTBYNAME,0),	"BIO_gethostbyname"},
-{ERR_PACK(0,BIO_F_BIO_GETS,0),	"BIO_gets"},
-{ERR_PACK(0,BIO_F_BIO_GET_ACCEPT_SOCKET,0),	"BIO_get_accept_socket"},
-{ERR_PACK(0,BIO_F_BIO_GET_HOST_IP,0),	"BIO_get_host_ip"},
-{ERR_PACK(0,BIO_F_BIO_GET_PORT,0),	"BIO_get_port"},
-{ERR_PACK(0,BIO_F_BIO_MAKE_PAIR,0),	"BIO_MAKE_PAIR"},
-{ERR_PACK(0,BIO_F_BIO_NEW,0),	"BIO_new"},
-{ERR_PACK(0,BIO_F_BIO_NEW_FILE,0),	"BIO_new_file"},
-{ERR_PACK(0,BIO_F_BIO_NEW_MEM_BUF,0),	"BIO_new_mem_buf"},
-{ERR_PACK(0,BIO_F_BIO_NREAD,0),	"BIO_nread"},
-{ERR_PACK(0,BIO_F_BIO_NREAD0,0),	"BIO_nread0"},
-{ERR_PACK(0,BIO_F_BIO_NWRITE,0),	"BIO_nwrite"},
-{ERR_PACK(0,BIO_F_BIO_NWRITE0,0),	"BIO_nwrite0"},
-{ERR_PACK(0,BIO_F_BIO_PUTS,0),	"BIO_puts"},
-{ERR_PACK(0,BIO_F_BIO_READ,0),	"BIO_read"},
-{ERR_PACK(0,BIO_F_BIO_SOCK_INIT,0),	"BIO_sock_init"},
-{ERR_PACK(0,BIO_F_BIO_WRITE,0),	"BIO_write"},
-{ERR_PACK(0,BIO_F_BUFFER_CTRL,0),	"BUFFER_CTRL"},
-{ERR_PACK(0,BIO_F_CONN_CTRL,0),	"CONN_CTRL"},
-{ERR_PACK(0,BIO_F_CONN_STATE,0),	"CONN_STATE"},
-{ERR_PACK(0,BIO_F_FILE_CTRL,0),	"FILE_CTRL"},
-{ERR_PACK(0,BIO_F_FILE_READ,0),	"FILE_READ"},
-{ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),	"LINEBUFFER_CTRL"},
-{ERR_PACK(0,BIO_F_MEM_READ,0),	"MEM_READ"},
-{ERR_PACK(0,BIO_F_MEM_WRITE,0),	"MEM_WRITE"},
-{ERR_PACK(0,BIO_F_SSL_NEW,0),	"SSL_new"},
-{ERR_PACK(0,BIO_F_WSASTARTUP,0),	"WSASTARTUP"},
+{ERR_FUNC(BIO_F_ACPT_STATE),	"ACPT_STATE"},
+{ERR_FUNC(BIO_F_BIO_ACCEPT),	"BIO_accept"},
+{ERR_FUNC(BIO_F_BIO_BER_GET_HEADER),	"BIO_BER_GET_HEADER"},
+{ERR_FUNC(BIO_F_BIO_CTRL),	"BIO_ctrl"},
+{ERR_FUNC(BIO_F_BIO_GETHOSTBYNAME),	"BIO_gethostbyname"},
+{ERR_FUNC(BIO_F_BIO_GETS),	"BIO_gets"},
+{ERR_FUNC(BIO_F_BIO_GET_ACCEPT_SOCKET),	"BIO_get_accept_socket"},
+{ERR_FUNC(BIO_F_BIO_GET_HOST_IP),	"BIO_get_host_ip"},
+{ERR_FUNC(BIO_F_BIO_GET_PORT),	"BIO_get_port"},
+{ERR_FUNC(BIO_F_BIO_MAKE_PAIR),	"BIO_MAKE_PAIR"},
+{ERR_FUNC(BIO_F_BIO_NEW),	"BIO_new"},
+{ERR_FUNC(BIO_F_BIO_NEW_FILE),	"BIO_new_file"},
+{ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF),	"BIO_new_mem_buf"},
+{ERR_FUNC(BIO_F_BIO_NREAD),	"BIO_nread"},
+{ERR_FUNC(BIO_F_BIO_NREAD0),	"BIO_nread0"},
+{ERR_FUNC(BIO_F_BIO_NWRITE),	"BIO_nwrite"},
+{ERR_FUNC(BIO_F_BIO_NWRITE0),	"BIO_nwrite0"},
+{ERR_FUNC(BIO_F_BIO_PUTS),	"BIO_puts"},
+{ERR_FUNC(BIO_F_BIO_READ),	"BIO_read"},
+{ERR_FUNC(BIO_F_BIO_SOCK_INIT),	"BIO_sock_init"},
+{ERR_FUNC(BIO_F_BIO_WRITE),	"BIO_write"},
+{ERR_FUNC(BIO_F_BUFFER_CTRL),	"BUFFER_CTRL"},
+{ERR_FUNC(BIO_F_CONN_CTRL),	"CONN_CTRL"},
+{ERR_FUNC(BIO_F_CONN_STATE),	"CONN_STATE"},
+{ERR_FUNC(BIO_F_FILE_CTRL),	"FILE_CTRL"},
+{ERR_FUNC(BIO_F_FILE_READ),	"FILE_READ"},
+{ERR_FUNC(BIO_F_LINEBUFFER_CTRL),	"LINEBUFFER_CTRL"},
+{ERR_FUNC(BIO_F_MEM_READ),	"MEM_READ"},
+{ERR_FUNC(BIO_F_MEM_WRITE),	"MEM_WRITE"},
+{ERR_FUNC(BIO_F_SSL_NEW),	"SSL_new"},
+{ERR_FUNC(BIO_F_WSASTARTUP),	"WSASTARTUP"},
 {0,NULL}
 	};

 static ERR_STRING_DATA BIO_str_reasons[]=
 	{
-{BIO_R_ACCEPT_ERROR                      ,"accept error"},
-{BIO_R_BAD_FOPEN_MODE                    ,"bad fopen mode"},
-{BIO_R_BAD_HOSTNAME_LOOKUP               ,"bad hostname lookup"},
-{BIO_R_BROKEN_PIPE                       ,"broken pipe"},
-{BIO_R_CONNECT_ERROR                     ,"connect error"},
-{BIO_R_EOF_ON_MEMORY_BIO                 ,"EOF on memory BIO"},
-{BIO_R_ERROR_SETTING_NBIO                ,"error setting nbio"},
-{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET,"error setting nbio on accepted socket"},
-{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET,"error setting nbio on accept socket"},
-{BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET ,"gethostbyname addr is not af inet"},
-{BIO_R_INVALID_ARGUMENT                  ,"invalid argument"},
-{BIO_R_INVALID_IP_ADDRESS                ,"invalid ip address"},
-{BIO_R_IN_USE                            ,"in use"},
-{BIO_R_KEEPALIVE                         ,"keepalive"},
-{BIO_R_NBIO_CONNECT_ERROR                ,"nbio connect error"},
-{BIO_R_NO_ACCEPT_PORT_SPECIFIED          ,"no accept port specified"},
-{BIO_R_NO_HOSTNAME_SPECIFIED             ,"no hostname specified"},
-{BIO_R_NO_PORT_DEFINED                   ,"no port defined"},
-{BIO_R_NO_PORT_SPECIFIED                 ,"no port specified"},
-{BIO_R_NO_SUCH_FILE                      ,"no such file"},
-{BIO_R_NULL_PARAMETER                    ,"null parameter"},
-{BIO_R_TAG_MISMATCH                      ,"tag mismatch"},
-{BIO_R_UNABLE_TO_BIND_SOCKET             ,"unable to bind socket"},
-{BIO_R_UNABLE_TO_CREATE_SOCKET           ,"unable to create socket"},
-{BIO_R_UNABLE_TO_LISTEN_SOCKET           ,"unable to listen socket"},
-{BIO_R_UNINITIALIZED                     ,"uninitialized"},
-{BIO_R_UNSUPPORTED_METHOD                ,"unsupported method"},
-{BIO_R_WRITE_TO_READ_ONLY_BIO            ,"write to read only BIO"},
-{BIO_R_WSASTARTUP                        ,"WSAStartup"},
+{ERR_REASON(BIO_R_ACCEPT_ERROR)          ,"accept error"},
+{ERR_REASON(BIO_R_BAD_FOPEN_MODE)        ,"bad fopen mode"},
+{ERR_REASON(BIO_R_BAD_HOSTNAME_LOOKUP)   ,"bad hostname lookup"},
+{ERR_REASON(BIO_R_BROKEN_PIPE)           ,"broken pipe"},
+{ERR_REASON(BIO_R_CONNECT_ERROR)         ,"connect error"},
+{ERR_REASON(BIO_R_EOF_ON_MEMORY_BIO)     ,"EOF on memory BIO"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO)    ,"error setting nbio"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET),"error setting nbio on accepted socket"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET),"error setting nbio on accept socket"},
+{ERR_REASON(BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET),"gethostbyname addr is not af inet"},
+{ERR_REASON(BIO_R_INVALID_ARGUMENT)      ,"invalid argument"},
+{ERR_REASON(BIO_R_INVALID_IP_ADDRESS)    ,"invalid ip address"},
+{ERR_REASON(BIO_R_IN_USE)                ,"in use"},
+{ERR_REASON(BIO_R_KEEPALIVE)             ,"keepalive"},
+{ERR_REASON(BIO_R_NBIO_CONNECT_ERROR)    ,"nbio connect error"},
+{ERR_REASON(BIO_R_NO_ACCEPT_PORT_SPECIFIED),"no accept port specified"},
+{ERR_REASON(BIO_R_NO_HOSTNAME_SPECIFIED) ,"no hostname specified"},
+{ERR_REASON(BIO_R_NO_PORT_DEFINED)       ,"no port defined"},
+{ERR_REASON(BIO_R_NO_PORT_SPECIFIED)     ,"no port specified"},
+{ERR_REASON(BIO_R_NO_SUCH_FILE)          ,"no such file"},
+{ERR_REASON(BIO_R_NULL_PARAMETER)        ,"null parameter"},
+{ERR_REASON(BIO_R_TAG_MISMATCH)          ,"tag mismatch"},
+{ERR_REASON(BIO_R_UNABLE_TO_BIND_SOCKET) ,"unable to bind socket"},
+{ERR_REASON(BIO_R_UNABLE_TO_CREATE_SOCKET),"unable to create socket"},
+{ERR_REASON(BIO_R_UNABLE_TO_LISTEN_SOCKET),"unable to listen socket"},
+{ERR_REASON(BIO_R_UNINITIALIZED)         ,"uninitialized"},
+{ERR_REASON(BIO_R_UNSUPPORTED_METHOD)    ,"unsupported method"},
+{ERR_REASON(BIO_R_WRITE_TO_READ_ONLY_BIO),"write to read only BIO"},
+{ERR_REASON(BIO_R_WSASTARTUP)            ,"WSAStartup"},
 {0,NULL}
 	};

@@ -144,8 +148,8 @@ void ERR_load_BIO_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BIO,BIO_str_functs);
-		ERR_load_strings(ERR_LIB_BIO,BIO_str_reasons);
+		ERR_load_strings(0,BIO_str_functs);
+		ERR_load_strings(0,BIO_str_reasons);
 #endif

 		}
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_C_DO_STATE_MACHINE:
 		/* use this one to start the connection */
-		if (!data->state != BIO_CONN_S_OK)
+		if (!(data->state != BIO_CONN_S_OK))
 			ret=(long)conn_state(b,data);
 		else
 			ret=1;
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -225,10 +225,21 @@ extern "C" {

 #define BN_FLG_MALLOCED		0x01
 #define BN_FLG_STATIC_DATA	0x02
+#define BN_FLG_EXP_CONSTTIME	0x04 /* avoid leaking exponent information through timings
+                            	      * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
 #define BN_FLG_FREE		0x8000	/* used for debuging */
 #define BN_set_flags(b,n)	((b)->flags|=(n))
 #define BN_get_flags(b,n)	((b)->flags&(n))

+#define BN_with_flags(dest,b,n)  ((dest)->d=(b)->d, \
+                                  (dest)->top=(b)->top, \
+                                  (dest)->dmax=(b)->dmax, \
+                                  (dest)->neg=(b)->neg, \
+                                  (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
+                                                 |  ((b)->flags & ~BN_FLG_MALLOCED) \
+                                                 |  BN_FLG_STATIC_DATA \
+                                                 |  (n)))
+
 typedef struct bignum_st
 	{
 	BN_ULONG *d;	/* Pointer to an array of 'BN_BITS2' bit chunks. */
@@ -378,6 +389,8 @@ int	BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	const BIGNUM *m,BN_CTX *ctx);
 int	BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
 int	BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
 	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int	BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
@@ -434,6 +447,8 @@ int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
 int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+					const BIGNUM *mod, BN_CTX *ctx);

 BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
 void BN_BLINDING_free(BN_BLINDING *b);
@@ -510,11 +525,15 @@ void ERR_load_BN_strings(void);
 #define BN_F_BN_CTX_GET					 116
 #define BN_F_BN_CTX_NEW					 106
 #define BN_F_BN_DIV					 107
+#define BN_F_BN_EXP					 123
 #define BN_F_BN_EXPAND2					 108
 #define BN_F_BN_EXPAND_INTERNAL				 120
 #define BN_F_BN_MOD_EXP2_MONT				 118
 #define BN_F_BN_MOD_EXP_MONT				 109
+#define BN_F_BN_MOD_EXP_MONT_CONSTTIME			 124
 #define BN_F_BN_MOD_EXP_MONT_WORD			 117
+#define BN_F_BN_MOD_EXP_RECP				 125
+#define BN_F_BN_MOD_EXP_SIMPLE				 126
 #define BN_F_BN_MOD_INVERSE				 110
 #define BN_F_BN_MOD_LSHIFT_QUICK			 119
 #define BN_F_BN_MOD_MUL_RECIPROCAL			 111
--- a/crypto/bn/bn_err.c
+++ b/crypto/bn/bn_err.c
@@ -1,6 +1,6 @@
 /* crypto/bn/bn_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,52 +64,60 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason)
+
 static ERR_STRING_DATA BN_str_functs[]=
 	{
-{ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0),	"BN_BLINDING_convert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_INVERT,0),	"BN_BLINDING_invert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_NEW,0),	"BN_BLINDING_new"},
-{ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0),	"BN_BLINDING_update"},
-{ERR_PACK(0,BN_F_BN_BN2DEC,0),	"BN_bn2dec"},
-{ERR_PACK(0,BN_F_BN_BN2HEX,0),	"BN_bn2hex"},
-{ERR_PACK(0,BN_F_BN_CTX_GET,0),	"BN_CTX_get"},
-{ERR_PACK(0,BN_F_BN_CTX_NEW,0),	"BN_CTX_new"},
-{ERR_PACK(0,BN_F_BN_DIV,0),	"BN_div"},
-{ERR_PACK(0,BN_F_BN_EXPAND2,0),	"bn_expand2"},
-{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0),	"BN_EXPAND_INTERNAL"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0),	"BN_mod_exp2_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0),	"BN_mod_exp_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0),	"BN_mod_exp_mont_word"},
-{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0),	"BN_mod_inverse"},
-{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0),	"BN_mod_lshift_quick"},
-{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0),	"BN_mod_mul_reciprocal"},
-{ERR_PACK(0,BN_F_BN_MOD_SQRT,0),	"BN_mod_sqrt"},
-{ERR_PACK(0,BN_F_BN_MPI2BN,0),	"BN_mpi2bn"},
-{ERR_PACK(0,BN_F_BN_NEW,0),	"BN_new"},
-{ERR_PACK(0,BN_F_BN_RAND,0),	"BN_rand"},
-{ERR_PACK(0,BN_F_BN_RAND_RANGE,0),	"BN_rand_range"},
-{ERR_PACK(0,BN_F_BN_USUB,0),	"BN_usub"},
+{ERR_FUNC(BN_F_BN_BLINDING_CONVERT),	"BN_BLINDING_convert"},
+{ERR_FUNC(BN_F_BN_BLINDING_INVERT),	"BN_BLINDING_invert"},
+{ERR_FUNC(BN_F_BN_BLINDING_NEW),	"BN_BLINDING_new"},
+{ERR_FUNC(BN_F_BN_BLINDING_UPDATE),	"BN_BLINDING_update"},
+{ERR_FUNC(BN_F_BN_BN2DEC),	"BN_bn2dec"},
+{ERR_FUNC(BN_F_BN_BN2HEX),	"BN_bn2hex"},
+{ERR_FUNC(BN_F_BN_CTX_GET),	"BN_CTX_get"},
+{ERR_FUNC(BN_F_BN_CTX_NEW),	"BN_CTX_new"},
+{ERR_FUNC(BN_F_BN_DIV),	"BN_div"},
+{ERR_FUNC(BN_F_BN_EXP),	"BN_exp"},
+{ERR_FUNC(BN_F_BN_EXPAND2),	"bn_expand2"},
+{ERR_FUNC(BN_F_BN_EXPAND_INTERNAL),	"BN_EXPAND_INTERNAL"},
+{ERR_FUNC(BN_F_BN_MOD_EXP2_MONT),	"BN_mod_exp2_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT),	"BN_mod_exp_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME),	"BN_mod_exp_mont_consttime"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_WORD),	"BN_mod_exp_mont_word"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_RECP),	"BN_mod_exp_recp"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_SIMPLE),	"BN_mod_exp_simple"},
+{ERR_FUNC(BN_F_BN_MOD_INVERSE),	"BN_mod_inverse"},
+{ERR_FUNC(BN_F_BN_MOD_LSHIFT_QUICK),	"BN_mod_lshift_quick"},
+{ERR_FUNC(BN_F_BN_MOD_MUL_RECIPROCAL),	"BN_mod_mul_reciprocal"},
+{ERR_FUNC(BN_F_BN_MOD_SQRT),	"BN_mod_sqrt"},
+{ERR_FUNC(BN_F_BN_MPI2BN),	"BN_mpi2bn"},
+{ERR_FUNC(BN_F_BN_NEW),	"BN_new"},
+{ERR_FUNC(BN_F_BN_RAND),	"BN_rand"},
+{ERR_FUNC(BN_F_BN_RAND_RANGE),	"BN_rand_range"},
+{ERR_FUNC(BN_F_BN_USUB),	"BN_usub"},
 {0,NULL}
 	};

 static ERR_STRING_DATA BN_str_reasons[]=
 	{
-{BN_R_ARG2_LT_ARG3                       ,"arg2 lt arg3"},
-{BN_R_BAD_RECIPROCAL                     ,"bad reciprocal"},
-{BN_R_BIGNUM_TOO_LONG                    ,"bignum too long"},
-{BN_R_CALLED_WITH_EVEN_MODULUS           ,"called with even modulus"},
-{BN_R_DIV_BY_ZERO                        ,"div by zero"},
-{BN_R_ENCODING_ERROR                     ,"encoding error"},
-{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
-{BN_R_INPUT_NOT_REDUCED                  ,"input not reduced"},
-{BN_R_INVALID_LENGTH                     ,"invalid length"},
-{BN_R_INVALID_RANGE                      ,"invalid range"},
-{BN_R_NOT_A_SQUARE                       ,"not a square"},
-{BN_R_NOT_INITIALIZED                    ,"not initialized"},
-{BN_R_NO_INVERSE                         ,"no inverse"},
-{BN_R_P_IS_NOT_PRIME                     ,"p is not prime"},
-{BN_R_TOO_MANY_ITERATIONS                ,"too many iterations"},
-{BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
+{ERR_REASON(BN_R_ARG2_LT_ARG3)           ,"arg2 lt arg3"},
+{ERR_REASON(BN_R_BAD_RECIPROCAL)         ,"bad reciprocal"},
+{ERR_REASON(BN_R_BIGNUM_TOO_LONG)        ,"bignum too long"},
+{ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS),"called with even modulus"},
+{ERR_REASON(BN_R_DIV_BY_ZERO)            ,"div by zero"},
+{ERR_REASON(BN_R_ENCODING_ERROR)         ,"encoding error"},
+{ERR_REASON(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA),"expand on static bignum data"},
+{ERR_REASON(BN_R_INPUT_NOT_REDUCED)      ,"input not reduced"},
+{ERR_REASON(BN_R_INVALID_LENGTH)         ,"invalid length"},
+{ERR_REASON(BN_R_INVALID_RANGE)          ,"invalid range"},
+{ERR_REASON(BN_R_NOT_A_SQUARE)           ,"not a square"},
+{ERR_REASON(BN_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(BN_R_NO_INVERSE)             ,"no inverse"},
+{ERR_REASON(BN_R_P_IS_NOT_PRIME)         ,"p is not prime"},
+{ERR_REASON(BN_R_TOO_MANY_ITERATIONS)    ,"too many iterations"},
+{ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"},
 {0,NULL}
 	};

@@ -123,8 +131,8 @@ void ERR_load_BN_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BN,BN_str_functs);
-		ERR_load_strings(ERR_LIB_BN,BN_str_reasons);
+		ERR_load_strings(0,BN_str_functs);
+		ERR_load_strings(0,BN_str_reasons);
 #endif

 		}
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -113,6 +113,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"

+/* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE	32

 /* this one works - simple but works */
@@ -121,6 +122,13 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	int i,bits,ret=0;
 	BIGNUM *v,*rr;

+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	BN_CTX_start(ctx);
 	if ((r == a) || (r == p))
 		rr = BN_CTX_get(ctx);
@@ -204,7 +212,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	if (BN_is_odd(m))
 		{
 #  ifdef MONT_EXP_WORD
-		if (a->top == 1 && !a->neg)
+		if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) == 0))
 			{
 			BN_ULONG A = a->d[0];
 			ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
@@ -234,6 +242,13 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	BIGNUM val[TABLE_SIZE];
 	BN_RECP_CTX recp;

+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bits=BN_num_bits(p);

 	if (bits == 0)
@@ -361,6 +376,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 	BIGNUM val[TABLE_SIZE];
 	BN_MONT_CTX *mont=NULL;

+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
+		}
+
 	bn_check_top(a);
 	bn_check_top(p);
 	bn_check_top(m);
@@ -493,6 +513,212 @@ err:
 	return(ret);
 	}

+
+/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
+ * so that accessing any of these table values shows the same access pattern as far
+ * as cache lines are concerned.  The following functions are used to transfer a BIGNUM
+ * from/to that table. */
+
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+	{
+	size_t i, j;
+
+	if (bn_wexpand(b, top) == NULL)
+		return 0;
+	while (b->top < top)
+		{
+		b->d[b->top++] = 0;
+		}
+	
+	for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+		{
+		buf[j] = ((unsigned char*)b->d)[i];
+		}
+
+	bn_fix_top(b);
+	return 1;
+	}
+
+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+	{
+	size_t i, j;
+
+	if (bn_wexpand(b, top) == NULL)
+		return 0;
+
+	for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+		{
+		((unsigned char*)b->d)[i] = buf[j];
+		}
+
+	b->top = top;
+	bn_fix_top(b);
+	return 1;
+	}	
+
+/* Given a pointer value, compute the next address that is a cache line multiple. */
+#define MOD_EXP_CTIME_ALIGN(x_) \
+	((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+
+/* This variant of BN_mod_exp_mont() uses fixed windows and the special
+ * precomputation memory layout to limit data-dependency to a minimum
+ * to protect secret exponents (cf. the hyper-threading timing attacks
+ * pointed out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+		    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	int i,bits,ret=0,idx,window,wvalue;
+	int top;
+ 	BIGNUM *r;
+	const BIGNUM *aa;
+	BN_MONT_CTX *mont=NULL;
+
+	int numPowers;
+	unsigned char *powerbufFree=NULL;
+	int powerbufLen = 0;
+	unsigned char *powerbuf=NULL;
+	BIGNUM *computeTemp=NULL, *am=NULL;
+
+	bn_check_top(a);
+	bn_check_top(p);
+	bn_check_top(m);
+
+	top = m->top;
+
+	if (!(m->d[0] & 1))
+		{
+		BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
+		return(0);
+		}
+	bits=BN_num_bits(p);
+	if (bits == 0)
+		{
+		ret = BN_one(rr);
+		return ret;
+		}
+
+ 	/* Initialize BIGNUM context and allocate intermediate result */
+	BN_CTX_start(ctx);
+	r = BN_CTX_get(ctx);
+	if (r == NULL) goto err;
+
+	/* Allocate a montgomery context if it was not supplied by the caller.
+	 * If this is not done, things will break in the montgomery part.
+ 	 */
+	if (in_mont != NULL)
+		mont=in_mont;
+	else
+		{
+		if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+		if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+		}
+
+	/* Get the window size to use with size of p. */
+	window = BN_window_bits_for_ctime_exponent_size(bits);
+
+	/* Allocate a buffer large enough to hold all of the pre-computed
+	 * powers of a.
+	 */
+	numPowers = 1 << window;
+	powerbufLen = sizeof(m->d[0])*top*numPowers;
+	if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
+		goto err;
+		
+	powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
+	memset(powerbuf, 0, powerbufLen);
+
+ 	/* Initialize the intermediate result. Do this early to save double conversion,
+	 * once each for a^0 and intermediate result.
+	 */
+ 	if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+	if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
+
+	/* Initialize computeTemp as a^1 with montgomery precalcs */
+	computeTemp = BN_CTX_get(ctx);
+	am = BN_CTX_get(ctx);
+	if (computeTemp==NULL || am==NULL) goto err;
+
+	if (a->neg || BN_ucmp(a,m) >= 0)
+		{
+		if (!BN_mod(am,a,m,ctx))
+			goto err;
+		aa= am;
+		}
+	else
+		aa=a;
+	if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
+	if (!BN_copy(computeTemp, am)) goto err;
+	if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
+
+	/* If the window size is greater than 1, then calculate
+	 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+	 * (even powers could instead be computed as (a^(i/2))^2
+	 * to use the slight performance advantage of sqr over mul).
+	 */
+	if (window > 1)
+		{
+		for (i=2; i<numPowers; i++)
+			{
+			/* Calculate a^i = a^(i-1) * a */
+			if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
+				goto err;
+			if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
+			}
+		}
+
+ 	/* Adjust the number of bits up to a multiple of the window size.
+ 	 * If the exponent length is not a multiple of the window size, then
+ 	 * this pads the most significant bits with zeros to normalize the
+ 	 * scanning loop to there's no special cases.
+ 	 *
+ 	 * * NOTE: Making the window size a power of two less than the native
+	 * * word size ensures that the padded bits won't go past the last
+ 	 * * word in the internal BIGNUM structure. Going past the end will
+ 	 * * still produce the correct result, but causes a different branch
+ 	 * * to be taken in the BN_is_bit_set function.
+ 	 */
+ 	bits = ((bits+window-1)/window)*window;
+ 	idx=bits-1;	/* The top bit of the window */
+
+ 	/* Scan the exponent one window at a time starting from the most
+ 	 * significant bits.
+ 	 */
+ 	while (idx >= 0)
+  		{
+ 		wvalue=0; /* The 'value' of the window */
+ 		
+ 		/* Scan the window, squaring the result as we go */
+ 		for (i=0; i<window; i++,idx--)
+ 			{
+			if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))	goto err;
+			wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
+  			}
+ 		
+		/* Fetch the appropriate pre-computed value from the pre-buf */
+		if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
+
+ 		/* Multiply the result into the intermediate result */
+ 		if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
+  		}
+
+ 	/* Convert the final result from montgomery to standard format */
+	if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
+	ret=1;
+err:
+	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+	if (powerbuf!=NULL)
+		{
+		OPENSSL_cleanse(powerbuf,powerbufLen);
+		OPENSSL_free(powerbufFree);
+		}
+ 	if (am!=NULL) BN_clear(am);
+ 	if (computeTemp!=NULL) BN_clear(computeTemp);
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 	{
@@ -517,6 +743,13 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
 		(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))

+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_MONT_WORD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bn_check_top(p);
 	bn_check_top(m);

@@ -644,6 +877,13 @@ int BN_mod_exp_simple(BIGNUM *r,
 	BIGNUM *d;
 	BIGNUM val[TABLE_SIZE];

+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bits=BN_num_bits(p);

 	if (bits == 0)
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -177,6 +177,45 @@ struct bignum_ctx



+/* BN_mod_exp_mont_conttime is based on the assumption that the
+ * L1 data cache line width of the target processor is at least
+ * the following value.
+ */
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH	( 64 )
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK	(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/* Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime).
+ *
+ * To achieve the security goals of BN_mode_exp_mont_consttime, the
+ * maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). 
+ *
+ * Window size thresholds are defined for cache line sizes of 32 and 64,
+ * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
+ * window size of 7 should only be used on processors that have a 128
+ * byte or greater cache line size.
+ */
+#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+		((b) > 937 ? 6 : \
+		 (b) > 306 ? 5 : \
+		 (b) >  89 ? 4 : \
+		 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE	(6)
+
+#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+		((b) > 306 ? 5 : \
+		 (b) >  89 ? 4 : \
+		 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE	(5)
+
+#endif
+
+
 /* Pentium pro 16,16,16,32,64 */
 /* Alpha       16,16,16,16.64 */
 #define BN_MULL_SIZE_NORMAL			(16) /* 32 */
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -347,3 +347,23 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 	return(to);
 	}

+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+					const BIGNUM *mod, BN_CTX *ctx)
+	{
+	if (*pmont)
+		return *pmont;
+	CRYPTO_w_lock(lock);
+	if (!*pmont)
+		{
+		*pmont = BN_MONT_CTX_new();
+		if (*pmont && !BN_MONT_CTX_set(*pmont, mod, ctx))
+			{
+			BN_MONT_CTX_free(*pmont);
+			*pmont = NULL;
+			}
+		}
+	CRYPTO_w_unlock(lock);
+	return *pmont;
+	}
+		
+
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -86,6 +86,7 @@ int test_mont(BIO *bp,BN_CTX *ctx);
 int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
 int test_kron(BIO *bp,BN_CTX *ctx);
 int test_sqrt(BIO *bp,BN_CTX *ctx);
@@ -213,6 +214,10 @@ int main(int argc, char *argv[])
 	if (!test_mod_exp(out,ctx)) goto err;
 	BIO_flush(out);

+	message(out,"BN_mod_exp_mont_consttime");
+	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	BIO_flush(out);
+
 	message(out,"BN_exp");
 	if (!test_exp(out,ctx)) goto err;
 	BIO_flush(out);
@@ -813,6 +818,57 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}

+int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
+	for (i=0; i<num2; i++)
+		{
+		BN_bntest_rand(a,20+i*5,0,0); /**/
+		BN_bntest_rand(b,2+i,0,0); /**/
+
+		if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
+			return(00);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,b);
+				BIO_puts(bp," % ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,d);
+			BIO_puts(bp,"\n");
+			}
+		BN_exp(e,a,b,ctx);
+		BN_sub(e,e,d);
+		BN_div(a,b,e,c,ctx);
+		if(!BN_is_zero(b))
+		    {
+		    fprintf(stderr,"Modulo exponentiation test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;
--- a/crypto/bn/expspeed.c
+++ b/crypto/bn/expspeed.c
@@ -321,7 +321,7 @@ void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
 #else /* TEST_SQRT */
 			"2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
 #endif
-			" -> %8.3fms %5.1f (%ld)\n",
+			" -> %8.6fms %5.1f (%ld)\n",
 #ifdef TEST_SQRT
 			P_MOD_64,
 #endif
--- a/crypto/bn/exptest.c
+++ b/crypto/bn/exptest.c
@@ -77,7 +77,7 @@ int main(int argc, char *argv[])
 	BIO *out=NULL;
 	int i,ret;
 	unsigned char c;
-	BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
+	BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m;

 	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
 	                                       * even check its return value
@@ -88,6 +88,7 @@ int main(int argc, char *argv[])
 	ctx=BN_CTX_new();
 	if (ctx == NULL) EXIT(1);
 	r_mont=BN_new();
+	r_mont_const=BN_new();
 	r_recp=BN_new();
 	r_simple=BN_new();
 	a=BN_new();
@@ -143,8 +144,17 @@ int main(int argc, char *argv[])
 			EXIT(1);
 			}

+		ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL);
+		if (ret <= 0)
+			{
+			printf("BN_mod_exp_mont_consttime() problems\n");
+			ERR_print_errors(out);
+			EXIT(1);
+			}
+
 		if (BN_cmp(r_simple, r_mont) == 0
-		    && BN_cmp(r_simple,r_recp) == 0)
+		    && BN_cmp(r_simple,r_recp) == 0
+			&& BN_cmp(r_simple,r_mont_const) == 0)
 			{
 			printf(".");
 			fflush(stdout);
@@ -153,6 +163,8 @@ int main(int argc, char *argv[])
 		  	{
 			if (BN_cmp(r_simple,r_mont) != 0)
 				printf("\nsimple and mont results differ\n");
+			if (BN_cmp(r_simple,r_mont) != 0)
+				printf("\nsimple and mont const time results differ\n");
 			if (BN_cmp(r_simple,r_recp) != 0)
 				printf("\nsimple and recp results differ\n");

@@ -162,11 +174,13 @@ int main(int argc, char *argv[])
 			printf("\nsimple   =");	BN_print(out,r_simple);
 			printf("\nrecp     =");	BN_print(out,r_recp);
 			printf("\nmont     ="); BN_print(out,r_mont);
+			printf("\nmont_ct  ="); BN_print(out,r_mont_const);
 			printf("\n");
 			EXIT(1);
 			}
 		}
 	BN_free(r_mont);
+	BN_free(r_mont_const);
 	BN_free(r_recp);
 	BN_free(r_simple);
 	BN_free(a);
--- a/crypto/buffer/buf_err.c
+++ b/crypto/buffer/buf_err.c
@@ -1,6 +1,6 @@
 /* crypto/buffer/buf_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,11 +64,15 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BUF,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BUF,0,reason)
+
 static ERR_STRING_DATA BUF_str_functs[]=
 	{
-{ERR_PACK(0,BUF_F_BUF_MEM_GROW,0),	"BUF_MEM_grow"},
-{ERR_PACK(0,BUF_F_BUF_MEM_NEW,0),	"BUF_MEM_new"},
-{ERR_PACK(0,BUF_F_BUF_STRDUP,0),	"BUF_strdup"},
+{ERR_FUNC(BUF_F_BUF_MEM_GROW),	"BUF_MEM_grow"},
+{ERR_FUNC(BUF_F_BUF_MEM_NEW),	"BUF_MEM_new"},
+{ERR_FUNC(BUF_F_BUF_STRDUP),	"BUF_strdup"},
 {0,NULL}
 	};

@@ -87,8 +91,8 @@ void ERR_load_BUF_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BUF,BUF_str_functs);
-		ERR_load_strings(ERR_LIB_BUF,BUF_str_reasons);
+		ERR_load_strings(0,BUF_str_functs);
+		ERR_load_strings(0,BUF_str_reasons);
 #endif

 		}
--- a/crypto/cast/Makefile
+++ b/crypto/cast/Makefile
@@ -115,6 +115,7 @@ c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 c_ofb64.o: c_ofb64.c cast_lcl.h
 c_skey.o: ../../e_os.h ../../include/openssl/cast.h
 c_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-c_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-c_skey.o: ../../include/openssl/symhacks.h c_skey.c cast_lcl.h cast_s.h
+c_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
+c_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+c_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_skey.o: c_skey.c cast_lcl.h cast_s.h
--- a/crypto/cast/c_skey.c
+++ b/crypto/cast/c_skey.c
@@ -57,6 +57,7 @@
 */

 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include <openssl/cast.h>

 #include "cast_lcl.h"
--- a/crypto/cast/cast_lcl.h
+++ b/crypto/cast/cast_lcl.h
@@ -64,11 +64,6 @@
 #endif


-#ifdef OPENSSL_BUILD_SHLIBCRYPTO
-# undef OPENSSL_EXTERN
-# define OPENSSL_EXTERN OPENSSL_EXPORT
-#endif
-
 #undef c2l
 #define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
 			 l|=((unsigned long)(*((c)++)))<< 8L, \
@@ -222,11 +217,11 @@
 	}
 #endif

-OPENSSL_EXTERN const CAST_LONG CAST_S_table0[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table1[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table2[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table3[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table4[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table5[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table6[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table7[256];
+extern const CAST_LONG CAST_S_table0[256];
+extern const CAST_LONG CAST_S_table1[256];
+extern const CAST_LONG CAST_S_table2[256];
+extern const CAST_LONG CAST_S_table3[256];
+extern const CAST_LONG CAST_S_table4[256];
+extern const CAST_LONG CAST_S_table5[256];
+extern const CAST_LONG CAST_S_table6[256];
+extern const CAST_LONG CAST_S_table7[256];
--- a/crypto/conf/conf_err.c
+++ b/crypto/conf/conf_err.c
@@ -1,6 +1,6 @@
 /* crypto/conf/conf_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,47 +64,51 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CONF,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CONF,0,reason)
+
 static ERR_STRING_DATA CONF_str_functs[]=
 	{
-{ERR_PACK(0,CONF_F_CONF_DUMP_FP,0),	"CONF_dump_fp"},
-{ERR_PACK(0,CONF_F_CONF_LOAD,0),	"CONF_load"},
-{ERR_PACK(0,CONF_F_CONF_LOAD_BIO,0),	"CONF_load_bio"},
-{ERR_PACK(0,CONF_F_CONF_LOAD_FP,0),	"CONF_load_fp"},
-{ERR_PACK(0,CONF_F_CONF_MODULES_LOAD,0),	"CONF_modules_load"},
-{ERR_PACK(0,CONF_F_MODULE_INIT,0),	"MODULE_INIT"},
-{ERR_PACK(0,CONF_F_MODULE_LOAD_DSO,0),	"MODULE_LOAD_DSO"},
-{ERR_PACK(0,CONF_F_MODULE_RUN,0),	"MODULE_RUN"},
-{ERR_PACK(0,CONF_F_NCONF_DUMP_BIO,0),	"NCONF_dump_bio"},
-{ERR_PACK(0,CONF_F_NCONF_DUMP_FP,0),	"NCONF_dump_fp"},
-{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER,0),	"NCONF_get_number"},
-{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER_E,0),	"NCONF_get_number_e"},
-{ERR_PACK(0,CONF_F_NCONF_GET_SECTION,0),	"NCONF_get_section"},
-{ERR_PACK(0,CONF_F_NCONF_GET_STRING,0),	"NCONF_get_string"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD,0),	"NCONF_load"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD_BIO,0),	"NCONF_load_bio"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD_FP,0),	"NCONF_load_fp"},
-{ERR_PACK(0,CONF_F_NCONF_NEW,0),	"NCONF_new"},
-{ERR_PACK(0,CONF_F_STR_COPY,0),	"STR_COPY"},
+{ERR_FUNC(CONF_F_CONF_DUMP_FP),	"CONF_dump_fp"},
+{ERR_FUNC(CONF_F_CONF_LOAD),	"CONF_load"},
+{ERR_FUNC(CONF_F_CONF_LOAD_BIO),	"CONF_load_bio"},
+{ERR_FUNC(CONF_F_CONF_LOAD_FP),	"CONF_load_fp"},
+{ERR_FUNC(CONF_F_CONF_MODULES_LOAD),	"CONF_modules_load"},
+{ERR_FUNC(CONF_F_MODULE_INIT),	"MODULE_INIT"},
+{ERR_FUNC(CONF_F_MODULE_LOAD_DSO),	"MODULE_LOAD_DSO"},
+{ERR_FUNC(CONF_F_MODULE_RUN),	"MODULE_RUN"},
+{ERR_FUNC(CONF_F_NCONF_DUMP_BIO),	"NCONF_dump_bio"},
+{ERR_FUNC(CONF_F_NCONF_DUMP_FP),	"NCONF_dump_fp"},
+{ERR_FUNC(CONF_F_NCONF_GET_NUMBER),	"NCONF_get_number"},
+{ERR_FUNC(CONF_F_NCONF_GET_NUMBER_E),	"NCONF_get_number_e"},
+{ERR_FUNC(CONF_F_NCONF_GET_SECTION),	"NCONF_get_section"},
+{ERR_FUNC(CONF_F_NCONF_GET_STRING),	"NCONF_get_string"},
+{ERR_FUNC(CONF_F_NCONF_LOAD),	"NCONF_load"},
+{ERR_FUNC(CONF_F_NCONF_LOAD_BIO),	"NCONF_load_bio"},
+{ERR_FUNC(CONF_F_NCONF_LOAD_FP),	"NCONF_load_fp"},
+{ERR_FUNC(CONF_F_NCONF_NEW),	"NCONF_new"},
+{ERR_FUNC(CONF_F_STR_COPY),	"STR_COPY"},
 {0,NULL}
 	};

 static ERR_STRING_DATA CONF_str_reasons[]=
 	{
-{CONF_R_ERROR_LOADING_DSO                ,"error loading dso"},
-{CONF_R_MISSING_CLOSE_SQUARE_BRACKET     ,"missing close square bracket"},
-{CONF_R_MISSING_EQUAL_SIGN               ,"missing equal sign"},
-{CONF_R_MISSING_FINISH_FUNCTION          ,"missing finish function"},
-{CONF_R_MISSING_INIT_FUNCTION            ,"missing init function"},
-{CONF_R_MODULE_INITIALIZATION_ERROR      ,"module initialization error"},
-{CONF_R_NO_CLOSE_BRACE                   ,"no close brace"},
-{CONF_R_NO_CONF                          ,"no conf"},
-{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE  ,"no conf or environment variable"},
-{CONF_R_NO_SECTION                       ,"no section"},
-{CONF_R_NO_SUCH_FILE                     ,"no such file"},
-{CONF_R_NO_VALUE                         ,"no value"},
-{CONF_R_UNABLE_TO_CREATE_NEW_SECTION     ,"unable to create new section"},
-{CONF_R_UNKNOWN_MODULE_NAME              ,"unknown module name"},
-{CONF_R_VARIABLE_HAS_NO_VALUE            ,"variable has no value"},
+{ERR_REASON(CONF_R_ERROR_LOADING_DSO)    ,"error loading dso"},
+{ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET),"missing close square bracket"},
+{ERR_REASON(CONF_R_MISSING_EQUAL_SIGN)   ,"missing equal sign"},
+{ERR_REASON(CONF_R_MISSING_FINISH_FUNCTION),"missing finish function"},
+{ERR_REASON(CONF_R_MISSING_INIT_FUNCTION),"missing init function"},
+{ERR_REASON(CONF_R_MODULE_INITIALIZATION_ERROR),"module initialization error"},
+{ERR_REASON(CONF_R_NO_CLOSE_BRACE)       ,"no close brace"},
+{ERR_REASON(CONF_R_NO_CONF)              ,"no conf"},
+{ERR_REASON(CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE),"no conf or environment variable"},
+{ERR_REASON(CONF_R_NO_SECTION)           ,"no section"},
+{ERR_REASON(CONF_R_NO_SUCH_FILE)         ,"no such file"},
+{ERR_REASON(CONF_R_NO_VALUE)             ,"no value"},
+{ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),"unable to create new section"},
+{ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME)  ,"unknown module name"},
+{ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE),"variable has no value"},
 {0,NULL}
 	};

@@ -118,8 +122,8 @@ void ERR_load_CONF_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_CONF,CONF_str_functs);
-		ERR_load_strings(ERR_LIB_CONF,CONF_str_reasons);
+		ERR_load_strings(0,CONF_str_functs);
+		ERR_load_strings(0,CONF_str_reasons);
 #endif

 		}
--- a/crypto/cpt_err.c
+++ b/crypto/cpt_err.c
@@ -1,6 +1,6 @@
 /* crypto/cpt_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,23 +64,27 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CRYPTO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CRYPTO,0,reason)
+
 static ERR_STRING_DATA CRYPTO_str_functs[]=
 	{
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,0),	"CRYPTO_get_ex_new_index"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,0),	"CRYPTO_get_new_dynlockid"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_LOCKID,0),	"CRYPTO_get_new_lockid"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_SET_EX_DATA,0),	"CRYPTO_set_ex_data"},
-{ERR_PACK(0,CRYPTO_F_DEF_ADD_INDEX,0),	"DEF_ADD_INDEX"},
-{ERR_PACK(0,CRYPTO_F_DEF_GET_CLASS,0),	"DEF_GET_CLASS"},
-{ERR_PACK(0,CRYPTO_F_INT_DUP_EX_DATA,0),	"INT_DUP_EX_DATA"},
-{ERR_PACK(0,CRYPTO_F_INT_FREE_EX_DATA,0),	"INT_FREE_EX_DATA"},
-{ERR_PACK(0,CRYPTO_F_INT_NEW_EX_DATA,0),	"INT_NEW_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX),	"CRYPTO_get_ex_new_index"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID),	"CRYPTO_get_new_dynlockid"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_LOCKID),	"CRYPTO_get_new_lockid"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_SET_EX_DATA),	"CRYPTO_set_ex_data"},
+{ERR_FUNC(CRYPTO_F_DEF_ADD_INDEX),	"DEF_ADD_INDEX"},
+{ERR_FUNC(CRYPTO_F_DEF_GET_CLASS),	"DEF_GET_CLASS"},
+{ERR_FUNC(CRYPTO_F_INT_DUP_EX_DATA),	"INT_DUP_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_INT_FREE_EX_DATA),	"INT_FREE_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_INT_NEW_EX_DATA),	"INT_NEW_EX_DATA"},
 {0,NULL}
 	};

 static ERR_STRING_DATA CRYPTO_str_reasons[]=
 	{
-{CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK     ,"no dynlock create callback"},
+{ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK),"no dynlock create callback"},
 {0,NULL}
 	};

@@ -94,8 +98,8 @@ void ERR_load_CRYPTO_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_functs);
-		ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_reasons);
+		ERR_load_strings(0,CRYPTO_str_functs);
+		ERR_load_strings(0,CRYPTO_str_reasons);
 #endif

 		}
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -480,6 +480,8 @@ const char *CRYPTO_get_lock_name(int type)
 		return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
 	}

+int OPENSSL_NONPIC_relocated=0;
+
 #if defined(_WIN32) && defined(_WINDLL)

 /* All we really need to do is remove the 'error' state when a thread
@@ -491,6 +493,21 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 	switch(fdwReason)
 		{
 	case DLL_PROCESS_ATTACH:
+#if defined(_WIN32_WINNT)
+		{
+		IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)hinstDLL;
+		IMAGE_NT_HEADERS *nt_headers;
+
+		if (dos_header->e_magic==IMAGE_DOS_SIGNATURE)
+			{
+			nt_headers = (IMAGE_NT_HEADERS *)((char *)dos_header
+						+ dos_header->e_lfanew);
+			if (nt_headers->Signature==IMAGE_NT_SIGNATURE &&
+			    hinstDLL!=(HINSTANCE)(nt_headers->OptionalHeader.ImageBase))
+				OPENSSL_NONPIC_relocated=1;
+			}
+		}
+#endif
 		break;
 	case DLL_THREAD_ATTACH:
 		break;
@@ -504,18 +521,160 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 	}
 #endif

+#if defined(_WIN32)
+#include <tchar.h>
+
+#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
+static int IsService(void)
+{ HWINSTA h;
+  DWORD len;
+  WCHAR *name;
+
+    (void)GetDesktopWindow(); /* return value is ignored */
+
+    h = GetProcessWindowStation();
+    if (h==NULL) return -1;
+
+    if (GetUserObjectInformationW (h,UOI_NAME,NULL,0,&len) ||
+	GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+	return -1;
+
+    if (len>512) return -1;		/* paranoia */
+    len++,len&=~1;			/* paranoia */
+#ifdef _MSC_VER
+    name=(WCHAR *)_alloca(len+sizeof(WCHAR));
+#else
+    name=(WCHAR *)alloca(len+sizeof(WCHAR));
+#endif
+    if (!GetUserObjectInformationW (h,UOI_NAME,name,len,&len))
+	return -1;
+
+    len++,len&=~1;			/* paranoia */
+    name[len/sizeof(WCHAR)]=L'\0';	/* paranoia */
+#if 1
+    /* This doesn't cover "interactive" services [working with real
+     * WinSta0's] nor programs started non-interactively by Task
+     * Scheduler [those are working with SAWinSta]. */
+    if (wcsstr(name,L"Service-0x"))	return 1;
+#else
+    /* This covers all non-interactive programs such as services. */
+    if (!wcsstr(name,L"WinSta0"))	return 1;
+#endif
+    else				return 0;
+}
+#endif
+
+void OPENSSL_showfatal (const char *fmta,...)
+{ va_list ap;
+  TCHAR buf[256];
+  const TCHAR *fmt;
+  HANDLE h;
+
+    if ((h=GetStdHandle(STD_ERROR_HANDLE)) != NULL &&
+	GetFileType(h)!=FILE_TYPE_UNKNOWN)
+    {	/* must be console application */
+	va_start (ap,fmta);
+	vfprintf (stderr,fmta,ap);
+	va_end (ap);
+	return;
+    }
+
+    if (sizeof(TCHAR)==sizeof(char))
+	fmt=(const TCHAR *)fmta;
+    else do
+    { int    keepgoing;
+      size_t len_0=strlen(fmta)+1,i;
+      WCHAR *fmtw;
+
+#ifdef _MSC_VER
+	fmtw = (WCHAR *)_alloca (len_0*sizeof(WCHAR));
+#else
+	fmtw = (WCHAR *)alloca (len_0*sizeof(WCHAR));
+#endif
+	if (fmtw == NULL) { fmt=(const TCHAR *)L"no stack?"; break; }
+
+#ifndef OPENSSL_NO_MULTIBYTE
+	if (!MultiByteToWideChar(CP_ACP,0,fmta,len_0,fmtw,len_0))
+#endif
+	    for (i=0;i<len_0;i++) fmtw[i]=(WCHAR)fmta[i];
+
+	for (i=0;i<len_0;i++)
+	{   if (fmtw[i]==L'%') do
+	    {	keepgoing=0;
+		switch (fmtw[i+1])
+		{   case L'0': case L'1': case L'2': case L'3': case L'4':
+		    case L'5': case L'6': case L'7': case L'8': case L'9':
+		    case L'.': case L'*':
+		    case L'-':	i++; keepgoing=1; break;
+		    case L's':	fmtw[i+1]=L'S';   break;
+		    case L'S':	fmtw[i+1]=L's';   break;
+		    case L'c':	fmtw[i+1]=L'C';   break;
+		    case L'C':	fmtw[i+1]=L'c';   break;
+		}
+	    } while (keepgoing);
+	}
+	fmt = (const TCHAR *)fmtw;
+    } while (0);
+
+    va_start (ap,fmta);
+    _vsntprintf (buf,sizeof(buf)/sizeof(TCHAR)-1,fmt,ap);
+    buf [sizeof(buf)/sizeof(TCHAR)-1] = _T('\0');
+    va_end (ap);
+
+#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
+    /* this -------------v--- guards NT-specific calls */
+    if (GetVersion() < 0x80000000 && IsService())
+    {	HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
+	const TCHAR *pmsg=buf;
+	ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
+	DeregisterEventSource(h);
+    }
+    else
+#endif
+    {	MSGBOXPARAMS         m;
+
+	m.cbSize             = sizeof(m);
+	m.hwndOwner          = NULL;
+	m.lpszCaption        = _T("OpenSSL: FATAL");
+	m.dwStyle            = MB_OK;
+	m.hInstance          = NULL;
+	m.lpszIcon           = IDI_ERROR;
+	m.dwContextHelpId    = 0;
+	m.lpfnMsgBoxCallback = NULL;
+	m.dwLanguageId       = MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US);
+	m.lpszText           = buf;
+
+	MessageBoxIndirect (&m);
+    }
+}
+#else
+void OPENSSL_showfatal (const char *fmta,...)
+{ va_list ap;
+
+    va_start (ap,fmta);
+    vfprintf (stderr,fmta,ap);
+    va_end (ap);
+}
+#endif
+
 void OpenSSLDie(const char *file,int line,const char *assertion)
 	{
-	fprintf(stderr,
+	OPENSSL_showfatal(
 		"%s(%d): OpenSSL internal error, assertion failed: %s\n",
 		file,line,assertion);
 	abort();
 	}

+void *OPENSSL_stderr(void)	{ return stderr; }
+
 #ifdef OPENSSL_FIPS
+
+void fips_w_lock(void)		{ CRYPTO_w_lock(CRYPTO_LOCK_FIPS); }
+void fips_w_unlock(void)	{ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); }
+void fips_r_lock(void)		{ CRYPTO_r_lock(CRYPTO_LOCK_FIPS); }
+void fips_r_unlock(void)	{ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); }
+
 static int fips_started = 0;
-static int fips_mode = 0;
-static void *fips_rand_check = 0;
 static unsigned long fips_thread = 0;

 void fips_set_started(void)
@@ -575,58 +734,5 @@ int fips_clear_owning_thread(void)
 		}
 	return ret;
 	}
-
-void fips_set_mode(int onoff)
-	{
-	int owning_thread = fips_is_owning_thread();
-
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
-		fips_mode = onoff;
-		if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
-		}
-	}
-
-void fips_set_rand_check(void *rand_check)
-	{
-	int owning_thread = fips_is_owning_thread();
-
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
-		fips_rand_check = rand_check;
-		if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
-		}
-	}
-
-int FIPS_mode(void)
-	{
-	int ret = 0;
-	int owning_thread = fips_is_owning_thread();
-
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
-		ret = fips_mode;
-		if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
-		}
-	return ret;
-	}
-
-void *FIPS_rand_check(void)
-	{
-	void *ret = 0;
-	int owning_thread = fips_is_owning_thread();
-
-	if (fips_is_started())
-		{
-		if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
-		ret = fips_rand_check;
-		if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
-		}
-	return ret;
-	}
-
 #endif /* OPENSSL_FIPS */

--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -93,6 +93,10 @@ extern "C" {
 #define DECIMAL_SIZE(type)	((sizeof(type)*8+2)/3+1)
 #define HEX_SIZE(type)		(sizeof(type)*2)

+void OPENSSL_showfatal(const char *,...);
+void *OPENSSL_stderr(void);
+extern int OPENSSL_NONPIC_relocated;
+
 #ifdef  __cplusplus
 }
 #endif
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -434,12 +434,9 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);

 /* die if we have to */
 void OpenSSLDie(const char *file,int line,const char *assertion);
-#define OPENSSL_assert(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+#define OPENSSL_assert(e)	(void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))

 #ifdef OPENSSL_FIPS
-int FIPS_mode(void);
-void *FIPS_rand_check(void);
-
 #define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
 		alg " previous FIPS forbidden algorithm error ignored");

--- a/crypto/des/des_locl.h
+++ b/crypto/des/des_locl.h
@@ -421,7 +421,7 @@
 	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
 	}

-OPENSSL_EXTERN const DES_LONG DES_SPtrans[8][64];
+extern const DES_LONG DES_SPtrans[8][64];

 void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
 		 DES_LONG Eswap0, DES_LONG Eswap1);
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -70,7 +70,14 @@
 #include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
 	
-#define DH_FLAG_CACHE_MONT_P	0x01
+#define DH_FLAG_CACHE_MONT_P     0x01
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+                                       * implementation now uses constant time
+                                       * modular exponentiation for secret exponents
+                                       * by default. This flag causes the
+                                       * faster variable sliding window method to
+                                       * be used for all exponents.
+                                       */

 #ifdef  __cplusplus
 extern "C" {
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,21 +64,25 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
+
 static ERR_STRING_DATA DH_str_functs[]=
 	{
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0),	"DHparams_print"},
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0),	"DHparams_print_fp"},
-{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),	"DH_compute_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),	"DH_generate_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),	"DH_generate_parameters"},
-{ERR_PACK(0,DH_F_DH_NEW_METHOD,0),	"DH_new_method"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT),	"DHparams_print"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),	"DHparams_print_fp"},
+{ERR_FUNC(DH_F_DH_COMPUTE_KEY),	"DH_compute_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_KEY),	"DH_generate_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS),	"DH_generate_parameters"},
+{ERR_FUNC(DH_F_DH_NEW_METHOD),	"DH_new_method"},
 {0,NULL}
 	};

 static ERR_STRING_DATA DH_str_reasons[]=
 	{
-{DH_R_BAD_GENERATOR                      ,"bad generator"},
-{DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
+{ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
+{ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
 	};

@@ -92,8 +96,8 @@ void ERR_load_DH_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_DH,DH_str_functs);
-		ERR_load_strings(ERR_LIB_DH,DH_str_reasons);
+		ERR_load_strings(0,DH_str_functs);
+		ERR_load_strings(0,DH_str_reasons);
 #endif

 		}
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -105,7 +105,7 @@ static int generate_key(DH *dh)
 	int generate_new_key=0;
 	unsigned l;
 	BN_CTX *ctx;
-	BN_MONT_CTX *mont;
+	BN_MONT_CTX *mont=NULL;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;

 	ctx = BN_CTX_new();
@@ -128,21 +128,36 @@ static int generate_key(DH *dh)
 	else
 		pub_key=dh->pub_key;

-	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+
+	if (dh->flags & DH_FLAG_CACHE_MONT_P)
 		{
-		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-				dh->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(
+				(BN_MONT_CTX **)&dh->method_mont_p,
+				CRYPTO_LOCK_DH, dh->p, ctx);
+		if (!mont)
+			goto err;
 		}
-	mont=(BN_MONT_CTX *)dh->method_mont_p;

 	if (generate_new_key)
 		{
 		l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
 		if (!BN_rand(priv_key, l, 0, 0)) goto err;
 		}
-	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
-		goto err;
+
+	{
+		BIGNUM local_prk;
+		BIGNUM *prk;
+
+		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+			{
+			prk = &local_prk;
+			BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			prk = priv_key;
+
+		if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
+	}
 		
 	dh->pub_key=pub_key;
 	dh->priv_key=priv_key;
@@ -160,7 +175,7 @@ err:
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 	{
 	BN_CTX *ctx;
-	BN_MONT_CTX *mont;
+	BN_MONT_CTX *mont=NULL;
 	BIGNUM *tmp;
 	int ret= -1;

@@ -174,14 +189,21 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 		DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
 		goto err;
 		}
-	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+
+	if (dh->flags & DH_FLAG_CACHE_MONT_P)
 		{
-		if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-				dh->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(
+				(BN_MONT_CTX **)&dh->method_mont_p,
+				CRYPTO_LOCK_DH, dh->p, ctx);
+		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+			{
+			/* XXX */
+			BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
+			}
+		if (!mont)
+			goto err;
 		}

-	mont=(BN_MONT_CTX *)dh->method_mont_p;
 	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
 		{
 		DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
@@ -200,7 +222,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 			const BIGNUM *m, BN_CTX *ctx,
 			BN_MONT_CTX *m_ctx)
 	{
-	if (a->top == 1)
+	/* If a is only one word long and constant time is false, use the faster
+	 * exponenentiation function.
+	 */
+	if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
 		{
 		BN_ULONG A = a->d[0];
 		return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
--- a/crypto/dh/dhtest.c
+++ b/crypto/dh/dhtest.c
@@ -136,6 +136,10 @@ int main(int argc, char *argv[])
 	b->g=BN_dup(a->g);
 	if ((b->p == NULL) || (b->g == NULL)) goto err;

+	/* Set a to run with normal modexp and b to use constant time */
+	a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
+	b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
+
 	if (!DH_generate_key(a)) goto err;
 	BIO_puts(out,"pri 1=");
 	BN_print(out,a->priv_key);
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -80,6 +80,13 @@
 #endif

 #define DSA_FLAG_CACHE_MONT_P	0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
+                                              * implementation now uses constant time
+                                              * modular exponentiation for secret exponents
+                                              * by default. This flag causes the
+                                              * faster variable sliding window method to
+                                              * be used for all exponents.
+                                              */

 #if defined(OPENSSL_FIPS)
 #define FIPS_DSA_SIZE_T	int
--- a/crypto/dsa/dsa_err.c
+++ b/crypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/dsa/dsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,29 +64,33 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
+
 static ERR_STRING_DATA DSA_str_functs[]=
 	{
-{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0),	"d2i_DSA_SIG"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0),	"DSAparams_print"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),	"DSAparams_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),	"DSA_do_sign"},
-{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),	"DSA_do_verify"},
-{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0),	"DSA_new_method"},
-{ERR_PACK(0,DSA_F_DSA_PRINT,0),	"DSA_print"},
-{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),	"DSA_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_SIGN,0),	"DSA_sign"},
-{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0),	"DSA_sign_setup"},
-{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0),	"DSA_SIG_new"},
-{ERR_PACK(0,DSA_F_DSA_VERIFY,0),	"DSA_verify"},
-{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0),	"i2d_DSA_SIG"},
-{ERR_PACK(0,DSA_F_SIG_CB,0),	"SIG_CB"},
+{ERR_FUNC(DSA_F_D2I_DSA_SIG),	"d2i_DSA_SIG"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT),	"DSAparams_print"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),	"DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSA_DO_SIGN),	"DSA_do_sign"},
+{ERR_FUNC(DSA_F_DSA_DO_VERIFY),	"DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_NEW_METHOD),	"DSA_new_method"},
+{ERR_FUNC(DSA_F_DSA_PRINT),	"DSA_print"},
+{ERR_FUNC(DSA_F_DSA_PRINT_FP),	"DSA_print_fp"},
+{ERR_FUNC(DSA_F_DSA_SIGN),	"DSA_sign"},
+{ERR_FUNC(DSA_F_DSA_SIGN_SETUP),	"DSA_sign_setup"},
+{ERR_FUNC(DSA_F_DSA_SIG_NEW),	"DSA_SIG_new"},
+{ERR_FUNC(DSA_F_DSA_VERIFY),	"DSA_verify"},
+{ERR_FUNC(DSA_F_I2D_DSA_SIG),	"i2d_DSA_SIG"},
+{ERR_FUNC(DSA_F_SIG_CB),	"SIG_CB"},
 {0,NULL}
 	};

 static ERR_STRING_DATA DSA_str_reasons[]=
 	{
-{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
-{DSA_R_MISSING_PARAMETERS                ,"missing parameters"},
+{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
 {0,NULL}
 	};

@@ -100,8 +104,8 @@ void ERR_load_DSA_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);
-		ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);
+		ERR_load_strings(0,DSA_str_functs);
+		ERR_load_strings(0,DSA_str_reasons);
 #endif

 		}
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -90,8 +90,21 @@ int DSA_generate_key(DSA *dsa)
 		}
 	else
 		pub_key=dsa->pub_key;
+	
+	{
+		BIGNUM local_prk;
+		BIGNUM *prk;

-	if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+		if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+			{
+			prk = &local_prk;
+			BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			prk = priv_key;
+
+		if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+	}

 	dsa->priv_key=priv_key;
 	dsa->pub_key=pub_key;
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -197,12 +197,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	do
 		if (!BN_rand_range(&k, dsa->q)) goto err;
 	while (BN_is_zero(&k));
-
-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
 		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
+		BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+		}
+
+	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
+		{
+		if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
+						CRYPTO_LOCK_DSA,
+						dsa->p, ctx))
+			goto err;
 		}

 	/* Compute r = (g^k mod p) mod q */
@@ -275,13 +280,15 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 	/* u2 = r * w mod q */
 	if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;

-	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+
+	if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
 		{
-		if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-			if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-				dsa->p,ctx)) goto err;
+		mont = BN_MONT_CTX_set_locked(
+					(BN_MONT_CTX **)&dsa->method_mont_p,
+					CRYPTO_LOCK_DSA, dsa->p, ctx);
+		if (!mont)
+			goto err;
 		}
-	mont=(BN_MONT_CTX *)dsa->method_mont_p;

 #if 0
 	{
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -194,10 +194,19 @@ int main(int argc, char **argv)
 		BIO_printf(bio_err,"g value is wrong\n");
 		goto end;
 		}
+
+	dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
 	DSA_generate_key(dsa);
 	DSA_sign(0, str1, 20, sig, &siglen, dsa);
 	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
 		ret=1;
+
+	dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
+	DSA_generate_key(dsa);
+	DSA_sign(0, str1, 20, sig, &siglen, dsa);
+	if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+		ret=1;
+
 end:
 	if (!ret)
 		ERR_print_errors(bio_err);
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -246,7 +246,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
 		return(NULL);
 		}
-	sym = (DSO_FUNC_TYPE)dlsym(ptr, symname);
+	*(void**)(&sym) = dlsym(ptr, symname);
 	if(sym == NULL)
 		{
 		DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
--- a/crypto/dso/dso_err.c
+++ b/crypto/dso/dso_err.c
@@ -1,6 +1,6 @@
 /* crypto/dso/dso_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,56 +64,60 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSO,0,reason)
+
 static ERR_STRING_DATA DSO_str_functs[]=
 	{
-{ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0),	"DLFCN_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0),	"DLFCN_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DLFCN_LOAD,0),	"DLFCN_LOAD"},
-{ERR_PACK(0,DSO_F_DLFCN_NAME_CONVERTER,0),	"DLFCN_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0),	"DLFCN_UNLOAD"},
-{ERR_PACK(0,DSO_F_DL_BIND_FUNC,0),	"DL_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_DL_BIND_VAR,0),	"DL_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DL_LOAD,0),	"DL_LOAD"},
-{ERR_PACK(0,DSO_F_DL_NAME_CONVERTER,0),	"DL_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_DL_UNLOAD,0),	"DL_UNLOAD"},
-{ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0),	"DSO_bind_func"},
-{ERR_PACK(0,DSO_F_DSO_BIND_VAR,0),	"DSO_bind_var"},
-{ERR_PACK(0,DSO_F_DSO_CONVERT_FILENAME,0),	"DSO_convert_filename"},
-{ERR_PACK(0,DSO_F_DSO_CTRL,0),	"DSO_ctrl"},
-{ERR_PACK(0,DSO_F_DSO_FREE,0),	"DSO_free"},
-{ERR_PACK(0,DSO_F_DSO_GET_FILENAME,0),	"DSO_get_filename"},
-{ERR_PACK(0,DSO_F_DSO_GET_LOADED_FILENAME,0),	"DSO_get_loaded_filename"},
-{ERR_PACK(0,DSO_F_DSO_LOAD,0),	"DSO_load"},
-{ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0),	"DSO_new_method"},
-{ERR_PACK(0,DSO_F_DSO_SET_FILENAME,0),	"DSO_set_filename"},
-{ERR_PACK(0,DSO_F_DSO_SET_NAME_CONVERTER,0),	"DSO_set_name_converter"},
-{ERR_PACK(0,DSO_F_DSO_UP_REF,0),	"DSO_up_ref"},
-{ERR_PACK(0,DSO_F_VMS_BIND_VAR,0),	"VMS_BIND_VAR"},
-{ERR_PACK(0,DSO_F_VMS_LOAD,0),	"VMS_LOAD"},
-{ERR_PACK(0,DSO_F_VMS_UNLOAD,0),	"VMS_UNLOAD"},
-{ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0),	"WIN32_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0),	"WIN32_BIND_VAR"},
-{ERR_PACK(0,DSO_F_WIN32_LOAD,0),	"WIN32_LOAD"},
-{ERR_PACK(0,DSO_F_WIN32_NAME_CONVERTER,0),	"WIN32_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_WIN32_UNLOAD,0),	"WIN32_UNLOAD"},
+{ERR_FUNC(DSO_F_DLFCN_BIND_FUNC),	"DLFCN_BIND_FUNC"},
+{ERR_FUNC(DSO_F_DLFCN_BIND_VAR),	"DLFCN_BIND_VAR"},
+{ERR_FUNC(DSO_F_DLFCN_LOAD),	"DLFCN_LOAD"},
+{ERR_FUNC(DSO_F_DLFCN_NAME_CONVERTER),	"DLFCN_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_DLFCN_UNLOAD),	"DLFCN_UNLOAD"},
+{ERR_FUNC(DSO_F_DL_BIND_FUNC),	"DL_BIND_FUNC"},
+{ERR_FUNC(DSO_F_DL_BIND_VAR),	"DL_BIND_VAR"},
+{ERR_FUNC(DSO_F_DL_LOAD),	"DL_LOAD"},
+{ERR_FUNC(DSO_F_DL_NAME_CONVERTER),	"DL_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_DL_UNLOAD),	"DL_UNLOAD"},
+{ERR_FUNC(DSO_F_DSO_BIND_FUNC),	"DSO_bind_func"},
+{ERR_FUNC(DSO_F_DSO_BIND_VAR),	"DSO_bind_var"},
+{ERR_FUNC(DSO_F_DSO_CONVERT_FILENAME),	"DSO_convert_filename"},
+{ERR_FUNC(DSO_F_DSO_CTRL),	"DSO_ctrl"},
+{ERR_FUNC(DSO_F_DSO_FREE),	"DSO_free"},
+{ERR_FUNC(DSO_F_DSO_GET_FILENAME),	"DSO_get_filename"},
+{ERR_FUNC(DSO_F_DSO_GET_LOADED_FILENAME),	"DSO_get_loaded_filename"},
+{ERR_FUNC(DSO_F_DSO_LOAD),	"DSO_load"},
+{ERR_FUNC(DSO_F_DSO_NEW_METHOD),	"DSO_new_method"},
+{ERR_FUNC(DSO_F_DSO_SET_FILENAME),	"DSO_set_filename"},
+{ERR_FUNC(DSO_F_DSO_SET_NAME_CONVERTER),	"DSO_set_name_converter"},
+{ERR_FUNC(DSO_F_DSO_UP_REF),	"DSO_up_ref"},
+{ERR_FUNC(DSO_F_VMS_BIND_VAR),	"VMS_BIND_VAR"},
+{ERR_FUNC(DSO_F_VMS_LOAD),	"VMS_LOAD"},
+{ERR_FUNC(DSO_F_VMS_UNLOAD),	"VMS_UNLOAD"},
+{ERR_FUNC(DSO_F_WIN32_BIND_FUNC),	"WIN32_BIND_FUNC"},
+{ERR_FUNC(DSO_F_WIN32_BIND_VAR),	"WIN32_BIND_VAR"},
+{ERR_FUNC(DSO_F_WIN32_LOAD),	"WIN32_LOAD"},
+{ERR_FUNC(DSO_F_WIN32_NAME_CONVERTER),	"WIN32_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_WIN32_UNLOAD),	"WIN32_UNLOAD"},
 {0,NULL}
 	};

 static ERR_STRING_DATA DSO_str_reasons[]=
 	{
-{DSO_R_CTRL_FAILED                       ,"control command failed"},
-{DSO_R_DSO_ALREADY_LOADED                ,"dso already loaded"},
-{DSO_R_FILENAME_TOO_BIG                  ,"filename too big"},
-{DSO_R_FINISH_FAILED                     ,"cleanup method function failed"},
-{DSO_R_LOAD_FAILED                       ,"could not load the shared library"},
-{DSO_R_NAME_TRANSLATION_FAILED           ,"name translation failed"},
-{DSO_R_NO_FILENAME                       ,"no filename"},
-{DSO_R_NULL_HANDLE                       ,"a null shared library handle was used"},
-{DSO_R_SET_FILENAME_FAILED               ,"set filename failed"},
-{DSO_R_STACK_ERROR                       ,"the meth_data stack is corrupt"},
-{DSO_R_SYM_FAILURE                       ,"could not bind to the requested symbol name"},
-{DSO_R_UNLOAD_FAILED                     ,"could not unload the shared library"},
-{DSO_R_UNSUPPORTED                       ,"functionality not supported"},
+{ERR_REASON(DSO_R_CTRL_FAILED)           ,"control command failed"},
+{ERR_REASON(DSO_R_DSO_ALREADY_LOADED)    ,"dso already loaded"},
+{ERR_REASON(DSO_R_FILENAME_TOO_BIG)      ,"filename too big"},
+{ERR_REASON(DSO_R_FINISH_FAILED)         ,"cleanup method function failed"},
+{ERR_REASON(DSO_R_LOAD_FAILED)           ,"could not load the shared library"},
+{ERR_REASON(DSO_R_NAME_TRANSLATION_FAILED),"name translation failed"},
+{ERR_REASON(DSO_R_NO_FILENAME)           ,"no filename"},
+{ERR_REASON(DSO_R_NULL_HANDLE)           ,"a null shared library handle was used"},
+{ERR_REASON(DSO_R_SET_FILENAME_FAILED)   ,"set filename failed"},
+{ERR_REASON(DSO_R_STACK_ERROR)           ,"the meth_data stack is corrupt"},
+{ERR_REASON(DSO_R_SYM_FAILURE)           ,"could not bind to the requested symbol name"},
+{ERR_REASON(DSO_R_UNLOAD_FAILED)         ,"could not unload the shared library"},
+{ERR_REASON(DSO_R_UNSUPPORTED)           ,"functionality not supported"},
 {0,NULL}
 	};

@@ -127,8 +131,8 @@ void ERR_load_DSO_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_DSO,DSO_str_functs);
-		ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons);
+		ERR_load_strings(0,DSO_str_functs);
+		ERR_load_strings(0,DSO_str_reasons);
 #endif

 		}
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,70 +64,74 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason)
+
 static ERR_STRING_DATA EC_str_functs[]=
 	{
-{ERR_PACK(0,EC_F_COMPUTE_WNAF,0),	"COMPUTE_WNAF"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0),	"ec_GFp_mont_field_decode"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),	"ec_GFp_mont_field_encode"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),	"ec_GFp_mont_field_mul"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),	"ec_GFp_mont_field_sqr"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),	"ec_GFp_simple_group_set_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0),	"ec_GFp_simple_group_set_generator"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0),	"ec_GFp_simple_make_affine"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0),	"ec_GFp_simple_oct2point"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0),	"ec_GFp_simple_point2oct"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0),	"ec_GFp_simple_points_make_affine"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0),	"ec_GFp_simple_point_get_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0),	"ec_GFp_simple_point_set_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0),	"ec_GFp_simple_set_compressed_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_COPY,0),	"EC_GROUP_copy"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),	"EC_GROUP_get0_generator"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),	"EC_GROUP_get_cofactor"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),	"EC_GROUP_get_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0),	"EC_GROUP_get_order"},
-{ERR_PACK(0,EC_F_EC_GROUP_NEW,0),	"EC_GROUP_new"},
-{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),	"EC_GROUP_precompute_mult"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0),	"EC_GROUP_set_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0),	"EC_GROUP_set_extra_data"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0),	"EC_GROUP_set_generator"},
-{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0),	"EC_POINTs_make_affine"},
-{ERR_PACK(0,EC_F_EC_POINTS_MUL,0),	"EC_POINTs_mul"},
-{ERR_PACK(0,EC_F_EC_POINT_ADD,0),	"EC_POINT_add"},
-{ERR_PACK(0,EC_F_EC_POINT_CMP,0),	"EC_POINT_cmp"},
-{ERR_PACK(0,EC_F_EC_POINT_COPY,0),	"EC_POINT_copy"},
-{ERR_PACK(0,EC_F_EC_POINT_DBL,0),	"EC_POINT_dbl"},
-{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0),	"EC_POINT_get_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0),	"EC_POINT_get_Jprojective_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0),	"EC_POINT_is_at_infinity"},
-{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0),	"EC_POINT_is_on_curve"},
-{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0),	"EC_POINT_make_affine"},
-{ERR_PACK(0,EC_F_EC_POINT_NEW,0),	"EC_POINT_new"},
-{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0),	"EC_POINT_oct2point"},
-{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0),	"EC_POINT_point2oct"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0),	"EC_POINT_set_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0),	"EC_POINT_set_compressed_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0),	"EC_POINT_set_Jprojective_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0),	"EC_POINT_set_to_infinity"},
-{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0),	"GFP_MONT_GROUP_SET_CURVE_GFP"},
+{ERR_FUNC(EC_F_COMPUTE_WNAF),	"COMPUTE_WNAF"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE),	"ec_GFp_mont_field_decode"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE),	"ec_GFp_mont_field_encode"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL),	"ec_GFp_mont_field_mul"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR),	"ec_GFp_mont_field_sqr"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP),	"ec_GFp_simple_group_set_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR),	"ec_GFp_simple_group_set_generator"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE),	"ec_GFp_simple_make_affine"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT),	"ec_GFp_simple_oct2point"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT),	"ec_GFp_simple_point2oct"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE),	"ec_GFp_simple_points_make_affine"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP),	"ec_GFp_simple_point_get_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP),	"ec_GFp_simple_point_set_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP),	"ec_GFp_simple_set_compressed_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_COPY),	"EC_GROUP_copy"},
+{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR),	"EC_GROUP_get0_generator"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR),	"EC_GROUP_get_cofactor"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP),	"EC_GROUP_get_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER),	"EC_GROUP_get_order"},
+{ERR_FUNC(EC_F_EC_GROUP_NEW),	"EC_GROUP_new"},
+{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT),	"EC_GROUP_precompute_mult"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP),	"EC_GROUP_set_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA),	"EC_GROUP_set_extra_data"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR),	"EC_GROUP_set_generator"},
+{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE),	"EC_POINTs_make_affine"},
+{ERR_FUNC(EC_F_EC_POINTS_MUL),	"EC_POINTs_mul"},
+{ERR_FUNC(EC_F_EC_POINT_ADD),	"EC_POINT_add"},
+{ERR_FUNC(EC_F_EC_POINT_CMP),	"EC_POINT_cmp"},
+{ERR_FUNC(EC_F_EC_POINT_COPY),	"EC_POINT_copy"},
+{ERR_FUNC(EC_F_EC_POINT_DBL),	"EC_POINT_dbl"},
+{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP),	"EC_POINT_get_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP),	"EC_POINT_get_Jprojective_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY),	"EC_POINT_is_at_infinity"},
+{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE),	"EC_POINT_is_on_curve"},
+{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE),	"EC_POINT_make_affine"},
+{ERR_FUNC(EC_F_EC_POINT_NEW),	"EC_POINT_new"},
+{ERR_FUNC(EC_F_EC_POINT_OCT2POINT),	"EC_POINT_oct2point"},
+{ERR_FUNC(EC_F_EC_POINT_POINT2OCT),	"EC_POINT_point2oct"},
+{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP),	"EC_POINT_set_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP),	"EC_POINT_set_compressed_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP),	"EC_POINT_set_Jprojective_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY),	"EC_POINT_set_to_infinity"},
+{ERR_FUNC(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP),	"GFP_MONT_GROUP_SET_CURVE_GFP"},
 {0,NULL}
 	};

 static ERR_STRING_DATA EC_str_reasons[]=
 	{
-{EC_R_BUFFER_TOO_SMALL                   ,"buffer too small"},
-{EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
-{EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
-{EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
-{EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
-{EC_R_INVALID_ENCODING                   ,"invalid encoding"},
-{EC_R_INVALID_FIELD                      ,"invalid field"},
-{EC_R_INVALID_FORM                       ,"invalid form"},
-{EC_R_NOT_INITIALIZED                    ,"not initialized"},
-{EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
-{EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
-{EC_R_SLOT_FULL                          ,"slot full"},
-{EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
-{EC_R_UNKNOWN_ORDER                      ,"unknown order"},
+{ERR_REASON(EC_R_BUFFER_TOO_SMALL)       ,"buffer too small"},
+{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS)   ,"incompatible objects"},
+{ERR_REASON(EC_R_INVALID_ARGUMENT)       ,"invalid argument"},
+{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"},
+{ERR_REASON(EC_R_INVALID_COMPRESSION_BIT),"invalid compression bit"},
+{ERR_REASON(EC_R_INVALID_ENCODING)       ,"invalid encoding"},
+{ERR_REASON(EC_R_INVALID_FIELD)          ,"invalid field"},
+{ERR_REASON(EC_R_INVALID_FORM)           ,"invalid form"},
+{ERR_REASON(EC_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(EC_R_POINT_AT_INFINITY)      ,"point at infinity"},
+{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE)  ,"point is not on curve"},
+{ERR_REASON(EC_R_SLOT_FULL)              ,"slot full"},
+{ERR_REASON(EC_R_UNDEFINED_GENERATOR)    ,"undefined generator"},
+{ERR_REASON(EC_R_UNKNOWN_ORDER)          ,"unknown order"},
 {0,NULL}
 	};

@@ -141,8 +145,8 @@ void ERR_load_EC_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_EC,EC_str_functs);
-		ERR_load_strings(ERR_LIB_EC,EC_str_reasons);
+		ERR_load_strings(0,EC_str_functs);
+		ERR_load_strings(0,EC_str_reasons);
 #endif

 		}
--- a/crypto/engine/eng_cnf.c
+++ b/crypto/engine/eng_cnf.c
@@ -158,7 +158,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
 		 	 */
 			if (!strcmp(ctrlvalue, "EMPTY"))
 				ctrlvalue = NULL;
-			else if (!strcmp(ctrlname, "init"))
+			if (!strcmp(ctrlname, "init"))
 				{
 				if (!NCONF_get_number_e(cnf, value, "init", &do_init))
 					goto err;
--- a/crypto/engine/eng_err.c
+++ b/crypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,87 +64,91 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ENGINE,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ENGINE,0,reason)
+
 static ERR_STRING_DATA ENGINE_str_functs[]=
 	{
-{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0),	"DYNAMIC_CTRL"},
-{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0),	"DYNAMIC_GET_DATA_CTX"},
-{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0),	"DYNAMIC_LOAD"},
-{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),	"ENGINE_add"},
-{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),	"ENGINE_by_id"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0),	"ENGINE_cmd_is_executable"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),	"ENGINE_ctrl"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0),	"ENGINE_ctrl_cmd"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0),	"ENGINE_ctrl_cmd_string"},
-{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),	"ENGINE_finish"},
-{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),	"ENGINE_free"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0),	"ENGINE_get_cipher"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),	"ENGINE_GET_DEFAULT_TYPE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0),	"ENGINE_get_digest"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),	"ENGINE_get_next"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),	"ENGINE_get_prev"},
-{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),	"ENGINE_init"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),	"ENGINE_LIST_ADD"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),	"ENGINE_LIST_REMOVE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),	"ENGINE_load_private_key"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0),	"ENGINE_load_public_key"},
-{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),	"ENGINE_MODULE_INIT"},
-{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),	"ENGINE_new"},
-{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),	"ENGINE_remove"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0),	"ENGINE_set_default_string"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),	"ENGINE_SET_DEFAULT_TYPE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),	"ENGINE_set_id"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),	"ENGINE_set_name"},
-{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),	"ENGINE_TABLE_REGISTER"},
-{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),	"ENGINE_UNLOAD_KEY"},
-{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0),	"ENGINE_up_ref"},
-{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),	"INT_CTRL_HELPER"},
-{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),	"INT_ENGINE_CONFIGURE"},
-{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),	"LOG_MESSAGE"},
-{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),	"SET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_CTRL),	"DYNAMIC_CTRL"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_GET_DATA_CTX),	"DYNAMIC_GET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_LOAD),	"DYNAMIC_LOAD"},
+{ERR_FUNC(ENGINE_F_ENGINE_ADD),	"ENGINE_add"},
+{ERR_FUNC(ENGINE_F_ENGINE_BY_ID),	"ENGINE_by_id"},
+{ERR_FUNC(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE),	"ENGINE_cmd_is_executable"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL),	"ENGINE_ctrl"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD),	"ENGINE_ctrl_cmd"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD_STRING),	"ENGINE_ctrl_cmd_string"},
+{ERR_FUNC(ENGINE_F_ENGINE_FINISH),	"ENGINE_finish"},
+{ERR_FUNC(ENGINE_F_ENGINE_FREE),	"ENGINE_free"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_CIPHER),	"ENGINE_get_cipher"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_DEFAULT_TYPE),	"ENGINE_GET_DEFAULT_TYPE"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_DIGEST),	"ENGINE_get_digest"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_NEXT),	"ENGINE_get_next"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_PREV),	"ENGINE_get_prev"},
+{ERR_FUNC(ENGINE_F_ENGINE_INIT),	"ENGINE_init"},
+{ERR_FUNC(ENGINE_F_ENGINE_LIST_ADD),	"ENGINE_LIST_ADD"},
+{ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE),	"ENGINE_LIST_REMOVE"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),	"ENGINE_load_private_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),	"ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_MODULE_INIT),	"ENGINE_MODULE_INIT"},
+{ERR_FUNC(ENGINE_F_ENGINE_NEW),	"ENGINE_new"},
+{ERR_FUNC(ENGINE_F_ENGINE_REMOVE),	"ENGINE_remove"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING),	"ENGINE_set_default_string"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_TYPE),	"ENGINE_SET_DEFAULT_TYPE"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_ID),	"ENGINE_set_id"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_NAME),	"ENGINE_set_name"},
+{ERR_FUNC(ENGINE_F_ENGINE_TABLE_REGISTER),	"ENGINE_TABLE_REGISTER"},
+{ERR_FUNC(ENGINE_F_ENGINE_UNLOAD_KEY),	"ENGINE_UNLOAD_KEY"},
+{ERR_FUNC(ENGINE_F_ENGINE_UP_REF),	"ENGINE_up_ref"},
+{ERR_FUNC(ENGINE_F_INT_CTRL_HELPER),	"INT_CTRL_HELPER"},
+{ERR_FUNC(ENGINE_F_INT_ENGINE_CONFIGURE),	"INT_ENGINE_CONFIGURE"},
+{ERR_FUNC(ENGINE_F_LOG_MESSAGE),	"LOG_MESSAGE"},
+{ERR_FUNC(ENGINE_F_SET_DATA_CTX),	"SET_DATA_CTX"},
 {0,NULL}
 	};

 static ERR_STRING_DATA ENGINE_str_reasons[]=
 	{
-{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
-{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER       ,"argument is not a number"},
-{ENGINE_R_CMD_NOT_EXECUTABLE             ,"cmd not executable"},
-{ENGINE_R_COMMAND_TAKES_INPUT            ,"command takes input"},
-{ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
-{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
-{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
-{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
-{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
-{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
-{ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
-{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
-{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
-{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
-{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
-{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
-{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
-{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
-{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
-{ENGINE_R_INIT_FAILED                    ,"init failed"},
-{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
-{ENGINE_R_INVALID_ARGUMENT               ,"invalid argument"},
-{ENGINE_R_INVALID_CMD_NAME               ,"invalid cmd name"},
-{ENGINE_R_INVALID_CMD_NUMBER             ,"invalid cmd number"},
-{ENGINE_R_INVALID_INIT_VALUE             ,"invalid init value"},
-{ENGINE_R_INVALID_STRING                 ,"invalid string"},
-{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
-{ENGINE_R_NOT_LOADED                     ,"not loaded"},
-{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
-{ENGINE_R_NO_INDEX                       ,"no index"},
-{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
-{ENGINE_R_NO_REFERENCE                   ,"no reference"},
-{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
-{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
-{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
-{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
-{ENGINE_R_UNIMPLEMENTED_CIPHER           ,"unimplemented cipher"},
-{ENGINE_R_UNIMPLEMENTED_DIGEST           ,"unimplemented digest"},
-{ENGINE_R_VERSION_INCOMPATIBILITY        ,"version incompatibility"},
+{ERR_REASON(ENGINE_R_ALREADY_LOADED)     ,"already loaded"},
+{ERR_REASON(ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER),"argument is not a number"},
+{ERR_REASON(ENGINE_R_CMD_NOT_EXECUTABLE) ,"cmd not executable"},
+{ERR_REASON(ENGINE_R_COMMAND_TAKES_INPUT),"command takes input"},
+{ERR_REASON(ENGINE_R_COMMAND_TAKES_NO_INPUT),"command takes no input"},
+{ERR_REASON(ENGINE_R_CONFLICTING_ENGINE_ID),"conflicting engine id"},
+{ERR_REASON(ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(ENGINE_R_DH_NOT_IMPLEMENTED) ,"dh not implemented"},
+{ERR_REASON(ENGINE_R_DSA_NOT_IMPLEMENTED),"dsa not implemented"},
+{ERR_REASON(ENGINE_R_DSO_FAILURE)        ,"DSO failure"},
+{ERR_REASON(ENGINE_R_DSO_NOT_FOUND)      ,"dso not found"},
+{ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"},
+{ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"},
+{ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"},
+{ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},
+{ERR_REASON(ENGINE_R_FAILED_LOADING_PUBLIC_KEY),"failed loading public key"},
+{ERR_REASON(ENGINE_R_FINISH_FAILED)      ,"finish failed"},
+{ERR_REASON(ENGINE_R_GET_HANDLE_FAILED)  ,"could not obtain hardware handle"},
+{ERR_REASON(ENGINE_R_ID_OR_NAME_MISSING) ,"'id' or 'name' missing"},
+{ERR_REASON(ENGINE_R_INIT_FAILED)        ,"init failed"},
+{ERR_REASON(ENGINE_R_INTERNAL_LIST_ERROR),"internal list error"},
+{ERR_REASON(ENGINE_R_INVALID_ARGUMENT)   ,"invalid argument"},
+{ERR_REASON(ENGINE_R_INVALID_CMD_NAME)   ,"invalid cmd name"},
+{ERR_REASON(ENGINE_R_INVALID_CMD_NUMBER) ,"invalid cmd number"},
+{ERR_REASON(ENGINE_R_INVALID_INIT_VALUE) ,"invalid init value"},
+{ERR_REASON(ENGINE_R_INVALID_STRING)     ,"invalid string"},
+{ERR_REASON(ENGINE_R_NOT_INITIALISED)    ,"not initialised"},
+{ERR_REASON(ENGINE_R_NOT_LOADED)         ,"not loaded"},
+{ERR_REASON(ENGINE_R_NO_CONTROL_FUNCTION),"no control function"},
+{ERR_REASON(ENGINE_R_NO_INDEX)           ,"no index"},
+{ERR_REASON(ENGINE_R_NO_LOAD_FUNCTION)   ,"no load function"},
+{ERR_REASON(ENGINE_R_NO_REFERENCE)       ,"no reference"},
+{ERR_REASON(ENGINE_R_NO_SUCH_ENGINE)     ,"no such engine"},
+{ERR_REASON(ENGINE_R_NO_UNLOAD_FUNCTION) ,"no unload function"},
+{ERR_REASON(ENGINE_R_PROVIDE_PARAMETERS) ,"provide parameters"},
+{ERR_REASON(ENGINE_R_RSA_NOT_IMPLEMENTED),"rsa not implemented"},
+{ERR_REASON(ENGINE_R_UNIMPLEMENTED_CIPHER),"unimplemented cipher"},
+{ERR_REASON(ENGINE_R_UNIMPLEMENTED_DIGEST),"unimplemented digest"},
+{ERR_REASON(ENGINE_R_VERSION_INCOMPATIBILITY),"version incompatibility"},
 {0,NULL}
 	};

@@ -158,8 +162,8 @@ void ERR_load_ENGINE_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
-		ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+		ERR_load_strings(0,ENGINE_str_functs);
+		ERR_load_strings(0,ENGINE_str_reasons);
 #endif

 		}
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -621,7 +621,8 @@ static void err_load_strings(int lib, ERR_STRING_DATA *str)
 	{
 	while (str->error)
 		{
-		str->error|=ERR_PACK(lib,0,0);
+		if (lib)
+			str->error|=ERR_PACK(lib,0,0);
 		ERRFN(err_set_item)(str);
 		str++;
 		}
@@ -637,7 +638,8 @@ void ERR_unload_strings(int lib, ERR_STRING_DATA *str)
 	{
 	while (str->error)
 		{
-		str->error|=ERR_PACK(lib,0,0);
+		if (lib)
+			str->error|=ERR_PACK(lib,0,0);
 		ERRFN(err_del_item)(str);
 		str++;
 		}
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -71,7 +71,7 @@ static int enc_new(BIO *h);
 static int enc_free(BIO *data);
 static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps);
 #define ENC_BLOCK_SIZE	(1024*4)
-#define BUF_OFFSET	EVP_MAX_BLOCK_LENGTH
+#define BUF_OFFSET	(EVP_MAX_BLOCK_LENGTH*2)

 typedef struct enc_struct
 	{
--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -99,5 +99,15 @@ void OpenSSL_add_all_digests(void)
 	EVP_add_digest(EVP_ripemd160());
 	EVP_add_digest_alias(SN_ripemd160,"ripemd");
 	EVP_add_digest_alias(SN_ripemd160,"rmd160");
+#endif
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
 #endif
 	}
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -86,9 +86,9 @@ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,

 #define IMPLEMENT_AES_CFBR(ksize,cbits,flags)	IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)

-IMPLEMENT_AES_CFBR(128,1,0)
-IMPLEMENT_AES_CFBR(192,1,0)
-IMPLEMENT_AES_CFBR(256,1,0)
+IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS)

 IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
 IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -84,7 +84,11 @@
 #include <openssl/md5.h>
 #endif
 #ifndef OPENSSL_NO_SHA
+#ifndef OPENSSL_FIPS
 #include <openssl/sha.h>
+#else
+#include <openssl/fips_sha.h>
+#endif
 #endif
 #ifndef OPENSSL_NO_RIPEMD
 #include <openssl/ripemd.h>
@@ -128,7 +132,7 @@
 #define EVP_CAST5_KEY_SIZE		16
 #define EVP_RC5_32_12_16_KEY_SIZE	16
 */
-#define EVP_MAX_MD_SIZE			(16+20) /* The SSLv3 md5+sha1 type */
+#define EVP_MAX_MD_SIZE			64	/* longest known SHA512 */
 #define EVP_MAX_KEY_LENGTH		32
 #define EVP_MAX_IV_LENGTH		16
 #define EVP_MAX_BLOCK_LENGTH		32
@@ -642,6 +646,16 @@ const EVP_MD *EVP_sha(void);
 const EVP_MD *EVP_sha1(void);
 const EVP_MD *EVP_dss(void);
 const EVP_MD *EVP_dss1(void);
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_SHA256
+const EVP_MD *EVP_sha224(void);
+const EVP_MD *EVP_sha256(void);
+#endif
+#ifndef OPENSSL_NO_SHA512
+const EVP_MD *EVP_sha384(void);
+const EVP_MD *EVP_sha512(void);
+#endif
+#endif
 #endif
 #ifndef OPENSSL_NO_MDC2
 const EVP_MD *EVP_mdc2(void);
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -64,88 +64,92 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EVP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EVP,0,reason)
+
 static ERR_STRING_DATA EVP_str_functs[]=
 	{
-{ERR_PACK(0,EVP_F_AES_INIT_KEY,0),	"AES_INIT_KEY"},
-{ERR_PACK(0,EVP_F_D2I_PKEY,0),	"D2I_PKEY"},
-{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0),	"EVP_add_cipher"},
-{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0),	"EVP_add_digest"},
-{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0),	"EVP_CipherInit"},
-{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0),	"EVP_CIPHER_CTX_ctrl"},
-{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0),	"EVP_CIPHER_CTX_set_key_length"},
-{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),	"EVP_DecryptFinal"},
-{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0),	"EVP_DigestInit"},
-{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0),	"EVP_EncryptFinal"},
-{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0),	"EVP_get_cipherbyname"},
-{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0),	"EVP_get_digestbyname"},
-{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),	"EVP_MD_CTX_copy"},
-{ERR_PACK(0,EVP_F_EVP_OPENINIT,0),	"EVP_OpenInit"},
-{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),	"EVP_PBE_alg_add"},
-{ERR_PACK(0,EVP_F_EVP_PBE_CIPHERINIT,0),	"EVP_PBE_CipherInit"},
-{ERR_PACK(0,EVP_F_EVP_PKCS82PKEY,0),	"EVP_PKCS82PKEY"},
-{ERR_PACK(0,EVP_F_EVP_PKCS8_SET_BROKEN,0),	"EVP_PKCS8_SET_BROKEN"},
-{ERR_PACK(0,EVP_F_EVP_PKEY2PKCS8,0),	"EVP_PKEY2PKCS8"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_COPY_PARAMETERS,0),	"EVP_PKEY_copy_parameters"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_DECRYPT,0),	"EVP_PKEY_decrypt"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_ENCRYPT,0),	"EVP_PKEY_encrypt"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DH,0),	"EVP_PKEY_get1_DH"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0),	"EVP_PKEY_get1_DSA"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0),	"EVP_PKEY_get1_RSA"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0),	"EVP_PKEY_new"},
-{ERR_PACK(0,EVP_F_EVP_RIJNDAEL,0),	"EVP_RIJNDAEL"},
-{ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0),	"EVP_SignFinal"},
-{ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0),	"EVP_VerifyFinal"},
-{ERR_PACK(0,EVP_F_PKCS5_PBE_KEYIVGEN,0),	"PKCS5_PBE_keyivgen"},
-{ERR_PACK(0,EVP_F_PKCS5_V2_PBE_KEYIVGEN,0),	"PKCS5_v2_PBE_keyivgen"},
-{ERR_PACK(0,EVP_F_RC2_MAGIC_TO_METH,0),	"RC2_MAGIC_TO_METH"},
-{ERR_PACK(0,EVP_F_RC5_CTRL,0),	"RC5_CTRL"},
+{ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
+{ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
+{ERR_FUNC(EVP_F_EVP_ADD_CIPHER),	"EVP_add_cipher"},
+{ERR_FUNC(EVP_F_EVP_ADD_DIGEST),	"EVP_add_digest"},
+{ERR_FUNC(EVP_F_EVP_CIPHERINIT),	"EVP_CipherInit"},
+{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL),	"EVP_CIPHER_CTX_ctrl"},
+{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),	"EVP_CIPHER_CTX_set_key_length"},
+{ERR_FUNC(EVP_F_EVP_DECRYPTFINAL),	"EVP_DecryptFinal"},
+{ERR_FUNC(EVP_F_EVP_DIGESTINIT),	"EVP_DigestInit"},
+{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL),	"EVP_EncryptFinal"},
+{ERR_FUNC(EVP_F_EVP_GET_CIPHERBYNAME),	"EVP_get_cipherbyname"},
+{ERR_FUNC(EVP_F_EVP_GET_DIGESTBYNAME),	"EVP_get_digestbyname"},
+{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY),	"EVP_MD_CTX_copy"},
+{ERR_FUNC(EVP_F_EVP_OPENINIT),	"EVP_OpenInit"},
+{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD),	"EVP_PBE_alg_add"},
+{ERR_FUNC(EVP_F_EVP_PBE_CIPHERINIT),	"EVP_PBE_CipherInit"},
+{ERR_FUNC(EVP_F_EVP_PKCS82PKEY),	"EVP_PKCS82PKEY"},
+{ERR_FUNC(EVP_F_EVP_PKCS8_SET_BROKEN),	"EVP_PKCS8_SET_BROKEN"},
+{ERR_FUNC(EVP_F_EVP_PKEY2PKCS8),	"EVP_PKEY2PKCS8"},
+{ERR_FUNC(EVP_F_EVP_PKEY_COPY_PARAMETERS),	"EVP_PKEY_copy_parameters"},
+{ERR_FUNC(EVP_F_EVP_PKEY_DECRYPT),	"EVP_PKEY_decrypt"},
+{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT),	"EVP_PKEY_encrypt"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DH),	"EVP_PKEY_get1_DH"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DSA),	"EVP_PKEY_get1_DSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_RSA),	"EVP_PKEY_get1_RSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_NEW),	"EVP_PKEY_new"},
+{ERR_FUNC(EVP_F_EVP_RIJNDAEL),	"EVP_RIJNDAEL"},
+{ERR_FUNC(EVP_F_EVP_SIGNFINAL),	"EVP_SignFinal"},
+{ERR_FUNC(EVP_F_EVP_VERIFYFINAL),	"EVP_VerifyFinal"},
+{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN),	"PKCS5_PBE_keyivgen"},
+{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN),	"PKCS5_v2_PBE_keyivgen"},
+{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH),	"RC2_MAGIC_TO_METH"},
+{ERR_FUNC(EVP_F_RC5_CTRL),	"RC5_CTRL"},
 {0,NULL}
 	};

 static ERR_STRING_DATA EVP_str_reasons[]=
 	{
-{EVP_R_AES_KEY_SETUP_FAILED              ,"aes key setup failed"},
-{EVP_R_BAD_BLOCK_LENGTH                  ,"bad block length"},
-{EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
-{EVP_R_BAD_KEY_LENGTH                    ,"bad key length"},
-{EVP_R_BN_DECODE_ERROR                   ,"bn decode error"},
-{EVP_R_BN_PUBKEY_ERROR                   ,"bn pubkey error"},
-{EVP_R_CIPHER_PARAMETER_ERROR            ,"cipher parameter error"},
-{EVP_R_CTRL_NOT_IMPLEMENTED              ,"ctrl not implemented"},
-{EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED    ,"ctrl operation not implemented"},
-{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
-{EVP_R_DECODE_ERROR                      ,"decode error"},
-{EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
-{EVP_R_DISABLED_FOR_FIPS                 ,"disabled for fips"},
-{EVP_R_ENCODE_ERROR                      ,"encode error"},
-{EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
-{EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
-{EVP_R_EXPECTING_A_DH_KEY                ,"expecting a dh key"},
-{EVP_R_EXPECTING_A_DSA_KEY               ,"expecting a dsa key"},
-{EVP_R_INITIALIZATION_ERROR              ,"initialization error"},
-{EVP_R_INPUT_NOT_INITIALIZED             ,"input not initialized"},
-{EVP_R_INVALID_KEY_LENGTH                ,"invalid key length"},
-{EVP_R_IV_TOO_LARGE                      ,"iv too large"},
-{EVP_R_KEYGEN_FAILURE                    ,"keygen failure"},
-{EVP_R_MISSING_PARAMETERS                ,"missing parameters"},
-{EVP_R_NO_CIPHER_SET                     ,"no cipher set"},
-{EVP_R_NO_DIGEST_SET                     ,"no digest set"},
-{EVP_R_NO_DSA_PARAMETERS                 ,"no dsa parameters"},
-{EVP_R_NO_SIGN_FUNCTION_CONFIGURED       ,"no sign function configured"},
-{EVP_R_NO_VERIFY_FUNCTION_CONFIGURED     ,"no verify function configured"},
-{EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE         ,"pkcs8 unknown broken type"},
-{EVP_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
-{EVP_R_UNKNOWN_PBE_ALGORITHM             ,"unknown pbe algorithm"},
-{EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS       ,"unsuported number of rounds"},
-{EVP_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{EVP_R_UNSUPPORTED_KEYLENGTH             ,"unsupported keylength"},
-{EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION,"unsupported key derivation function"},
-{EVP_R_UNSUPPORTED_KEY_SIZE              ,"unsupported key size"},
-{EVP_R_UNSUPPORTED_PRF                   ,"unsupported prf"},
-{EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM ,"unsupported private key algorithm"},
-{EVP_R_UNSUPPORTED_SALT_TYPE             ,"unsupported salt type"},
-{EVP_R_WRONG_FINAL_BLOCK_LENGTH          ,"wrong final block length"},
-{EVP_R_WRONG_PUBLIC_KEY_TYPE             ,"wrong public key type"},
+{ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED)  ,"aes key setup failed"},
+{ERR_REASON(EVP_R_BAD_BLOCK_LENGTH)      ,"bad block length"},
+{ERR_REASON(EVP_R_BAD_DECRYPT)           ,"bad decrypt"},
+{ERR_REASON(EVP_R_BAD_KEY_LENGTH)        ,"bad key length"},
+{ERR_REASON(EVP_R_BN_DECODE_ERROR)       ,"bn decode error"},
+{ERR_REASON(EVP_R_BN_PUBKEY_ERROR)       ,"bn pubkey error"},
+{ERR_REASON(EVP_R_CIPHER_PARAMETER_ERROR),"cipher parameter error"},
+{ERR_REASON(EVP_R_CTRL_NOT_IMPLEMENTED)  ,"ctrl not implemented"},
+{ERR_REASON(EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED),"ctrl operation not implemented"},
+{ERR_REASON(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH),"data not multiple of block length"},
+{ERR_REASON(EVP_R_DECODE_ERROR)          ,"decode error"},
+{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different key types"},
+{ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled for fips"},
+{ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
+{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
+{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
+{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting a dh key"},
+{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting a dsa key"},
+{ERR_REASON(EVP_R_INITIALIZATION_ERROR)  ,"initialization error"},
+{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
+{ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
+{ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too large"},
+{ERR_REASON(EVP_R_KEYGEN_FAILURE)        ,"keygen failure"},
+{ERR_REASON(EVP_R_MISSING_PARAMETERS)    ,"missing parameters"},
+{ERR_REASON(EVP_R_NO_CIPHER_SET)         ,"no cipher set"},
+{ERR_REASON(EVP_R_NO_DIGEST_SET)         ,"no digest set"},
+{ERR_REASON(EVP_R_NO_DSA_PARAMETERS)     ,"no dsa parameters"},
+{ERR_REASON(EVP_R_NO_SIGN_FUNCTION_CONFIGURED),"no sign function configured"},
+{ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
+{ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
+{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
+{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
+{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
+{ERR_REASON(EVP_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEYLENGTH) ,"unsupported keylength"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION),"unsupported key derivation function"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEY_SIZE)  ,"unsupported key size"},
+{ERR_REASON(EVP_R_UNSUPPORTED_PRF)       ,"unsupported prf"},
+{ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),"unsupported private key algorithm"},
+{ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) ,"unsupported salt type"},
+{ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"},
+{ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"},
 {0,NULL}
 	};

@@ -159,8 +163,8 @@ void ERR_load_EVP_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_EVP,EVP_str_functs);
-		ERR_load_strings(ERR_LIB_EVP,EVP_str_reasons);
+		ERR_load_strings(0,EVP_str_functs);
+		ERR_load_strings(0,EVP_str_reasons);
 #endif

 		}
--- a/crypto/evp/m_sha.c
+++ b/crypto/evp/m_sha.c
@@ -59,6 +59,9 @@
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
 #include <stdio.h>
 #include "cryptlib.h"
+/* Including sha.h prior evp.h masks FIPS SHA declarations, but that's
+ * exactly what we want to achieve here... */
+#include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "evp_locl.h"
 #include <openssl/objects.h>
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }

 static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+#ifndef OPENSSL_FIPS
 	{ return SHA1_Update(ctx->md_data,data,count); }
+#else
+	{
+	OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+	return SHA1_Update(ctx->md_data,data,count);
+	}
+#endif

 static int final(EVP_MD_CTX *ctx,unsigned char *md)
 	{ return SHA1_Final(md,ctx->md_data); }
@@ -93,3 +100,115 @@ const EVP_MD *EVP_sha1(void)
 	return(&sha1_md);
 	}
 #endif
+
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_SHA256
+static int init224(EVP_MD_CTX *ctx)
+	{ return SHA224_Init(ctx->md_data); }
+static int init256(EVP_MD_CTX *ctx)
+	{ return SHA256_Init(ctx->md_data); }
+/*
+ * Even though there're separate SHA224_[Update|Final], we call
+ * SHA256 functions even in SHA224 context. This is what happens
+ * there anyway, so we can spare few CPU cycles:-)
+ */
+static int update256(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+	{
+	OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+	return SHA256_Update(ctx->md_data,data,count);
+	}
+static int final256(EVP_MD_CTX *ctx,unsigned char *md)
+	{ return SHA256_Final(md,ctx->md_data); }
+
+static const EVP_MD sha224_md=
+	{
+	NID_sha224,
+	NID_sha224WithRSAEncryption,
+	SHA224_DIGEST_LENGTH,
+	EVP_MD_FLAG_FIPS,
+	init224,
+	update256,
+	final256,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA256_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+	};
+
+const EVP_MD *EVP_sha224(void)
+	{ return(&sha224_md); }
+
+static const EVP_MD sha256_md=
+	{
+	NID_sha256,
+	NID_sha256WithRSAEncryption,
+	SHA256_DIGEST_LENGTH,
+	EVP_MD_FLAG_FIPS,
+	init256,
+	update256,
+	final256,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA256_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+	};
+
+const EVP_MD *EVP_sha256(void)
+	{ return(&sha256_md); }
+#endif /* ifndef OPENSSL_NO_SHA256 */
+
+#ifndef OPENSSL_NO_SHA512
+static int init384(EVP_MD_CTX *ctx)
+	{ return SHA384_Init(ctx->md_data); }
+static int init512(EVP_MD_CTX *ctx)
+	{ return SHA512_Init(ctx->md_data); }
+/* See comment in SHA224/256 section */
+static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+	{
+	OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+	return SHA512_Update(ctx->md_data,data,count);
+	}
+static int final512(EVP_MD_CTX *ctx,unsigned char *md)
+	{ return SHA512_Final(md,ctx->md_data); }
+
+static const EVP_MD sha384_md=
+	{
+	NID_sha384,
+	NID_sha384WithRSAEncryption,
+	SHA384_DIGEST_LENGTH,
+	EVP_MD_FLAG_FIPS,
+	init384,
+	update512,
+	final512,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA512_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+	};
+
+const EVP_MD *EVP_sha384(void)
+	{ return(&sha384_md); }
+
+static const EVP_MD sha512_md=
+	{
+	NID_sha512,
+	NID_sha512WithRSAEncryption,
+	SHA512_DIGEST_LENGTH,
+	EVP_MD_FLAG_FIPS,
+	init512,
+	update512,
+	final512,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	SHA512_CBLOCK,
+	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+	};
+
+const EVP_MD *EVP_sha512(void)
+	{ return(&sha512_md); }
+#endif /* ifndef OPENSSL_NO_SHA512 */
+#endif /* ifdef OPENSSL_FIPS */
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -61,6 +61,8 @@
 #include <openssl/hmac.h>
 #include "cryptlib.h"

+#ifndef OPENSSL_FIPS
+
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 		  const EVP_MD *md, ENGINE *impl)
 	{
@@ -77,15 +79,6 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,

 	if (key != NULL)
 		{
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-		&& (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-		 || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-		 || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-		OpenSSLDie(__FILE__,__LINE__,
-			"HMAC: digest not allowed in FIPS mode");
-#endif
-		
 		reset=1;
 		j=EVP_MD_block_size(md);
 		OPENSSL_assert(j <= sizeof ctx->key);
@@ -187,3 +180,4 @@ void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
 	EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
 	}

+#endif
--- a/crypto/hmac/hmac.h
+++ b/crypto/hmac/hmac.h
@@ -64,7 +64,7 @@

 #include <openssl/evp.h>

-#define HMAC_MAX_MD_CBLOCK	64
+#define HMAC_MAX_MD_CBLOCK	128

 #ifdef  __cplusplus
 extern "C" {
--- a/crypto/idea/Makefile
+++ b/crypto/idea/Makefile
@@ -86,7 +86,7 @@ i_ecb.o: ../../include/openssl/opensslv.h i_ecb.c idea_lcl.h
 i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
 i_ofb64.o: i_ofb64.c idea_lcl.h
 i_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-i_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-i_skey.o: i_skey.c idea_lcl.h
+i_skey.o: ../../include/openssl/fips.h ../../include/openssl/idea.h
+i_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+i_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i_skey.o: ../../include/openssl/symhacks.h i_skey.c idea_lcl.h
--- a/crypto/idea/i_skey.c
+++ b/crypto/idea/i_skey.c
@@ -58,6 +58,7 @@

 #include <openssl/idea.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "idea_lcl.h"

 static IDEA_INT inverse(unsigned int xin);
--- a/crypto/md2/md2_one.c
+++ b/crypto/md2/md2_one.c
@@ -69,7 +69,8 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
 	static unsigned char m[MD2_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	MD2_Init(&c);
+	if (!MD2_Init(&c))
+		return NULL;
 #ifndef CHARSET_EBCDIC
 	MD2_Update(&c,d,n);
 #else
--- a/crypto/md4/md4_one.c
+++ b/crypto/md4/md4_one.c
@@ -71,7 +71,8 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
 	static unsigned char m[MD4_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	MD4_Init(&c);
+	if (!MD4_Init(&c))
+		return NULL;
 #ifndef CHARSET_EBCDIC
 	MD4_Update(&c,d,n);
 #else
--- a/crypto/md5/md5_one.c
+++ b/crypto/md5/md5_one.c
@@ -71,7 +71,8 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
 	static unsigned char m[MD5_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	MD5_Init(&c);
+	if (!MD5_Init(&c))
+		return NULL;
 #ifndef CHARSET_EBCDIC
 	MD5_Update(&c,d,n);
 #else
--- a/crypto/mdc2/mdc2_one.c
+++ b/crypto/mdc2/mdc2_one.c
@@ -66,7 +66,8 @@ unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md)
 	static unsigned char m[MDC2_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	MDC2_Init(&c);
+	if (!MDC2_Init(&c))
+		return NULL;
 	MDC2_Update(&c,d,n);
        MDC2_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
 * [including the GNU Public Licence.]
 */

-#define NUM_NID 668
-#define NUM_SN 660
-#define NUM_LN 660
-#define NUM_OBJ 624
+#define NUM_NID 676
+#define NUM_SN 668
+#define NUM_LN 668
+#define NUM_OBJ 632

-static unsigned char lvalues[4500]={
+static unsigned char lvalues[4572]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -692,6 +692,14 @@ static unsigned char lvalues[4500]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4475] OBJ_id_ppl_anyLanguage */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4483] OBJ_id_ppl_inheritAll */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4491] OBJ_Independent */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4499] OBJ_sha256WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4508] OBJ_sha384WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4517] OBJ_sha512WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4526] OBJ_sha224WithRSAEncryption */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4535] OBJ_sha256 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4544] OBJ_sha384 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4553] OBJ_sha512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4562] OBJ_sha224 */
 };

 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1756,6 +1764,18 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[4483]),0},
 {NULL,NULL,NID_undef,0,NULL},
 {"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4491]),0},
+{"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9,
+	&(lvalues[4499]),0},
+{"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9,
+	&(lvalues[4508]),0},
+{"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9,
+	&(lvalues[4517]),0},
+{"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9,
+	&(lvalues[4526]),0},
+{"SHA256","sha256",NID_sha256,9,&(lvalues[4535]),0},
+{"SHA384","sha384",NID_sha384,9,&(lvalues[4544]),0},
+{"SHA512","sha512",NID_sha512,9,&(lvalues[4553]),0},
+{"SHA224","sha224",NID_sha224,9,&(lvalues[4562]),0},
 };

 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1881,8 +1901,16 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[42]),/* "RSA-SHA" */
 &(nid_objs[65]),/* "RSA-SHA1" */
 &(nid_objs[115]),/* "RSA-SHA1-2" */
+&(nid_objs[671]),/* "RSA-SHA224" */
+&(nid_objs[668]),/* "RSA-SHA256" */
+&(nid_objs[669]),/* "RSA-SHA384" */
+&(nid_objs[670]),/* "RSA-SHA512" */
 &(nid_objs[41]),/* "SHA" */
 &(nid_objs[64]),/* "SHA1" */
+&(nid_objs[675]),/* "SHA224" */
+&(nid_objs[672]),/* "SHA256" */
+&(nid_objs[673]),/* "SHA384" */
+&(nid_objs[674]),/* "SHA512" */
 &(nid_objs[188]),/* "SMIME" */
 &(nid_objs[167]),/* "SMIME-CAPS" */
 &(nid_objs[100]),/* "SN" */
@@ -3059,6 +3087,14 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[64]),/* "sha1" */
 &(nid_objs[115]),/* "sha1WithRSA" */
 &(nid_objs[65]),/* "sha1WithRSAEncryption" */
+&(nid_objs[675]),/* "sha224" */
+&(nid_objs[671]),/* "sha224WithRSAEncryption" */
+&(nid_objs[672]),/* "sha256" */
+&(nid_objs[668]),/* "sha256WithRSAEncryption" */
+&(nid_objs[673]),/* "sha384" */
+&(nid_objs[669]),/* "sha384WithRSAEncryption" */
+&(nid_objs[674]),/* "sha512" */
+&(nid_objs[670]),/* "sha512WithRSAEncryption" */
 &(nid_objs[42]),/* "shaWithRSAEncryption" */
 &(nid_objs[52]),/* "signingTime" */
 &(nid_objs[454]),/* "simpleSecurityObject" */
@@ -3480,6 +3516,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
 &(nid_objs[65]),/* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
 &(nid_objs[644]),/* OBJ_rsaOAEPEncryptionSET         1 2 840 113549 1 1 6 */
+&(nid_objs[668]),/* OBJ_sha256WithRSAEncryption      1 2 840 113549 1 1 11 */
+&(nid_objs[669]),/* OBJ_sha384WithRSAEncryption      1 2 840 113549 1 1 12 */
+&(nid_objs[670]),/* OBJ_sha512WithRSAEncryption      1 2 840 113549 1 1 13 */
+&(nid_objs[671]),/* OBJ_sha224WithRSAEncryption      1 2 840 113549 1 1 14 */
 &(nid_objs[28]),/* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
 &(nid_objs[ 9]),/* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
 &(nid_objs[10]),/* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
@@ -3544,6 +3584,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[427]),/* OBJ_aes_256_cbc                  2 16 840 1 101 3 4 1 42 */
 &(nid_objs[428]),/* OBJ_aes_256_ofb128               2 16 840 1 101 3 4 1 43 */
 &(nid_objs[429]),/* OBJ_aes_256_cfb128               2 16 840 1 101 3 4 1 44 */
+&(nid_objs[672]),/* OBJ_sha256                       2 16 840 1 101 3 4 2 1 */
+&(nid_objs[673]),/* OBJ_sha384                       2 16 840 1 101 3 4 2 2 */
+&(nid_objs[674]),/* OBJ_sha512                       2 16 840 1 101 3 4 2 3 */
+&(nid_objs[675]),/* OBJ_sha224                       2 16 840 1 101 3 4 2 4 */
 &(nid_objs[71]),/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
 &(nid_objs[72]),/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
 &(nid_objs[73]),/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
--- a/crypto/objects/obj_err.c
+++ b/crypto/objects/obj_err.c
@@ -1,6 +1,6 @@
 /* crypto/objects/obj_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,22 +64,26 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OBJ,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OBJ,0,reason)
+
 static ERR_STRING_DATA OBJ_str_functs[]=
 	{
-{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0),	"OBJ_add_object"},
-{ERR_PACK(0,OBJ_F_OBJ_CREATE,0),	"OBJ_create"},
-{ERR_PACK(0,OBJ_F_OBJ_DUP,0),	"OBJ_dup"},
-{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0),	"OBJ_NAME_new_index"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0),	"OBJ_nid2ln"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0),	"OBJ_nid2obj"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0),	"OBJ_nid2sn"},
+{ERR_FUNC(OBJ_F_OBJ_ADD_OBJECT),	"OBJ_add_object"},
+{ERR_FUNC(OBJ_F_OBJ_CREATE),	"OBJ_create"},
+{ERR_FUNC(OBJ_F_OBJ_DUP),	"OBJ_dup"},
+{ERR_FUNC(OBJ_F_OBJ_NAME_NEW_INDEX),	"OBJ_NAME_new_index"},
+{ERR_FUNC(OBJ_F_OBJ_NID2LN),	"OBJ_nid2ln"},
+{ERR_FUNC(OBJ_F_OBJ_NID2OBJ),	"OBJ_nid2obj"},
+{ERR_FUNC(OBJ_F_OBJ_NID2SN),	"OBJ_nid2sn"},
 {0,NULL}
 	};

 static ERR_STRING_DATA OBJ_str_reasons[]=
 	{
-{OBJ_R_MALLOC_FAILURE                    ,"malloc failure"},
-{OBJ_R_UNKNOWN_NID                       ,"unknown nid"},
+{ERR_REASON(OBJ_R_MALLOC_FAILURE)        ,"malloc failure"},
+{ERR_REASON(OBJ_R_UNKNOWN_NID)           ,"unknown nid"},
 {0,NULL}
 	};

@@ -93,8 +97,8 @@ void ERR_load_OBJ_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_OBJ,OBJ_str_functs);
-		ERR_load_strings(ERR_LIB_OBJ,OBJ_str_reasons);
+		ERR_load_strings(0,OBJ_str_functs);
+		ERR_load_strings(0,OBJ_str_reasons);
 #endif

 		}
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -241,6 +241,26 @@
 #define NID_sha1WithRSAEncryption		65
 #define OBJ_sha1WithRSAEncryption		OBJ_pkcs1,5L

+#define SN_sha256WithRSAEncryption		"RSA-SHA256"
+#define LN_sha256WithRSAEncryption		"sha256WithRSAEncryption"
+#define NID_sha256WithRSAEncryption		668
+#define OBJ_sha256WithRSAEncryption		OBJ_pkcs1,11L
+
+#define SN_sha384WithRSAEncryption		"RSA-SHA384"
+#define LN_sha384WithRSAEncryption		"sha384WithRSAEncryption"
+#define NID_sha384WithRSAEncryption		669
+#define OBJ_sha384WithRSAEncryption		OBJ_pkcs1,12L
+
+#define SN_sha512WithRSAEncryption		"RSA-SHA512"
+#define LN_sha512WithRSAEncryption		"sha512WithRSAEncryption"
+#define NID_sha512WithRSAEncryption		670
+#define OBJ_sha512WithRSAEncryption		OBJ_pkcs1,13L
+
+#define SN_sha224WithRSAEncryption		"RSA-SHA224"
+#define LN_sha224WithRSAEncryption		"sha224WithRSAEncryption"
+#define NID_sha224WithRSAEncryption		671
+#define OBJ_sha224WithRSAEncryption		OBJ_pkcs1,14L
+
 #define SN_pkcs3		"pkcs3"
 #define NID_pkcs3		27
 #define OBJ_pkcs3		OBJ_pkcs,3L
@@ -2081,6 +2101,28 @@
 #define LN_des_ede3_cfb8		"des-ede3-cfb8"
 #define NID_des_ede3_cfb8		659

+#define OBJ_nist_hashalgs		OBJ_nistAlgorithms,2L
+
+#define SN_sha256		"SHA256"
+#define LN_sha256		"sha256"
+#define NID_sha256		672
+#define OBJ_sha256		OBJ_nist_hashalgs,1L
+
+#define SN_sha384		"SHA384"
+#define LN_sha384		"sha384"
+#define NID_sha384		673
+#define OBJ_sha384		OBJ_nist_hashalgs,2L
+
+#define SN_sha512		"SHA512"
+#define LN_sha512		"sha512"
+#define NID_sha512		674
+#define OBJ_sha512		OBJ_nist_hashalgs,3L
+
+#define SN_sha224		"SHA224"
+#define LN_sha224		"sha224"
+#define NID_sha224		675
+#define OBJ_sha224		OBJ_nist_hashalgs,4L
+
 #define SN_hold_instruction_code		"holdInstructionCode"
 #define LN_hold_instruction_code		"Hold Instruction Code"
 #define NID_hold_instruction_code		430
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -665,3 +665,11 @@ id_ppl_anyLanguage		664
 id_ppl_inheritAll		665
 id_ppl_independent		666
 Independent		667
+sha256WithRSAEncryption		668
+sha384WithRSAEncryption		669
+sha512WithRSAEncryption		670
+sha224WithRSAEncryption		671
+sha256		672
+sha384		673
+sha512		674
+sha224		675
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -63,6 +63,11 @@ pkcs1 2			: RSA-MD2		: md2WithRSAEncryption
 pkcs1 3			: RSA-MD4		: md4WithRSAEncryption
 pkcs1 4			: RSA-MD5		: md5WithRSAEncryption
 pkcs1 5			: RSA-SHA1		: sha1WithRSAEncryption
+# According to PKCS #1 version 2.1
+pkcs1 11		: RSA-SHA256		: sha256WithRSAEncryption
+pkcs1 12		: RSA-SHA384		: sha384WithRSAEncryption
+pkcs1 13		: RSA-SHA512		: sha512WithRSAEncryption
+pkcs1 14		: RSA-SHA224		: sha224WithRSAEncryption

 pkcs 3			: pkcs3
 pkcs3 1			:			: dhKeyAgreement
@@ -703,6 +708,13 @@ aes 44			: AES-256-CFB		: aes-256-cfb
 			: DES-EDE3-CFB1		: des-ede3-cfb1
 			: DES-EDE3-CFB8		: des-ede3-cfb8

+# OIDs for SHA224, SHA256, SHA385 and SHA512, according to x9.84.
+!Alias nist_hashalgs nistAlgorithms 2
+nist_hashalgs 1		: SHA256		: sha256
+nist_hashalgs 2		: SHA384		: sha384
+nist_hashalgs 3		: SHA512		: sha512
+nist_hashalgs 4		: SHA224		: sha224
+
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23		: holdInstructionCode	: Hold Instruction Code
--- a/crypto/ocsp/ocsp_err.c
+++ b/crypto/ocsp/ocsp_err.c
@@ -1,6 +1,6 @@
 /* crypto/ocsp/ocsp_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,60 +64,64 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
+
 static ERR_STRING_DATA OCSP_str_functs[]=
 	{
-{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0),	"ASN1_STRING_encode"},
-{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),	"CERT_ID_NEW"},
-{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),	"D2I_OCSP_NONCE"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),	"OCSP_basic_add1_status"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),	"OCSP_basic_sign"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),	"OCSP_basic_verify"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),	"OCSP_CHECK_DELEGATED"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),	"OCSP_CHECK_IDS"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),	"OCSP_CHECK_ISSUER"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0),	"OCSP_check_validity"},
-{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),	"OCSP_MATCH_ISSUERID"},
-{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0),	"OCSP_parse_url"},
-{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),	"OCSP_request_sign"},
-{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0),	"OCSP_request_verify"},
-{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0),	"OCSP_response_get1_basic"},
-{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0),	"OCSP_sendreq_bio"},
-{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),	"REQUEST_VERIFY"},
+{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE),	"ASN1_STRING_encode"},
+{ERR_FUNC(OCSP_F_CERT_ID_NEW),	"CERT_ID_NEW"},
+{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE),	"D2I_OCSP_NONCE"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS),	"OCSP_basic_add1_status"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN),	"OCSP_basic_sign"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY),	"OCSP_basic_verify"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED),	"OCSP_CHECK_DELEGATED"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS),	"OCSP_CHECK_IDS"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER),	"OCSP_CHECK_ISSUER"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY),	"OCSP_check_validity"},
+{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID),	"OCSP_MATCH_ISSUERID"},
+{ERR_FUNC(OCSP_F_OCSP_PARSE_URL),	"OCSP_parse_url"},
+{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN),	"OCSP_request_sign"},
+{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY),	"OCSP_request_verify"},
+{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC),	"OCSP_response_get1_basic"},
+{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO),	"OCSP_sendreq_bio"},
+{ERR_FUNC(OCSP_F_REQUEST_VERIFY),	"REQUEST_VERIFY"},
 {0,NULL}
 	};

 static ERR_STRING_DATA OCSP_str_reasons[]=
 	{
-{OCSP_R_BAD_DATA                         ,"bad data"},
-{OCSP_R_CERTIFICATE_VERIFY_ERROR         ,"certificate verify error"},
-{OCSP_R_DIGEST_ERR                       ,"digest err"},
-{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD        ,"error in nextupdate field"},
-{OCSP_R_ERROR_IN_THISUPDATE_FIELD        ,"error in thisupdate field"},
-{OCSP_R_ERROR_PARSING_URL                ,"error parsing url"},
-{OCSP_R_MISSING_OCSPSIGNING_USAGE        ,"missing ocspsigning usage"},
-{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE     ,"nextupdate before thisupdate"},
-{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
-{OCSP_R_NO_CERTIFICATES_IN_CHAIN         ,"no certificates in chain"},
-{OCSP_R_NO_CONTENT                       ,"no content"},
-{OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
-{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
-{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
-{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
-{OCSP_R_REQUEST_NOT_SIGNED               ,"request not signed"},
-{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
-{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
-{OCSP_R_SERVER_READ_ERROR                ,"server read error"},
-{OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
-{OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
-{OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
-{OCSP_R_SIGNATURE_FAILURE                ,"signature failure"},
-{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND     ,"signer certificate not found"},
-{OCSP_R_STATUS_EXPIRED                   ,"status expired"},
-{OCSP_R_STATUS_NOT_YET_VALID             ,"status not yet valid"},
-{OCSP_R_STATUS_TOO_OLD                   ,"status too old"},
-{OCSP_R_UNKNOWN_MESSAGE_DIGEST           ,"unknown message digest"},
-{OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
-{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE   ,"unsupported requestorname type"},
+{ERR_REASON(OCSP_R_BAD_DATA)             ,"bad data"},
+{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
+{ERR_REASON(OCSP_R_DIGEST_ERR)           ,"digest err"},
+{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),"error in nextupdate field"},
+{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD),"error in thisupdate field"},
+{ERR_REASON(OCSP_R_ERROR_PARSING_URL)    ,"error parsing url"},
+{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE),"missing ocspsigning usage"},
+{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),"nextupdate before thisupdate"},
+{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE)   ,"not basic response"},
+{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN),"no certificates in chain"},
+{ERR_REASON(OCSP_R_NO_CONTENT)           ,"no content"},
+{ERR_REASON(OCSP_R_NO_PUBLIC_KEY)        ,"no public key"},
+{ERR_REASON(OCSP_R_NO_RESPONSE_DATA)     ,"no response data"},
+{ERR_REASON(OCSP_R_NO_REVOKED_TIME)      ,"no revoked time"},
+{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
+{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED)   ,"request not signed"},
+{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),"response contains no revocation data"},
+{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED)  ,"root ca not trusted"},
+{ERR_REASON(OCSP_R_SERVER_READ_ERROR)    ,"server read error"},
+{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR),"server response error"},
+{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),"server response parse error"},
+{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR)   ,"server write error"},
+{ERR_REASON(OCSP_R_SIGNATURE_FAILURE)    ,"signature failure"},
+{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
+{ERR_REASON(OCSP_R_STATUS_EXPIRED)       ,"status expired"},
+{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) ,"status not yet valid"},
+{ERR_REASON(OCSP_R_STATUS_TOO_OLD)       ,"status too old"},
+{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST),"unknown message digest"},
+{ERR_REASON(OCSP_R_UNKNOWN_NID)          ,"unknown nid"},
+{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE),"unsupported requestorname type"},
 {0,NULL}
 	};

@@ -131,8 +135,8 @@ void ERR_load_OCSP_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
-		ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
+		ERR_load_strings(0,OCSP_str_functs);
+		ERR_load_strings(0,OCSP_str_reasons);
 #endif

 		}
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER	0x0090707fL
+#define OPENSSL_VERSION_NUMBER	0x00907080L
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7g-fips 11 Apr 2005"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7h-fips-dev XX xxx XXXX"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7g 11 Apr 2005"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7h-dev XX xxx XXXX"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT

--- a/crypto/pem/pem_err.c
+++ b/crypto/pem/pem_err.c
@@ -1,6 +1,6 @@
 /* crypto/pem/pem_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,52 +64,56 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PEM,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PEM,0,reason)
+
 static ERR_STRING_DATA PEM_str_functs[]=
 	{
-{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0),	"d2i_PKCS8PrivateKey_bio"},
-{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_FP,0),	"d2i_PKCS8PrivateKey_fp"},
-{ERR_PACK(0,PEM_F_DEF_CALLBACK,0),	"DEF_CALLBACK"},
-{ERR_PACK(0,PEM_F_LOAD_IV,0),	"LOAD_IV"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_READ,0),	"PEM_ASN1_read"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_READ_BIO,0),	"PEM_ASN1_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE,0),	"PEM_ASN1_write"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE_BIO,0),	"PEM_ASN1_write_bio"},
-{ERR_PACK(0,PEM_F_PEM_DO_HEADER,0),	"PEM_do_header"},
-{ERR_PACK(0,PEM_F_PEM_F_DO_PK8KEY_FP,0),	"PEM_F_DO_PK8KEY_FP"},
-{ERR_PACK(0,PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,0),	"PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
-{ERR_PACK(0,PEM_F_PEM_GET_EVP_CIPHER_INFO,0),	"PEM_get_EVP_CIPHER_INFO"},
-{ERR_PACK(0,PEM_F_PEM_READ,0),	"PEM_read"},
-{ERR_PACK(0,PEM_F_PEM_READ_BIO,0),	"PEM_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_SEALFINAL,0),	"PEM_SealFinal"},
-{ERR_PACK(0,PEM_F_PEM_SEALINIT,0),	"PEM_SealInit"},
-{ERR_PACK(0,PEM_F_PEM_SIGNFINAL,0),	"PEM_SignFinal"},
-{ERR_PACK(0,PEM_F_PEM_WRITE,0),	"PEM_write"},
-{ERR_PACK(0,PEM_F_PEM_WRITE_BIO,0),	"PEM_write_bio"},
-{ERR_PACK(0,PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,0),	"PEM_write_bio_PKCS8PrivateKey"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ,0),	"PEM_X509_INFO_read"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ_BIO,0),	"PEM_X509_INFO_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_WRITE_BIO,0),	"PEM_X509_INFO_write_bio"},
+{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_BIO),	"d2i_PKCS8PrivateKey_bio"},
+{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_FP),	"d2i_PKCS8PrivateKey_fp"},
+{ERR_FUNC(PEM_F_DEF_CALLBACK),	"DEF_CALLBACK"},
+{ERR_FUNC(PEM_F_LOAD_IV),	"LOAD_IV"},
+{ERR_FUNC(PEM_F_PEM_ASN1_READ),	"PEM_ASN1_read"},
+{ERR_FUNC(PEM_F_PEM_ASN1_READ_BIO),	"PEM_ASN1_read_bio"},
+{ERR_FUNC(PEM_F_PEM_ASN1_WRITE),	"PEM_ASN1_write"},
+{ERR_FUNC(PEM_F_PEM_ASN1_WRITE_BIO),	"PEM_ASN1_write_bio"},
+{ERR_FUNC(PEM_F_PEM_DO_HEADER),	"PEM_do_header"},
+{ERR_FUNC(PEM_F_PEM_F_DO_PK8KEY_FP),	"PEM_F_DO_PK8KEY_FP"},
+{ERR_FUNC(PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY),	"PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
+{ERR_FUNC(PEM_F_PEM_GET_EVP_CIPHER_INFO),	"PEM_get_EVP_CIPHER_INFO"},
+{ERR_FUNC(PEM_F_PEM_READ),	"PEM_read"},
+{ERR_FUNC(PEM_F_PEM_READ_BIO),	"PEM_read_bio"},
+{ERR_FUNC(PEM_F_PEM_SEALFINAL),	"PEM_SealFinal"},
+{ERR_FUNC(PEM_F_PEM_SEALINIT),	"PEM_SealInit"},
+{ERR_FUNC(PEM_F_PEM_SIGNFINAL),	"PEM_SignFinal"},
+{ERR_FUNC(PEM_F_PEM_WRITE),	"PEM_write"},
+{ERR_FUNC(PEM_F_PEM_WRITE_BIO),	"PEM_write_bio"},
+{ERR_FUNC(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY),	"PEM_write_bio_PKCS8PrivateKey"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_READ),	"PEM_X509_INFO_read"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_READ_BIO),	"PEM_X509_INFO_read_bio"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_WRITE_BIO),	"PEM_X509_INFO_write_bio"},
 {0,NULL}
 	};

 static ERR_STRING_DATA PEM_str_reasons[]=
 	{
-{PEM_R_BAD_BASE64_DECODE                 ,"bad base64 decode"},
-{PEM_R_BAD_DECRYPT                       ,"bad decrypt"},
-{PEM_R_BAD_END_LINE                      ,"bad end line"},
-{PEM_R_BAD_IV_CHARS                      ,"bad iv chars"},
-{PEM_R_BAD_PASSWORD_READ                 ,"bad password read"},
-{PEM_R_ERROR_CONVERTING_PRIVATE_KEY      ,"error converting private key"},
-{PEM_R_NOT_DEK_INFO                      ,"not dek info"},
-{PEM_R_NOT_ENCRYPTED                     ,"not encrypted"},
-{PEM_R_NOT_PROC_TYPE                     ,"not proc type"},
-{PEM_R_NO_START_LINE                     ,"no start line"},
-{PEM_R_PROBLEMS_GETTING_PASSWORD         ,"problems getting password"},
-{PEM_R_PUBLIC_KEY_NO_RSA                 ,"public key no rsa"},
-{PEM_R_READ_KEY                          ,"read key"},
-{PEM_R_SHORT_HEADER                      ,"short header"},
-{PEM_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{PEM_R_UNSUPPORTED_ENCRYPTION            ,"unsupported encryption"},
+{ERR_REASON(PEM_R_BAD_BASE64_DECODE)     ,"bad base64 decode"},
+{ERR_REASON(PEM_R_BAD_DECRYPT)           ,"bad decrypt"},
+{ERR_REASON(PEM_R_BAD_END_LINE)          ,"bad end line"},
+{ERR_REASON(PEM_R_BAD_IV_CHARS)          ,"bad iv chars"},
+{ERR_REASON(PEM_R_BAD_PASSWORD_READ)     ,"bad password read"},
+{ERR_REASON(PEM_R_ERROR_CONVERTING_PRIVATE_KEY),"error converting private key"},
+{ERR_REASON(PEM_R_NOT_DEK_INFO)          ,"not dek info"},
+{ERR_REASON(PEM_R_NOT_ENCRYPTED)         ,"not encrypted"},
+{ERR_REASON(PEM_R_NOT_PROC_TYPE)         ,"not proc type"},
+{ERR_REASON(PEM_R_NO_START_LINE)         ,"no start line"},
+{ERR_REASON(PEM_R_PROBLEMS_GETTING_PASSWORD),"problems getting password"},
+{ERR_REASON(PEM_R_PUBLIC_KEY_NO_RSA)     ,"public key no rsa"},
+{ERR_REASON(PEM_R_READ_KEY)              ,"read key"},
+{ERR_REASON(PEM_R_SHORT_HEADER)          ,"short header"},
+{ERR_REASON(PEM_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(PEM_R_UNSUPPORTED_ENCRYPTION),"unsupported encryption"},
 {0,NULL}
 	};

@@ -123,8 +127,8 @@ void ERR_load_PEM_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_PEM,PEM_str_functs);
-		ERR_load_strings(ERR_LIB_PEM,PEM_str_reasons);
+		ERR_load_strings(0,PEM_str_functs);
+		ERR_load_strings(0,PEM_str_reasons);
 #endif

 		}
--- a/crypto/pkcs12/pk12err.c
+++ b/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs12/pk12err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,60 +64,64 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
+
 static ERR_STRING_DATA PKCS12_str_functs[]=
 	{
-{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),	"PARSE_BAGS"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0),	"PKCS12_ADD_FRIENDLYNAME"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0),	"PKCS12_add_friendlyname_asc"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0),	"PKCS12_add_friendlyname_uni"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0),	"PKCS12_add_localkeyid"},
-{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0),	"PKCS12_create"},
-{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0),	"PKCS12_decrypt_d2i"},
-{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0),	"PKCS12_gen_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0),	"PKCS12_i2d_encrypt"},
-{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0),	"PKCS12_init"},
-{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0),	"PKCS12_key_gen_asc"},
-{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),	"PKCS12_key_gen_uni"},
-{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),	"PKCS12_MAKE_KEYBAG"},
-{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),	"PKCS12_MAKE_SHKEYBAG"},
-{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0),	"PKCS12_newpass"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),	"PKCS12_pack_p7data"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),	"PKCS12_pack_p7encdata"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),	"PKCS12_pack_safebag"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0),	"PKCS12_parse"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0),	"PKCS12_pbe_crypt"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0),	"PKCS12_PBE_keyivgen"},
-{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0),	"PKCS12_setup_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0),	"PKCS12_set_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0),	"PKCS8_add_keyusage"},
-{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0),	"PKCS8_encrypt"},
-{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0),	"VERIFY_MAC"},
+{ERR_FUNC(PKCS12_F_PARSE_BAGS),	"PARSE_BAGS"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME),	"PKCS12_ADD_FRIENDLYNAME"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC),	"PKCS12_add_friendlyname_asc"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI),	"PKCS12_add_friendlyname_uni"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID),	"PKCS12_add_localkeyid"},
+{ERR_FUNC(PKCS12_F_PKCS12_CREATE),	"PKCS12_create"},
+{ERR_FUNC(PKCS12_F_PKCS12_DECRYPT_D2I),	"PKCS12_DECRYPT_D2I"},
+{ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC),	"PKCS12_gen_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_I2D_ENCRYPT),	"PKCS12_I2D_ENCRYPT"},
+{ERR_FUNC(PKCS12_F_PKCS12_INIT),	"PKCS12_init"},
+{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC),	"PKCS12_key_gen_asc"},
+{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI),	"PKCS12_key_gen_uni"},
+{ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG),	"PKCS12_MAKE_KEYBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG),	"PKCS12_MAKE_SHKEYBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_NEWPASS),	"PKCS12_newpass"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA),	"PKCS12_pack_p7data"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA),	"PKCS12_pack_p7encdata"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_SAFEBAG),	"PKCS12_PACK_SAFEBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_PARSE),	"PKCS12_parse"},
+{ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT),	"PKCS12_pbe_crypt"},
+{ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN),	"PKCS12_PBE_keyivgen"},
+{ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC),	"PKCS12_setup_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_SET_MAC),	"PKCS12_set_mac"},
+{ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE),	"PKCS8_add_keyusage"},
+{ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT),	"PKCS8_encrypt"},
+{ERR_FUNC(PKCS12_F_VERIFY_MAC),	"VERIFY_MAC"},
 {0,NULL}
 	};

 static ERR_STRING_DATA PKCS12_str_reasons[]=
 	{
-{PKCS12_R_CANT_PACK_STRUCTURE            ,"cant pack structure"},
-{PKCS12_R_DECODE_ERROR                   ,"decode error"},
-{PKCS12_R_ENCODE_ERROR                   ,"encode error"},
-{PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
-{PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE,"error setting encrypted data type"},
-{PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
-{PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
-{PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
-{PKCS12_R_KEY_GEN_ERROR                  ,"key gen error"},
-{PKCS12_R_MAC_ABSENT                     ,"mac absent"},
-{PKCS12_R_MAC_GENERATION_ERROR           ,"mac generation error"},
-{PKCS12_R_MAC_SETUP_ERROR                ,"mac setup error"},
-{PKCS12_R_MAC_STRING_SET_ERROR           ,"mac string set error"},
-{PKCS12_R_MAC_VERIFY_ERROR               ,"mac verify error"},
-{PKCS12_R_MAC_VERIFY_FAILURE             ,"mac verify failure"},
-{PKCS12_R_PARSE_ERROR                    ,"parse error"},
-{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR  ,"pkcs12 algor cipherinit error"},
-{PKCS12_R_PKCS12_CIPHERFINAL_ERROR       ,"pkcs12 cipherfinal error"},
-{PKCS12_R_PKCS12_PBE_CRYPT_ERROR         ,"pkcs12 pbe crypt error"},
-{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM       ,"unknown digest algorithm"},
-{PKCS12_R_UNSUPPORTED_PKCS12_MODE        ,"unsupported pkcs12 mode"},
+{ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"},
+{ERR_REASON(PKCS12_R_DECODE_ERROR)       ,"decode error"},
+{ERR_REASON(PKCS12_R_ENCODE_ERROR)       ,"encode error"},
+{ERR_REASON(PKCS12_R_ENCRYPT_ERROR)      ,"encrypt error"},
+{ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),"error setting encrypted data type"},
+{ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
+{ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER),"invalid null pkcs12 pointer"},
+{ERR_REASON(PKCS12_R_IV_GEN_ERROR)       ,"iv gen error"},
+{ERR_REASON(PKCS12_R_KEY_GEN_ERROR)      ,"key gen error"},
+{ERR_REASON(PKCS12_R_MAC_ABSENT)         ,"mac absent"},
+{ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR),"mac generation error"},
+{ERR_REASON(PKCS12_R_MAC_SETUP_ERROR)    ,"mac setup error"},
+{ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR),"mac string set error"},
+{ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR)   ,"mac verify error"},
+{ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) ,"mac verify failure"},
+{ERR_REASON(PKCS12_R_PARSE_ERROR)        ,"parse error"},
+{ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),"pkcs12 algor cipherinit error"},
+{ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR),"pkcs12 cipherfinal error"},
+{ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR),"pkcs12 pbe crypt error"},
+{ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),"unknown digest algorithm"},
+{ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE),"unsupported pkcs12 mode"},
 {0,NULL}
 	};

@@ -131,8 +135,8 @@ void ERR_load_PKCS12_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
-		ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
+		ERR_load_strings(0,PKCS12_str_functs);
+		ERR_load_strings(0,PKCS12_str_reasons);
 #endif

 		}
--- a/crypto/pkcs7/pk7_mime.c
+++ b/crypto/pkcs7/pk7_mime.c
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -152,11 +152,12 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 {
 	char bound[33], c;
 	int i;
-	char *mime_prefix, *mime_eol;
+	char *mime_prefix, *mime_eol, *msg_type=NULL;
 	if (flags & PKCS7_NOOLDMIMETYPE)
 		mime_prefix = "application/pkcs7-";
 	else
 		mime_prefix = "application/x-pkcs7-";
+
 	if (flags & PKCS7_CRLFEOL)
 		mime_eol = "\r\n";
 	else
@@ -198,11 +199,30 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 						mime_eol, mime_eol);
 		return 1;
 	}
+
+	/* Determine smime-type header */
+
+	if (PKCS7_type_is_enveloped(p7))
+		msg_type = "enveloped-data";
+	else if (PKCS7_type_is_signed(p7))
+		{
+		/* If we have any signers it is signed-data othewise 
+		 * certs-only.
+		 */
+		STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+		sinfos = PKCS7_get_signer_info(p7);
+		if (sk_PKCS7_SIGNER_INFO_num(sinfos) > 0)
+			msg_type = "signed-data";
+		else
+			msg_type = "certs-only";
+		}
 	/* MIME headers */
 	BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
 	BIO_printf(bio, "Content-Disposition: attachment;");
 	BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
 	BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
+	if (msg_type)
+		BIO_printf(bio, " smime-type=%s;", msg_type);
 	BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
 	BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
 						mime_eol, mime_eol);
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -296,11 +296,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 	
 	if (tmpin == indata)
 		{
-		if(indata) BIO_pop(p7bio);
-		BIO_free_all(p7bio);
+		if (indata) BIO_pop(p7bio);
 		}
-	else
-		BIO_free_all(tmpin);
+	BIO_free_all(p7bio);

 	sk_X509_free(signers);

--- a/crypto/pkcs7/pkcs7err.c
+++ b/crypto/pkcs7/pkcs7err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs7/pkcs7err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,81 +64,85 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS7,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason)
+
 static ERR_STRING_DATA PKCS7_str_functs[]=
 	{
-{ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0),	"B64_READ_PKCS7"},
-{ERR_PACK(0,PKCS7_F_B64_WRITE_PKCS7,0),	"B64_WRITE_PKCS7"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,0),	"PKCS7_add_attrib_smimecap"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CERTIFICATE,0),	"PKCS7_add_certificate"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CRL,0),	"PKCS7_add_crl"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0),	"PKCS7_add_recipient_info"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_SIGNER,0),	"PKCS7_add_signer"},
-{ERR_PACK(0,PKCS7_F_PKCS7_CTRL,0),	"PKCS7_ctrl"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATADECODE,0),	"PKCS7_dataDecode"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0),	"PKCS7_dataInit"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),	"PKCS7_DATASIGN"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0),	"PKCS7_dataVerify"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DECRYPT,0),	"PKCS7_decrypt"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ENCRYPT,0),	"PKCS7_encrypt"},
-{ERR_PACK(0,PKCS7_F_PKCS7_GET0_SIGNERS,0),	"PKCS7_get0_signers"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0),	"PKCS7_set_cipher"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0),	"PKCS7_set_content"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0),	"PKCS7_set_type"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIGN,0),	"PKCS7_sign"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0),	"PKCS7_signatureVerify"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIMPLE_SMIMECAP,0),	"PKCS7_simple_smimecap"},
-{ERR_PACK(0,PKCS7_F_PKCS7_VERIFY,0),	"PKCS7_verify"},
-{ERR_PACK(0,PKCS7_F_SMIME_READ_PKCS7,0),	"SMIME_read_PKCS7"},
-{ERR_PACK(0,PKCS7_F_SMIME_TEXT,0),	"SMIME_text"},
+{ERR_FUNC(PKCS7_F_B64_READ_PKCS7),	"B64_READ_PKCS7"},
+{ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7),	"B64_WRITE_PKCS7"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP),	"PKCS7_add_attrib_smimecap"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_CERTIFICATE),	"PKCS7_add_certificate"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_CRL),	"PKCS7_add_crl"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO),	"PKCS7_add_recipient_info"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER),	"PKCS7_add_signer"},
+{ERR_FUNC(PKCS7_F_PKCS7_CTRL),	"PKCS7_ctrl"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATADECODE),	"PKCS7_dataDecode"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAINIT),	"PKCS7_dataInit"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATASIGN),	"PKCS7_DATASIGN"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY),	"PKCS7_dataVerify"},
+{ERR_FUNC(PKCS7_F_PKCS7_DECRYPT),	"PKCS7_decrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT),	"PKCS7_encrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS),	"PKCS7_get0_signers"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER),	"PKCS7_set_cipher"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_CONTENT),	"PKCS7_set_content"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_TYPE),	"PKCS7_set_type"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIGN),	"PKCS7_sign"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIGNATUREVERIFY),	"PKCS7_signatureVerify"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP),	"PKCS7_simple_smimecap"},
+{ERR_FUNC(PKCS7_F_PKCS7_VERIFY),	"PKCS7_verify"},
+{ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7),	"SMIME_read_PKCS7"},
+{ERR_FUNC(PKCS7_F_SMIME_TEXT),	"SMIME_text"},
 {0,NULL}
 	};

 static ERR_STRING_DATA PKCS7_str_reasons[]=
 	{
-{PKCS7_R_CERTIFICATE_VERIFY_ERROR        ,"certificate verify error"},
-{PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"},
-{PKCS7_R_CIPHER_NOT_INITIALIZED          ,"cipher not initialized"},
-{PKCS7_R_CONTENT_AND_DATA_PRESENT        ,"content and data present"},
-{PKCS7_R_DECODE_ERROR                    ,"decode error"},
-{PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH   ,"decrypted key is wrong length"},
-{PKCS7_R_DECRYPT_ERROR                   ,"decrypt error"},
-{PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
-{PKCS7_R_ERROR_ADDING_RECIPIENT          ,"error adding recipient"},
-{PKCS7_R_ERROR_SETTING_CIPHER            ,"error setting cipher"},
-{PKCS7_R_INVALID_MIME_TYPE               ,"invalid mime type"},
-{PKCS7_R_INVALID_NULL_POINTER            ,"invalid null pointer"},
-{PKCS7_R_MIME_NO_CONTENT_TYPE            ,"mime no content type"},
-{PKCS7_R_MIME_PARSE_ERROR                ,"mime parse error"},
-{PKCS7_R_MIME_SIG_PARSE_ERROR            ,"mime sig parse error"},
-{PKCS7_R_MISSING_CERIPEND_INFO           ,"missing ceripend info"},
-{PKCS7_R_NO_CONTENT                      ,"no content"},
-{PKCS7_R_NO_CONTENT_TYPE                 ,"no content type"},
-{PKCS7_R_NO_MULTIPART_BODY_FAILURE       ,"no multipart body failure"},
-{PKCS7_R_NO_MULTIPART_BOUNDARY           ,"no multipart boundary"},
-{PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"},
-{PKCS7_R_NO_SIGNATURES_ON_DATA           ,"no signatures on data"},
-{PKCS7_R_NO_SIGNERS                      ,"no signers"},
-{PKCS7_R_NO_SIG_CONTENT_TYPE             ,"no sig content type"},
-{PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"},
-{PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR       ,"pkcs7 add signature error"},
-{PKCS7_R_PKCS7_DATAFINAL_ERROR           ,"pkcs7 datafinal error"},
-{PKCS7_R_PKCS7_DATASIGN                  ,"pkcs7 datasign"},
-{PKCS7_R_PKCS7_PARSE_ERROR               ,"pkcs7 parse error"},
-{PKCS7_R_PKCS7_SIG_PARSE_ERROR           ,"pkcs7 sig parse error"},
-{PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
-{PKCS7_R_SIGNATURE_FAILURE               ,"signature failure"},
-{PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND    ,"signer certificate not found"},
-{PKCS7_R_SIG_INVALID_MIME_TYPE           ,"sig invalid mime type"},
-{PKCS7_R_SMIME_TEXT_ERROR                ,"smime text error"},
-{PKCS7_R_UNABLE_TO_FIND_CERTIFICATE      ,"unable to find certificate"},
-{PKCS7_R_UNABLE_TO_FIND_MEM_BIO          ,"unable to find mem bio"},
-{PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST   ,"unable to find message digest"},
-{PKCS7_R_UNKNOWN_DIGEST_TYPE             ,"unknown digest type"},
-{PKCS7_R_UNKNOWN_OPERATION               ,"unknown operation"},
-{PKCS7_R_UNSUPPORTED_CIPHER_TYPE         ,"unsupported cipher type"},
-{PKCS7_R_UNSUPPORTED_CONTENT_TYPE        ,"unsupported content type"},
-{PKCS7_R_WRONG_CONTENT_TYPE              ,"wrong content type"},
-{PKCS7_R_WRONG_PKCS7_TYPE                ,"wrong pkcs7 type"},
+{ERR_REASON(PKCS7_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
+{ERR_REASON(PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
+{ERR_REASON(PKCS7_R_CIPHER_NOT_INITIALIZED),"cipher not initialized"},
+{ERR_REASON(PKCS7_R_CONTENT_AND_DATA_PRESENT),"content and data present"},
+{ERR_REASON(PKCS7_R_DECODE_ERROR)        ,"decode error"},
+{ERR_REASON(PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH),"decrypted key is wrong length"},
+{ERR_REASON(PKCS7_R_DECRYPT_ERROR)       ,"decrypt error"},
+{ERR_REASON(PKCS7_R_DIGEST_FAILURE)      ,"digest failure"},
+{ERR_REASON(PKCS7_R_ERROR_ADDING_RECIPIENT),"error adding recipient"},
+{ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
+{ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
+{ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
+{ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
+{ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
+{ERR_REASON(PKCS7_R_MISSING_CERIPEND_INFO),"missing ceripend info"},
+{ERR_REASON(PKCS7_R_NO_CONTENT)          ,"no content"},
+{ERR_REASON(PKCS7_R_NO_CONTENT_TYPE)     ,"no content type"},
+{ERR_REASON(PKCS7_R_NO_MULTIPART_BODY_FAILURE),"no multipart body failure"},
+{ERR_REASON(PKCS7_R_NO_MULTIPART_BOUNDARY),"no multipart boundary"},
+{ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE),"no recipient matches certificate"},
+{ERR_REASON(PKCS7_R_NO_SIGNATURES_ON_DATA),"no signatures on data"},
+{ERR_REASON(PKCS7_R_NO_SIGNERS)          ,"no signers"},
+{ERR_REASON(PKCS7_R_NO_SIG_CONTENT_TYPE) ,"no sig content type"},
+{ERR_REASON(PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE),"operation not supported on this type"},
+{ERR_REASON(PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"},
+{ERR_REASON(PKCS7_R_PKCS7_DATAFINAL_ERROR),"pkcs7 datafinal error"},
+{ERR_REASON(PKCS7_R_PKCS7_DATASIGN)      ,"pkcs7 datasign"},
+{ERR_REASON(PKCS7_R_PKCS7_PARSE_ERROR)   ,"pkcs7 parse error"},
+{ERR_REASON(PKCS7_R_PKCS7_SIG_PARSE_ERROR),"pkcs7 sig parse error"},
+{ERR_REASON(PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
+{ERR_REASON(PKCS7_R_SIGNATURE_FAILURE)   ,"signature failure"},
+{ERR_REASON(PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
+{ERR_REASON(PKCS7_R_SIG_INVALID_MIME_TYPE),"sig invalid mime type"},
+{ERR_REASON(PKCS7_R_SMIME_TEXT_ERROR)    ,"smime text error"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE),"unable to find certificate"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MEM_BIO),"unable to find mem bio"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST),"unable to find message digest"},
+{ERR_REASON(PKCS7_R_UNKNOWN_DIGEST_TYPE) ,"unknown digest type"},
+{ERR_REASON(PKCS7_R_UNKNOWN_OPERATION)   ,"unknown operation"},
+{ERR_REASON(PKCS7_R_UNSUPPORTED_CIPHER_TYPE),"unsupported cipher type"},
+{ERR_REASON(PKCS7_R_UNSUPPORTED_CONTENT_TYPE),"unsupported content type"},
+{ERR_REASON(PKCS7_R_WRONG_CONTENT_TYPE)  ,"wrong content type"},
+{ERR_REASON(PKCS7_R_WRONG_PKCS7_TYPE)    ,"wrong pkcs7 type"},
 {0,NULL}
 	};

@@ -152,8 +156,8 @@ void ERR_load_PKCS7_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs);
-		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_reasons);
+		ERR_load_strings(0,PKCS7_str_functs);
+		ERR_load_strings(0,PKCS7_str_reasons);
 #endif

 		}
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,22 +64,26 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RAND,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RAND,0,reason)
+
 static ERR_STRING_DATA RAND_str_functs[]=
 	{
-{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0),	"FIPS_RAND_BYTES"},
-{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0),	"RAND_get_rand_method"},
-{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),	"SSLEAY_RAND_BYTES"},
+{ERR_FUNC(RAND_F_FIPS_RAND_BYTES),	"FIPS_RAND_BYTES"},
+{ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
+{ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
 {0,NULL}
 	};

 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
-{RAND_R_NON_FIPS_METHOD                  ,"non fips method"},
-{RAND_R_PRNG_ASKING_FOR_TOO_MUCH         ,"prng asking for too much"},
-{RAND_R_PRNG_NOT_REKEYED                 ,"prng not rekeyed"},
-{RAND_R_PRNG_NOT_RESEEDED                ,"prng not reseeded"},
-{RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
-{RAND_R_PRNG_STUCK                       ,"prng stuck"},
+{ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
+{ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
+{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
+{ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
+{ERR_REASON(RAND_R_PRNG_STUCK)           ,"prng stuck"},
 {0,NULL}
 	};

@@ -93,8 +97,8 @@ void ERR_load_RAND_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
-		ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
+		ERR_load_strings(0,RAND_str_functs);
+		ERR_load_strings(0,RAND_str_reasons);
 #endif

 		}
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -57,7 +57,7 @@
 */

 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
-#define _XOPEN_SOURCE 1
+#define _XOPEN_SOURCE 500

 #include <errno.h>
 #include <stdio.h>
--- a/crypto/rc2/Makefile
+++ b/crypto/rc2/Makefile
@@ -82,7 +82,7 @@ rc2_cbc.o: rc2_cbc.c rc2_locl.h
 rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 rc2_ecb.o: ../../include/openssl/rc2.h rc2_ecb.c rc2_locl.h
 rc2_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-rc2_skey.o: ../../include/openssl/opensslconf.h
+rc2_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
 rc2_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
 rc2_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rc2_skey.o: ../../include/openssl/symhacks.h rc2_locl.h rc2_skey.c
--- a/crypto/rc2/rc2_skey.c
+++ b/crypto/rc2/rc2_skey.c
@@ -58,6 +58,7 @@

 #include <openssl/rc2.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "rc2_locl.h"

 static unsigned char key_table[256]={
--- a/crypto/rc4/Makefile
+++ b/crypto/rc4/Makefile
@@ -66,7 +66,7 @@ asm/rx86bsdi.o: asm/rx86unix.cpp
 asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl
 	(cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp)

-asm/rc4-amd64.s: asm/rc4-amd64.pl;	$(PERL) asm/rc4-amd64.pl $@
+asm/rc4-x86_64.s: asm/rc4-x86_64.pl;	$(PERL) asm/rc4-x86_64.pl $@

 asm/rc4-ia64.s: asm/rc4-ia64.S
 	$(CC) $(CFLAGS) -E asm/rc4-ia64.S > $@
@@ -116,7 +116,8 @@ rc4_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h rc4_enc.c rc4_locl.h
 rc4_skey.o: ../../e_os.h ../../include/openssl/bio.h
 rc4_skey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rc4_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rc4_skey.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rc4_skey.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rc4_skey.o: ../../include/openssl/opensslconf.h
 rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h
 rc4_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rc4_skey.o: ../../include/openssl/symhacks.h ../cryptlib.h rc4_locl.h
--- a/crypto/rc4/asm/rc4-amd64.pl
+++ b/crypto/rc4/asm/rc4-amd64.pl
@@ -1,227 +0,0 @@
-#!/usr/bin/env perl
-#
-# ====================================================================
-# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
-# project. Rights for redistribution and usage in source and binary
-# forms are granted according to the OpenSSL license.
-# ====================================================================
-#
-# 2.22x RC4 tune-up:-) It should be noted though that my hand [as in
-# "hand-coded assembler"] doesn't stand for the whole improvement
-# coefficient. It turned out that eliminating RC4_CHAR from config
-# line results in ~40% improvement (yes, even for C implementation).
-# Presumably it has everything to do with AMD cache architecture and
-# RAW or whatever penalties. Once again! The module *requires* config
-# line *without* RC4_CHAR! As for coding "secret," I bet on partial
-# register arithmetics. For example instead of 'inc %r8; and $255,%r8'
-# I simply 'inc %r8b'. Even though optimization manual discourages
-# to operate on partial registers, it turned out to be the best bet.
-# At least for AMD... How IA32E would perform remains to be seen...
-
-# As was shown by Marc Bevand reordering of couple of load operations
-# results in even higher performance gain of 3.3x:-) At least on
-# Opteron... For reference, 1x in this case is RC4_CHAR C-code
-# compiled with gcc 3.3.2, which performs at ~54MBps per 1GHz clock.
-# Latter means that if you want to *estimate* what to expect from
-# *your* CPU, then multiply 54 by 3.3 and clock frequency in GHz.
-
-# Intel P4 EM64T core was found to run the AMD64 code really slow...
-# The only way to achieve comparable performance on P4 is to keep
-# RC4_CHAR. Kind of ironic, huh? As it's apparently impossible to
-# compose blended code, which would perform even within 30% marginal
-# on either AMD and Intel platforms, I implement both cases. See
-# rc4_skey.c for further details... This applies to 0.9.8 and later.
-# In 0.9.7 context RC4_CHAR codepath is never engaged and ~70 bytes
-# of code remain redundant.
-
-$output=shift;
-
-$win64a=1 if ($output =~ /win64a.[s|asm]/);
-
-open STDOUT,">$output" || die "can't open $output: $!";
-
-if (defined($win64a)) {
-    $dat="%rcx";	# arg1
-    $len="%rdx";	# arg2
-    $inp="%rsi";	# r8, arg3 moves here
-    $out="%rdi";	# r9, arg4 moves here
-} else {
-    $dat="%rdi";	# arg1
-    $len="%rsi";	# arg2
-    $inp="%rdx";	# arg3
-    $out="%rcx";	# arg4
-}
-
-$XX="%r10";
-$TX="%r8";
-$YY="%r11";
-$TY="%r9";
-
-sub PTR() {
-    my $ret=shift;
-    if (defined($win64a)) {
-	$ret =~ s/\[([\S]+)\+([\S]+)\]/[$2+$1]/g;   # [%rN+%rM*4]->[%rM*4+%rN]
-	$ret =~ s/:([^\[]+)\[([^\]]+)\]/:[$2+$1]/g; # :off[ea]->:[ea+off]
-    } else {
-	$ret =~ s/[\+\*]/,/g;		# [%rN+%rM*4]->[%rN,%rM,4]
-	$ret =~ s/\[([^\]]+)\]/($1)/g;	# [%rN]->(%rN)
-    }
-    $ret;
-}
-
-$code=<<___ if (!defined($win64a));
-.text
-
-.globl	RC4
-.type	RC4,\@function
-.align	16
-RC4:	or	$len,$len
-	jne	.Lentry
-	repret
-.Lentry:
-___
-$code=<<___ if (defined($win64a));
-_TEXT	SEGMENT
-PUBLIC	RC4
-ALIGN	16
-RC4	PROC
-	or	$len,$len
-	jne	.Lentry
-	repret
-.Lentry:
-	push	%rdi
-	push	%rsi
-	sub	\$40,%rsp
-	mov	%r8,$inp
-	mov	%r9,$out
-___
-$code.=<<___;
-	add	\$8,$dat
-	movl	`&PTR("DWORD:-8[$dat]")`,$XX#d
-	movl	`&PTR("DWORD:-4[$dat]")`,$YY#d
-	cmpl	\$-1,`&PTR("DWORD:256[$dat]")`
-	je	.LRC4_CHAR
-	test	\$-8,$len
-	jz	.Lloop1
-.align	16
-.Lloop8:
-	inc	$XX#b
-	movl	`&PTR("DWORD:[$dat+$XX*4]")`,$TX#d
-	add	$TX#b,$YY#b
-	movl	`&PTR("DWORD:[$dat+$YY*4]")`,$TY#d
-	movl	$TX#d,`&PTR("DWORD:[$dat+$YY*4]")`
-	movl	$TY#d,`&PTR("DWORD:[$dat+$XX*4]")`
-	add	$TX#b,$TY#b
-	inc	$XX#b
-	movl	`&PTR("DWORD:[$dat+$XX*4]")`,$TX#d
-	movb	`&PTR("BYTE:[$dat+$TY*4]")`,%al
-___
-for ($i=1;$i<=6;$i++) {
-$code.=<<___;
-	add	$TX#b,$YY#b
-	ror	\$8,%rax
-	movl	`&PTR("DWORD:[$dat+$YY*4]")`,$TY#d
-	movl	$TX#d,`&PTR("DWORD:[$dat+$YY*4]")`
-	movl	$TY#d,`&PTR("DWORD:[$dat+$XX*4]")`
-	add	$TX#b,$TY#b
-	inc	$XX#b
-	movl	`&PTR("DWORD:[$dat+$XX*4]")`,$TX#d
-	movb	`&PTR("BYTE:[$dat+$TY*4]")`,%al
-___
-}
-$code.=<<___;
-	add	$TX#b,$YY#b
-	ror	\$8,%rax
-	movl	`&PTR("DWORD:[$dat+$YY*4]")`,$TY#d
-	movl	$TX#d,`&PTR("DWORD:[$dat+$YY*4]")`
-	movl	$TY#d,`&PTR("DWORD:[$dat+$XX*4]")`
-	sub	\$8,$len
-	add	$TY#b,$TX#b
-	movb	`&PTR("BYTE:[$dat+$TX*4]")`,%al
-	ror	\$8,%rax
-	add	\$8,$inp
-	add	\$8,$out
-
-	xor	`&PTR("QWORD:-8[$inp]")`,%rax
-	mov	%rax,`&PTR("QWORD:-8[$out]")`
-
-	test	\$-8,$len
-	jnz	.Lloop8
-	cmp	\$0,$len
-	jne	.Lloop1
-.Lexit:
-	movl	$XX#d,`&PTR("DWORD:-8[$dat]")`
-	movl	$YY#d,`&PTR("DWORD:-4[$dat]")`
-___
-$code.=<<___ if (defined($win64a));
-	add	\$40,%rsp
-	pop	%rsi
-	pop	%rdi
-___
-$code.=<<___;
-	repret
-.align	16
-.Lloop1:
-	movzb	`&PTR("BYTE:[$inp]")`,%eax
-	inc	$XX#b
-	movl	`&PTR("DWORD:[$dat+$XX*4]")`,$TX#d
-	add	$TX#b,$YY#b
-	movl	`&PTR("DWORD:[$dat+$YY*4]")`,$TY#d
-	movl	$TX#d,`&PTR("DWORD:[$dat+$YY*4]")`
-	movl	$TY#d,`&PTR("DWORD:[$dat+$XX*4]")`
-	add	$TY#b,$TX#b
-	movl	`&PTR("DWORD:[$dat+$TX*4]")`,$TY#d
-	xor	$TY,%rax
-	inc	$inp
-	movb	%al,`&PTR("BYTE:[$out]")`
-	inc	$out
-	dec	$len
-	jnz	.Lloop1
-	jmp	.Lexit
-
-.align	16
-.LRC4_CHAR:
-	inc	$XX#b
-	movzb	`&PTR("BYTE:[$dat+$XX]")`,$TX#d
-	add	$TX#b,$YY#b
-	movzb	`&PTR("BYTE:[$dat+$YY]")`,$TY#d
-	movb	$TX#b,`&PTR("BYTE:[$dat+$YY]")`
-	movb	$TY#b,`&PTR("BYTE:[$dat+$XX]")`
-	add	$TX#b,$TY#b
-	movzb	`&PTR("BYTE:[$dat+$TY]")`,$TY#d
-	xorb	`&PTR("BYTE:[$inp]")`,$TY#b
-	movb	$TY#b,`&PTR("BYTE:[$out]")`
-	inc	$inp
-	inc	$out
-	dec	$len
-	jnz	.LRC4_CHAR
-	jmp	.Lexit
-___
-$code.=<<___ if (defined($win64a));
-RC4	ENDP
-_TEXT	ENDS
-END
-___
-$code.=<<___ if (!defined($win64a));
-.size	RC4,.-RC4
-___
-
-$code =~ s/#([bwd])/$1/gm;
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-
-if (defined($win64a)) {
-    $code =~ s/\.align/ALIGN/gm;
-    $code =~ s/[\$%]//gm;
-    $code =~ s/\.L/\$L/gm;
-    $code =~ s/([\w]+)([\s]+)([\S]+),([\S]+)/$1$2$4,$3/gm;
-    $code =~ s/([QD]*WORD|BYTE):/$1 PTR/gm;
-    $code =~ s/mov[bwlq]/mov/gm;
-    $code =~ s/movzb/movzx/gm;
-    $code =~ s/repret/DB\t0F3h,0C3h/gm;
-    $code =~ s/cmpl/cmp/gm;
-    $code =~ s/xorb/xor/gm;
-} else {
-    $code =~ s/([QD]*WORD|BYTE)://gm;
-    $code =~ s/repret/.byte\t0xF3,0xC3/gm;
-}
-print $code;
--- a/crypto/rc4/asm/rc4-x86_64.pl
+++ b/crypto/rc4/asm/rc4-x86_64.pl
@@ -0,0 +1,150 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# Unlike 0.9.7f this code expects RC4_CHAR back in config line! See
+# commentary section in corresponding script in development branch
+# for background information about this option carousel. For those
+# who don't have energy to figure out these gory details, here is
+# basis in form of performance matrix relative to the original
+# 0.9.7e C code-base:
+#
+#		0.9.7e	0.9.7f	this
+# AMD64		1x	3.3x	2.4x
+# EM64T		1x	0.8x	1.5x
+#
+# In other words idea is to trade -25% AMD64 performance to compensate
+# for deterioration and gain +90% on EM64T core. Development branch
+# maintains best performance for either target, i.e. 3.3x for AMD64
+# and 1.5x for EM64T.
+
+$output=shift;
+
+open STDOUT,">$output" || die "can't open $output: $!";
+
+$dat="%rdi";	    # arg1
+$len="%rsi";	    # arg2
+$inp="%rdx";	    # arg3
+$out="%rcx";	    # arg4
+
+@XX=("%r8","%r10");
+@TX=("%r9","%r11");
+$YY="%r12";
+$TY="%r13";
+
+$code=<<___;;
+.text
+
+.globl	RC4
+.type	RC4,\@function
+.align	16
+RC4:	or	$len,$len
+	jne	.Lentry
+	repret
+.Lentry:
+	push	%r12
+	push	%r13
+
+	add	\$2,$dat
+	movzb	-2($dat),$XX[0]#d
+	movzb	-1($dat),$YY#d
+
+	add	\$1,$XX[0]#b
+	movzb	($dat,$XX[0]),$TX[0]#d
+	test	\$-8,$len
+	jz	.Lcloop1
+	push	%rbx
+.align	16	# incidentally aligned already
+.Lcloop8:
+	mov	($inp),%eax
+	mov	4($inp),%ebx
+___
+# unroll 2x4-wise, because 64-bit rotates kill Intel P4...
+for ($i=0;$i<4;$i++) {
+$code.=<<___;
+	add	$TX[0]#b,$YY#b
+	lea	1($XX[0]),$XX[1]
+	movzb	($dat,$YY),$TY#d
+	movzb	$XX[1]#b,$XX[1]#d
+	movzb	($dat,$XX[1]),$TX[1]#d
+	movb	$TX[0]#b,($dat,$YY)
+	cmp	$XX[1],$YY
+	movb	$TY#b,($dat,$XX[0])
+	jne	.Lcmov$i			# Intel cmov is sloooow...
+	mov	$TX[0],$TX[1]
+.Lcmov$i:
+	add	$TX[0]#b,$TY#b
+	xor	($dat,$TY),%al
+	ror	\$8,%eax
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));	# "rotate" registers
+}
+for ($i=4;$i<8;$i++) {
+$code.=<<___;
+	add	$TX[0]#b,$YY#b
+	lea	1($XX[0]),$XX[1]
+	movzb	($dat,$YY),$TY#d
+	movzb	$XX[1]#b,$XX[1]#d
+	movzb	($dat,$XX[1]),$TX[1]#d
+	movb	$TX[0]#b,($dat,$YY)
+	cmp	$XX[1],$YY
+	movb	$TY#b,($dat,$XX[0])
+	jne	.Lcmov$i			# Intel cmov is sloooow...
+	mov	$TX[0],$TX[1]
+.Lcmov$i:
+	add	$TX[0]#b,$TY#b
+	xor	($dat,$TY),%bl
+	ror	\$8,%ebx
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));	# "rotate" registers
+}
+$code.=<<___;
+	lea	-8($len),$len
+	mov	%eax,($out)
+	lea	8($inp),$inp
+	mov	%ebx,4($out)
+	lea	8($out),$out
+
+	test	\$-8,$len
+	jnz	.Lcloop8
+	pop	%rbx
+	cmp	\$0,$len
+	jne	.Lcloop1
+.Lexit:
+	sub	\$1,$XX[0]#b
+	movb	$XX[0]#b,-2($dat)
+	movb	$YY#b,-1($dat)
+
+	pop	%r13
+	pop	%r12
+	repret
+
+.align	16
+.Lcloop1:
+	add	$TX[0]#b,$YY#b
+	movzb	($dat,$YY),$TY#d
+	movb	$TX[0]#b,($dat,$YY)
+	movb	$TY#b,($dat,$XX[0])
+	add	$TX[0]#b,$TY#b
+	add	\$1,$XX[0]#b
+	movzb	($dat,$TY),$TY#d
+	movzb	($dat,$XX[0]),$TX[0]#d
+	xorb	($inp),$TY#b
+	lea	1($inp),$inp
+	movb	$TY#b,($out)
+	lea	1($out),$out
+	sub	\$1,$len
+	jnz	.Lcloop1
+	jmp	.Lexit
+.size	RC4,.-RC4
+___
+
+$code =~ s/#([bwd])/$1/gm;
+
+$code =~ s/repret/.byte\t0xF3,0xC3/gm;
+
+print $code;
--- a/crypto/rc4/rc4_skey.c
+++ b/crypto/rc4/rc4_skey.c
@@ -58,6 +58,7 @@

 #include <openssl/rc4.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>

--- a/crypto/rc5/Makefile
+++ b/crypto/rc5/Makefile
@@ -102,7 +102,7 @@ rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
 rc5_ecb.o: rc5_ecb.c rc5_locl.h
 rc5_enc.o: ../../include/openssl/rc5.h rc5_enc.c rc5_locl.h
 rc5_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-rc5_skey.o: ../../include/openssl/opensslconf.h
+rc5_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
 rc5_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
 rc5_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rc5_skey.o: ../../include/openssl/symhacks.h rc5_locl.h rc5_skey.c
--- a/crypto/rc5/rc5_skey.c
+++ b/crypto/rc5/rc5_skey.c
@@ -58,6 +58,7 @@

 #include <openssl/crypto.h>
 #include <openssl/rc5.h>
+#include <openssl/fips.h>
 #include "rc5_locl.h"


--- a/crypto/ripemd/rmd_one.c
+++ b/crypto/ripemd/rmd_one.c
@@ -68,7 +68,8 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
 	static unsigned char m[RIPEMD160_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	RIPEMD160_Init(&c);
+	if (!RIPEMD160_Init(&c))
+		return NULL;
 	RIPEMD160_Update(&c,d,n);
 	RIPEMD160_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -157,28 +157,35 @@ struct rsa_st
 #define RSA_3	0x3L
 #define RSA_F4	0x10001L

-#define RSA_METHOD_FLAG_NO_CHECK	0x01 /* don't check pub/private match */
+#define RSA_METHOD_FLAG_NO_CHECK	0x0001 /* don't check pub/private match */

-#define RSA_FLAG_CACHE_PUBLIC		0x02
-#define RSA_FLAG_CACHE_PRIVATE		0x04
-#define RSA_FLAG_BLINDING		0x08
-#define RSA_FLAG_THREAD_SAFE		0x10
+#define RSA_FLAG_CACHE_PUBLIC		0x0002
+#define RSA_FLAG_CACHE_PRIVATE		0x0004
+#define RSA_FLAG_BLINDING		0x0008
+#define RSA_FLAG_THREAD_SAFE		0x0010
 /* This flag means the private key operations will be handled by rsa_mod_exp
 * and that they do not depend on the private key components being present:
 * for example a key stored in external hardware. Without this flag bn_mod_exp
 * gets called when private key components are absent.
 */
-#define RSA_FLAG_EXT_PKEY		0x20
+#define RSA_FLAG_EXT_PKEY		0x0020

 /* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
 */
-#define RSA_FLAG_SIGN_VER		0x40
+#define RSA_FLAG_SIGN_VER		0x0040

-#define RSA_FLAG_NO_BLINDING		0x80 /* new with 0.9.6j and 0.9.7b; the built-in
-                                              * RSA implementation now uses blinding by
-                                              * default (ignoring RSA_FLAG_BLINDING),
-                                              * but other engines might not need it
-                                              */
+#define RSA_FLAG_NO_BLINDING		0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
+                                                * RSA implementation now uses blinding by
+                                                * default (ignoring RSA_FLAG_BLINDING),
+                                                * but other engines might not need it
+                                                */
+#define RSA_FLAG_NO_EXP_CONSTTIME	0x0100 /* new with 0.9.7h; the built-in RSA
+                                                * implementation now uses constant time
+                                                * modular exponentiation for secret exponents
+                                                * by default. This flag causes the
+                                                * faster variable sliding window method to
+                                                * be used for all exponents.
+                                                */

 #define RSA_PKCS1_PADDING	1
 #define RSA_SSLV23_PADDING	2
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */

 #include <stdio.h>
 #include "cryptlib.h"
@@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 		goto err;
 		}

-	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
 		{
-		BN_MONT_CTX* bn_mont_ctx;
-		if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
+					CRYPTO_LOCK_RSA, rsa->n, ctx))
 			goto err;
-		if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-			{
-			BN_MONT_CTX_free(bn_mont_ctx);
-			goto err;
-			}
-		if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-			{
-			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-			if (rsa->_method_mod_n == NULL)
-				{
-				rsa->_method_mod_n = bn_mont_ctx;
-				bn_mont_ctx = NULL;
-				}
-			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-			}
-		if (bn_mont_ctx)
-			BN_MONT_CTX_free(bn_mont_ctx);
 		}
-		
+
 	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;

@@ -331,10 +367,22 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 		(rsa->dmp1 != NULL) &&
 		(rsa->dmq1 != NULL) &&
 		(rsa->iqmp != NULL)) )
-		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+		{ 
+		if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+		}
 	else
 		{
-		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+		BIGNUM local_d;
+		BIGNUM *d = NULL;
+		
+		if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+			{
+			d = &local_d;
+			BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			d = rsa->d;
+		if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
 		}

 	if (blinding)
@@ -444,10 +492,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		(rsa->dmp1 != NULL) &&
 		(rsa->dmq1 != NULL) &&
 		(rsa->iqmp != NULL)) )
-		{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+		{
+		if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+		}
 	else
 		{
-		if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+		BIGNUM local_d;
+		BIGNUM *d = NULL;
+		
+		if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+			{
+			d = &local_d;
+			BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+			}
+		else
+			d = rsa->d;
+		if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
 			goto err;
 		}

@@ -534,30 +594,14 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		}

 	/* do the decrypt */
-	if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+
+	if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
 		{
-		BN_MONT_CTX* bn_mont_ctx;
-		if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
+					CRYPTO_LOCK_RSA, rsa->n, ctx))
 			goto err;
-		if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-			{
-			BN_MONT_CTX_free(bn_mont_ctx);
-			goto err;
-			}
-		if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-			{
-			CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-			if (rsa->_method_mod_n == NULL)
-				{
-				rsa->_method_mod_n = bn_mont_ctx;
-				bn_mont_ctx = NULL;
-				}
-			CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-			}
-		if (bn_mont_ctx)
-			BN_MONT_CTX_free(bn_mont_ctx);
 		}
-		
+
 	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;

@@ -594,6 +638,8 @@ err:
 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	BIGNUM r1,m1,vrfy;
+	BIGNUM local_dmp1, local_dmq1;
+	BIGNUM *dmp1, *dmq1;
 	int ret=0;
 	BN_CTX *ctx;

@@ -604,61 +650,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)

 	if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
 		{
-		if (rsa->_method_mod_p == NULL)
-			{
-			BN_MONT_CTX* bn_mont_ctx;
-			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-				goto err;
-			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
-				{
-				BN_MONT_CTX_free(bn_mont_ctx);
-				goto err;
-				}
-			if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
-				{
-				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-				if (rsa->_method_mod_p == NULL)
-					{
-					rsa->_method_mod_p = bn_mont_ctx;
-					bn_mont_ctx = NULL;
-					}
-				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-				}
-			if (bn_mont_ctx)
-				BN_MONT_CTX_free(bn_mont_ctx);
-			}
-
-		if (rsa->_method_mod_q == NULL)
-			{
-			BN_MONT_CTX* bn_mont_ctx;
-			if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-				goto err;
-			if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
-				{
-				BN_MONT_CTX_free(bn_mont_ctx);
-				goto err;
-				}
-			if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
-				{
-				CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-				if (rsa->_method_mod_q == NULL)
-					{
-					rsa->_method_mod_q = bn_mont_ctx;
-					bn_mont_ctx = NULL;
-					}
-				CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-				}
-			if (bn_mont_ctx)
-				BN_MONT_CTX_free(bn_mont_ctx);
-			}
+		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
+					CRYPTO_LOCK_RSA, rsa->p, ctx))
+			goto err;
+		if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+					CRYPTO_LOCK_RSA, rsa->q, ctx))
+			goto err;
 		}
-		
+
 	if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
-	if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+		{
+		dmq1 = &local_dmq1;
+		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
+		}
+	else
+		dmq1 = rsa->dmq1;
+	if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
 		rsa->_method_mod_q)) goto err;

 	if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
-	if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+	if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+		{
+		dmp1 = &local_dmp1;
+		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
+		}
+	else
+		dmp1 = rsa->dmp1;
+	if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
 		rsa->_method_mod_p)) goto err;

 	if (!BN_sub(r0,r0,&m1)) goto err;
@@ -693,10 +712,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 		if (vrfy.neg)
 			if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
 		if (!BN_is_zero(&vrfy))
+			{
 			/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
 			 * miscalculated CRT output, just do a raw (slower)
 			 * mod_exp and return that instead. */
-			if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+
+			BIGNUM local_d;
+			BIGNUM *d = NULL;
+		
+			if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+				{
+				d = &local_d;
+				BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+				}
+			else
+				d = rsa->d;
+			if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
+			}
 		}
 	ret=1;
 err:
--- a/crypto/rsa/rsa_err.c
+++ b/crypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/rsa/rsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,70 +64,74 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
+
 static ERR_STRING_DATA RSA_str_functs[]=
 	{
-{ERR_PACK(0,RSA_F_MEMORY_LOCK,0),	"MEMORY_LOCK"},
-{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0),	"RSA_check_key"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0),	"RSA_EAY_PRIVATE_DECRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0),	"RSA_EAY_PRIVATE_ENCRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0),	"RSA_EAY_PUBLIC_DECRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0),	"RSA_EAY_PUBLIC_ENCRYPT"},
-{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0),	"RSA_generate_key"},
-{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0),	"RSA_new_method"},
-{ERR_PACK(0,RSA_F_RSA_NULL,0),	"RSA_NULL"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0),	"RSA_padding_add_none"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0),	"RSA_padding_add_PKCS1_OAEP"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0),	"RSA_padding_add_PKCS1_type_1"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0),	"RSA_padding_add_PKCS1_type_2"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0),	"RSA_padding_add_SSLv23"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0),	"RSA_padding_check_none"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0),	"RSA_padding_check_PKCS1_OAEP"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0),	"RSA_padding_check_PKCS1_type_1"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0),	"RSA_padding_check_PKCS1_type_2"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0),	"RSA_padding_check_SSLv23"},
-{ERR_PACK(0,RSA_F_RSA_PRINT,0),	"RSA_print"},
-{ERR_PACK(0,RSA_F_RSA_PRINT_FP,0),	"RSA_print_fp"},
-{ERR_PACK(0,RSA_F_RSA_SIGN,0),	"RSA_sign"},
-{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0),	"RSA_sign_ASN1_OCTET_STRING"},
-{ERR_PACK(0,RSA_F_RSA_VERIFY,0),	"RSA_verify"},
-{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0),	"RSA_verify_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_MEMORY_LOCK),	"MEMORY_LOCK"},
+{ERR_FUNC(RSA_F_RSA_CHECK_KEY),	"RSA_check_key"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT),	"RSA_EAY_PRIVATE_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT),	"RSA_EAY_PRIVATE_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT),	"RSA_EAY_PUBLIC_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT),	"RSA_EAY_PUBLIC_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_GENERATE_KEY),	"RSA_generate_key"},
+{ERR_FUNC(RSA_F_RSA_NEW_METHOD),	"RSA_new_method"},
+{ERR_FUNC(RSA_F_RSA_NULL),	"RSA_NULL"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE),	"RSA_padding_add_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP),	"RSA_padding_add_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1),	"RSA_padding_add_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2),	"RSA_padding_add_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23),	"RSA_padding_add_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE),	"RSA_padding_check_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP),	"RSA_padding_check_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1),	"RSA_padding_check_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2),	"RSA_padding_check_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23),	"RSA_padding_check_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PRINT),	"RSA_print"},
+{ERR_FUNC(RSA_F_RSA_PRINT_FP),	"RSA_print_fp"},
+{ERR_FUNC(RSA_F_RSA_SIGN),	"RSA_sign"},
+{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),	"RSA_sign_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY),	"RSA_verify"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING),	"RSA_verify_ASN1_OCTET_STRING"},
 {0,NULL}
 	};

 static ERR_STRING_DATA RSA_str_reasons[]=
 	{
-{RSA_R_ALGORITHM_MISMATCH                ,"algorithm mismatch"},
-{RSA_R_BAD_E_VALUE                       ,"bad e value"},
-{RSA_R_BAD_FIXED_HEADER_DECRYPT          ,"bad fixed header decrypt"},
-{RSA_R_BAD_PAD_BYTE_COUNT                ,"bad pad byte count"},
-{RSA_R_BAD_SIGNATURE                     ,"bad signature"},
-{RSA_R_BLOCK_TYPE_IS_NOT_01              ,"block type is not 01"},
-{RSA_R_BLOCK_TYPE_IS_NOT_02              ,"block type is not 02"},
-{RSA_R_DATA_GREATER_THAN_MOD_LEN         ,"data greater than mod len"},
-{RSA_R_DATA_TOO_LARGE                    ,"data too large"},
-{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
-{RSA_R_DATA_TOO_LARGE_FOR_MODULUS        ,"data too large for modulus"},
-{RSA_R_DATA_TOO_SMALL                    ,"data too small"},
-{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
-{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
-{RSA_R_DMP1_NOT_CONGRUENT_TO_D           ,"dmp1 not congruent to d"},
-{RSA_R_DMQ1_NOT_CONGRUENT_TO_D           ,"dmq1 not congruent to d"},
-{RSA_R_D_E_NOT_CONGRUENT_TO_1            ,"d e not congruent to 1"},
-{RSA_R_INVALID_MESSAGE_LENGTH            ,"invalid message length"},
-{RSA_R_IQMP_NOT_INVERSE_OF_Q             ,"iqmp not inverse of q"},
-{RSA_R_KEY_SIZE_TOO_SMALL                ,"key size too small"},
-{RSA_R_NULL_BEFORE_BLOCK_MISSING         ,"null before block missing"},
-{RSA_R_N_DOES_NOT_EQUAL_P_Q              ,"n does not equal p q"},
-{RSA_R_OAEP_DECODING_ERROR               ,"oaep decoding error"},
-{RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
-{RSA_R_P_NOT_PRIME                       ,"p not prime"},
-{RSA_R_Q_NOT_PRIME                       ,"q not prime"},
-{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
-{RSA_R_SSLV3_ROLLBACK_ATTACK             ,"sslv3 rollback attack"},
-{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
-{RSA_R_UNKNOWN_ALGORITHM_TYPE            ,"unknown algorithm type"},
-{RSA_R_UNKNOWN_PADDING_TYPE              ,"unknown padding type"},
-{RSA_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
+{ERR_REASON(RSA_R_ALGORITHM_MISMATCH)    ,"algorithm mismatch"},
+{ERR_REASON(RSA_R_BAD_E_VALUE)           ,"bad e value"},
+{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
+{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT)    ,"bad pad byte count"},
+{ERR_REASON(RSA_R_BAD_SIGNATURE)         ,"bad signature"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01)  ,"block type is not 01"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02)  ,"block type is not 02"},
+{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE)        ,"data too large"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL)        ,"data too small"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
+{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
+{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
+{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
+{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
+{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
+{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
+{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
+{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
+{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
+{ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
+{ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
+{ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
+{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
+{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
+{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
+{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE)  ,"unknown padding type"},
+{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
 {0,NULL}
 	};

@@ -141,8 +145,8 @@ void ERR_load_RSA_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_RSA,RSA_str_functs);
-		ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons);
+		ERR_load_strings(0,RSA_str_functs);
+		ERR_load_strings(0,RSA_str_reasons);
 #endif

 		}
--- a/crypto/rsa/rsa_test.c
+++ b/crypto/rsa/rsa_test.c
@@ -227,10 +227,10 @@ int main(int argc, char *argv[])

    plen = sizeof(ptext_ex) - 1;

-    for (v = 0; v < 3; v++)
+    for (v = 0; v < 6; v++)
 	{
 	key = RSA_new();
-	switch (v) {
+	switch (v%3) {
    case 0:
 	clen = key1(key, ctext_ex);
 	break;
@@ -241,6 +241,7 @@ int main(int argc, char *argv[])
 	clen = key3(key, ctext_ex);
 	break;
 	}
+	if (v/3 > 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME;

 	num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
 				 RSA_PKCS1_PADDING);
--- a/crypto/sha/sha1_one.c
+++ b/crypto/sha/sha1_one.c
@@ -61,14 +61,15 @@
 #include <openssl/sha.h>
 #include <openssl/crypto.h>

-#ifndef OPENSSL_NO_SHA1
+#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_FIPS)
 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
 	{
 	SHA_CTX c;
 	static unsigned char m[SHA_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	SHA1_Init(&c);
+	if (!SHA1_Init(&c))
+		return NULL;
 	SHA1_Update(&c,d,n);
 	SHA1_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c));
--- a/crypto/sha/sha_one.c
+++ b/crypto/sha/sha_one.c
@@ -68,7 +68,8 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
 	static unsigned char m[SHA_DIGEST_LENGTH];

 	if (md == NULL) md=m;
-	SHA_Init(&c);
+	if (!SHA_Init(&c))
+		return NULL;
 	SHA_Update(&c,d,n);
 	SHA_Final(md,&c);
 	OPENSSL_cleanse(&c,sizeof(c));
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
@@ -55,6 +55,9 @@
 #ifndef HEADER_SAFESTACK_H
 #define HEADER_SAFESTACK_H

+typedef void (*openssl_fptr)(void);
+#define openssl_fcast(f) ((openssl_fptr)f)
+
 #include <openssl/stack.h>

 #ifdef DEBUG_SAFESTACK
@@ -73,74 +76,74 @@ STACK_OF(type) \
 /* SKM_sk_... stack macros are internal to safestack.h:
 * never use them directly, use sk_<type>_... instead */
 #define SKM_sk_new(type, cmp) \
-	((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))sk_new)(cmp)
+	((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))openssl_fcast(sk_new))(cmp)
 #define SKM_sk_new_null(type) \
-	((STACK_OF(type) * (*)(void))sk_new_null)()
+	((STACK_OF(type) * (*)(void))openssl_fcast(sk_new_null))()
 #define SKM_sk_free(type, st) \
-	((void (*)(STACK_OF(type) *))sk_free)(st)
+	((void (*)(STACK_OF(type) *))openssl_fcast(sk_free))(st)
 #define SKM_sk_num(type, st) \
-	((int (*)(const STACK_OF(type) *))sk_num)(st)
+	((int (*)(const STACK_OF(type) *))openssl_fcast(sk_num))(st)
 #define SKM_sk_value(type, st,i) \
-	((type * (*)(const STACK_OF(type) *, int))sk_value)(st, i)
+	((type * (*)(const STACK_OF(type) *, int))openssl_fcast(sk_value))(st, i)
 #define SKM_sk_set(type, st,i,val) \
-	((type * (*)(STACK_OF(type) *, int, type *))sk_set)(st, i, val)
+	((type * (*)(STACK_OF(type) *, int, type *))openssl_fcast(sk_set))(st, i, val)
 #define SKM_sk_zero(type, st) \
-	((void (*)(STACK_OF(type) *))sk_zero)(st)
+	((void (*)(STACK_OF(type) *))openssl_fcast(sk_zero))(st)
 #define SKM_sk_push(type, st,val) \
-	((int (*)(STACK_OF(type) *, type *))sk_push)(st, val)
+	((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_push))(st, val)
 #define SKM_sk_unshift(type, st,val) \
-	((int (*)(STACK_OF(type) *, type *))sk_unshift)(st, val)
+	((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_unshift))(st, val)
 #define SKM_sk_find(type, st,val) \
-	((int (*)(STACK_OF(type) *, type *))sk_find)(st, val)
+	((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_find))(st, val)
 #define SKM_sk_delete(type, st,i) \
-	((type * (*)(STACK_OF(type) *, int))sk_delete)(st, i)
+	((type * (*)(STACK_OF(type) *, int))openssl_fcast(sk_delete))(st, i)
 #define SKM_sk_delete_ptr(type, st,ptr) \
-	((type * (*)(STACK_OF(type) *, type *))sk_delete_ptr)(st, ptr)
+	((type * (*)(STACK_OF(type) *, type *))openssl_fcast(sk_delete_ptr))(st, ptr)
 #define SKM_sk_insert(type, st,val,i) \
-	((int (*)(STACK_OF(type) *, type *, int))sk_insert)(st, val, i)
+	((int (*)(STACK_OF(type) *, type *, int))openssl_fcast(sk_insert))(st, val, i)
 #define SKM_sk_set_cmp_func(type, st,cmp) \
 	((int (*(*)(STACK_OF(type) *, int (*)(const type * const *, const type * const *))) \
-	  (const type * const *, const type * const *))sk_set_cmp_func)\
+	  (const type * const *, const type * const *))openssl_fcast(sk_set_cmp_func))\
 	(st, cmp)
 #define SKM_sk_dup(type, st) \
-	((STACK_OF(type) *(*)(STACK_OF(type) *))sk_dup)(st)
+	((STACK_OF(type) *(*)(STACK_OF(type) *))openssl_fcast(sk_dup))(st)
 #define SKM_sk_pop_free(type, st,free_func) \
-	((void (*)(STACK_OF(type) *, void (*)(type *)))sk_pop_free)\
+	((void (*)(STACK_OF(type) *, void (*)(type *)))openssl_fcast(sk_pop_free))\
 	(st, free_func)
 #define SKM_sk_shift(type, st) \
-	((type * (*)(STACK_OF(type) *))sk_shift)(st)
+	((type * (*)(STACK_OF(type) *))openssl_fcast(sk_shift))(st)
 #define SKM_sk_pop(type, st) \
-	((type * (*)(STACK_OF(type) *))sk_pop)(st)
+	((type * (*)(STACK_OF(type) *))openssl_fcast(sk_pop))(st)
 #define SKM_sk_sort(type, st) \
-	((void (*)(STACK_OF(type) *))sk_sort)(st)
+	((void (*)(STACK_OF(type) *))openssl_fcast(sk_sort))(st)
 #define SKM_sk_is_sorted(type, st) \
-	((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
+	((int (*)(const STACK_OF(type) *))openssl_fcast(sk_is_sorted))(st)

 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
 	((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
                                       type *(*)(type **, unsigned char **,long), \
-                                       void (*)(type *), int ,int )) d2i_ASN1_SET) \
+                                       void (*)(type *), int ,int )) openssl_fcast(d2i_ASN1_SET)) \
 						(st,pp,length, d2i_func, free_func, ex_tag,ex_class)
 #define	SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \
 	((int (*)(STACK_OF(type) *,unsigned char **, \
-                           int (*)(type *,unsigned char **), int , int , int)) i2d_ASN1_SET) \
+                           int (*)(type *,unsigned char **), int , int , int)) openssl_fcast(i2d_ASN1_SET)) \
 						(st,pp,i2d_func,ex_tag,ex_class,is_set)

 #define	SKM_ASN1_seq_pack(type, st, i2d_func, buf, len) \
 	((unsigned char *(*)(STACK_OF(type) *, \
-                                    int (*)(type *,unsigned char **), unsigned char **,int *)) ASN1_seq_pack) \
+                                    int (*)(type *,unsigned char **), unsigned char **,int *)) openssl_fcast(ASN1_seq_pack)) \
 				(st, i2d_func, buf, len)
 #define	SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \
 	((STACK_OF(type) * (*)(unsigned char *,int, \
                                       type *(*)(type **,unsigned char **, long), \
-                                       void (*)(type *)))ASN1_seq_unpack) \
+                                       void (*)(type *)))openssl_fcast(ASN1_seq_unpack)) \
 					(buf,len,d2i_func, free_func)

 #define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \
 	((STACK_OF(type) * (*)(X509_ALGOR *, \
                                type *(*)(type **, unsigned char **, long), void (*)(type *), \
                                const char *, int, \
-                                ASN1_STRING *, int))PKCS12_decrypt_d2i) \
+                                ASN1_STRING *, int))openssl_fcast(PKCS12_decrypt_d2i)) \
 				(algor,d2i_func,free_func,pass,passlen,oct,seq)

 #else
--- a/crypto/ui/ui_err.c
+++ b/crypto/ui/ui_err.c
@@ -1,6 +1,6 @@
 /* crypto/ui/ui_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,32 +64,36 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_UI,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_UI,0,reason)
+
 static ERR_STRING_DATA UI_str_functs[]=
 	{
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0),	"GENERAL_ALLOCATE_BOOLEAN"},
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0),	"GENERAL_ALLOCATE_PROMPT"},
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0),	"GENERAL_ALLOCATE_STRING"},
-{ERR_PACK(0,UI_F_UI_CTRL,0),	"UI_ctrl"},
-{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0),	"UI_dup_error_string"},
-{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0),	"UI_dup_info_string"},
-{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0),	"UI_dup_input_boolean"},
-{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0),	"UI_dup_input_string"},
-{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0),	"UI_dup_verify_string"},
-{ERR_PACK(0,UI_F_UI_GET0_RESULT,0),	"UI_get0_result"},
-{ERR_PACK(0,UI_F_UI_NEW_METHOD,0),	"UI_new_method"},
-{ERR_PACK(0,UI_F_UI_SET_RESULT,0),	"UI_set_result"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_BOOLEAN),	"GENERAL_ALLOCATE_BOOLEAN"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_PROMPT),	"GENERAL_ALLOCATE_PROMPT"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_STRING),	"GENERAL_ALLOCATE_STRING"},
+{ERR_FUNC(UI_F_UI_CTRL),	"UI_ctrl"},
+{ERR_FUNC(UI_F_UI_DUP_ERROR_STRING),	"UI_dup_error_string"},
+{ERR_FUNC(UI_F_UI_DUP_INFO_STRING),	"UI_dup_info_string"},
+{ERR_FUNC(UI_F_UI_DUP_INPUT_BOOLEAN),	"UI_dup_input_boolean"},
+{ERR_FUNC(UI_F_UI_DUP_INPUT_STRING),	"UI_dup_input_string"},
+{ERR_FUNC(UI_F_UI_DUP_VERIFY_STRING),	"UI_dup_verify_string"},
+{ERR_FUNC(UI_F_UI_GET0_RESULT),	"UI_get0_result"},
+{ERR_FUNC(UI_F_UI_NEW_METHOD),	"UI_new_method"},
+{ERR_FUNC(UI_F_UI_SET_RESULT),	"UI_set_result"},
 {0,NULL}
 	};

 static ERR_STRING_DATA UI_str_reasons[]=
 	{
-{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS    ,"common ok and cancel characters"},
-{UI_R_INDEX_TOO_LARGE                    ,"index too large"},
-{UI_R_INDEX_TOO_SMALL                    ,"index too small"},
-{UI_R_NO_RESULT_BUFFER                   ,"no result buffer"},
-{UI_R_RESULT_TOO_LARGE                   ,"result too large"},
-{UI_R_RESULT_TOO_SMALL                   ,"result too small"},
-{UI_R_UNKNOWN_CONTROL_COMMAND            ,"unknown control command"},
+{ERR_REASON(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS),"common ok and cancel characters"},
+{ERR_REASON(UI_R_INDEX_TOO_LARGE)        ,"index too large"},
+{ERR_REASON(UI_R_INDEX_TOO_SMALL)        ,"index too small"},
+{ERR_REASON(UI_R_NO_RESULT_BUFFER)       ,"no result buffer"},
+{ERR_REASON(UI_R_RESULT_TOO_LARGE)       ,"result too large"},
+{ERR_REASON(UI_R_RESULT_TOO_SMALL)       ,"result too small"},
+{ERR_REASON(UI_R_UNKNOWN_CONTROL_COMMAND),"unknown control command"},
 {0,NULL}
 	};

@@ -103,8 +107,8 @@ void ERR_load_UI_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_UI,UI_str_functs);
-		ERR_load_strings(ERR_LIB_UI,UI_str_reasons);
+		ERR_load_strings(0,UI_str_functs);
+		ERR_load_strings(0,UI_str_reasons);
 #endif

 		}
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -1,6 +1,6 @@
 /* crypto/x509/x509_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,77 +64,81 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
+
 static ERR_STRING_DATA X509_str_functs[]=
 	{
-{ERR_PACK(0,X509_F_ADD_CERT_DIR,0),	"ADD_CERT_DIR"},
-{ERR_PACK(0,X509_F_BY_FILE_CTRL,0),	"BY_FILE_CTRL"},
-{ERR_PACK(0,X509_F_DIR_CTRL,0),	"DIR_CTRL"},
-{ERR_PACK(0,X509_F_GET_CERT_BY_SUBJECT,0),	"GET_CERT_BY_SUBJECT"},
-{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_DECODE,0),	"NETSCAPE_SPKI_b64_decode"},
-{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_ENCODE,0),	"NETSCAPE_SPKI_b64_encode"},
-{ERR_PACK(0,X509_F_X509V3_ADD_EXT,0),	"X509v3_add_ext"},
-{ERR_PACK(0,X509_F_X509_ADD_ATTR,0),	"X509_ADD_ATTR"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_NID,0),	"X509_ATTRIBUTE_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,0),	"X509_ATTRIBUTE_create_by_OBJ"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,0),	"X509_ATTRIBUTE_create_by_txt"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_GET0_DATA,0),	"X509_ATTRIBUTE_get0_data"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_SET1_DATA,0),	"X509_ATTRIBUTE_set1_data"},
-{ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0),	"X509_check_private_key"},
-{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0),	"X509_EXTENSION_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0),	"X509_EXTENSION_create_by_OBJ"},
-{ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0),	"X509_get_pubkey_parameters"},
-{ERR_PACK(0,X509_F_X509_LOAD_CERT_CRL_FILE,0),	"X509_load_cert_crl_file"},
-{ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0),	"X509_load_cert_file"},
-{ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0),	"X509_load_crl_file"},
-{ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0),	"X509_NAME_add_entry"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0),	"X509_NAME_ENTRY_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,0),	"X509_NAME_ENTRY_create_by_txt"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0),	"X509_NAME_ENTRY_set_object"},
-{ERR_PACK(0,X509_F_X509_NAME_ONELINE,0),	"X509_NAME_oneline"},
-{ERR_PACK(0,X509_F_X509_NAME_PRINT,0),	"X509_NAME_print"},
-{ERR_PACK(0,X509_F_X509_PRINT_FP,0),	"X509_print_fp"},
-{ERR_PACK(0,X509_F_X509_PUBKEY_GET,0),	"X509_PUBKEY_get"},
-{ERR_PACK(0,X509_F_X509_PUBKEY_SET,0),	"X509_PUBKEY_set"},
-{ERR_PACK(0,X509_F_X509_REQ_PRINT,0),	"X509_REQ_print"},
-{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0),	"X509_REQ_print_fp"},
-{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
-{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
-{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0),	"X509_STORE_CTX_init"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0),	"X509_STORE_CTX_new"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
-{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
-{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
-{ERR_PACK(0,X509_F_X509_TRUST_SET,0),	"X509_TRUST_set"},
-{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0),	"X509_verify_cert"},
+{ERR_FUNC(X509_F_ADD_CERT_DIR),	"ADD_CERT_DIR"},
+{ERR_FUNC(X509_F_BY_FILE_CTRL),	"BY_FILE_CTRL"},
+{ERR_FUNC(X509_F_DIR_CTRL),	"DIR_CTRL"},
+{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT),	"GET_CERT_BY_SUBJECT"},
+{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE),	"NETSCAPE_SPKI_b64_decode"},
+{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE),	"NETSCAPE_SPKI_b64_encode"},
+{ERR_FUNC(X509_F_X509V3_ADD_EXT),	"X509v3_add_ext"},
+{ERR_FUNC(X509_F_X509_ADD_ATTR),	"X509_ADD_ATTR"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID),	"X509_ATTRIBUTE_create_by_NID"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ),	"X509_ATTRIBUTE_create_by_OBJ"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT),	"X509_ATTRIBUTE_create_by_txt"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA),	"X509_ATTRIBUTE_get0_data"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA),	"X509_ATTRIBUTE_set1_data"},
+{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY),	"X509_check_private_key"},
+{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID),	"X509_EXTENSION_create_by_NID"},
+{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ),	"X509_EXTENSION_create_by_OBJ"},
+{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS),	"X509_get_pubkey_parameters"},
+{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE),	"X509_load_cert_crl_file"},
+{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE),	"X509_load_cert_file"},
+{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE),	"X509_load_crl_file"},
+{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY),	"X509_NAME_add_entry"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID),	"X509_NAME_ENTRY_create_by_NID"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT),	"X509_NAME_ENTRY_create_by_txt"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT),	"X509_NAME_ENTRY_set_object"},
+{ERR_FUNC(X509_F_X509_NAME_ONELINE),	"X509_NAME_oneline"},
+{ERR_FUNC(X509_F_X509_NAME_PRINT),	"X509_NAME_print"},
+{ERR_FUNC(X509_F_X509_PRINT_FP),	"X509_print_fp"},
+{ERR_FUNC(X509_F_X509_PUBKEY_GET),	"X509_PUBKEY_get"},
+{ERR_FUNC(X509_F_X509_PUBKEY_SET),	"X509_PUBKEY_set"},
+{ERR_FUNC(X509_F_X509_REQ_PRINT),	"X509_REQ_print"},
+{ERR_FUNC(X509_F_X509_REQ_PRINT_FP),	"X509_REQ_print_fp"},
+{ERR_FUNC(X509_F_X509_REQ_TO_X509),	"X509_REQ_to_X509"},
+{ERR_FUNC(X509_F_X509_STORE_ADD_CERT),	"X509_STORE_add_cert"},
+{ERR_FUNC(X509_F_X509_STORE_ADD_CRL),	"X509_STORE_add_crl"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_INIT),	"X509_STORE_CTX_init"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_NEW),	"X509_STORE_CTX_new"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT),	"X509_STORE_CTX_purpose_inherit"},
+{ERR_FUNC(X509_F_X509_TO_X509_REQ),	"X509_to_X509_REQ"},
+{ERR_FUNC(X509_F_X509_TRUST_ADD),	"X509_TRUST_add"},
+{ERR_FUNC(X509_F_X509_TRUST_SET),	"X509_TRUST_set"},
+{ERR_FUNC(X509_F_X509_VERIFY_CERT),	"X509_verify_cert"},
 {0,NULL}
 	};

 static ERR_STRING_DATA X509_str_reasons[]=
 	{
-{X509_R_BAD_X509_FILETYPE                ,"bad x509 filetype"},
-{X509_R_BASE64_DECODE_ERROR              ,"base64 decode error"},
-{X509_R_CANT_CHECK_DH_KEY                ,"cant check dh key"},
-{X509_R_CERT_ALREADY_IN_HASH_TABLE       ,"cert already in hash table"},
-{X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
-{X509_R_INVALID_DIRECTORY                ,"invalid directory"},
-{X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
-{X509_R_INVALID_TRUST                    ,"invalid trust"},
-{X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
-{X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
-{X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
-{X509_R_LOADING_DEFAULTS                 ,"loading defaults"},
-{X509_R_NO_CERT_SET_FOR_US_TO_VERIFY     ,"no cert set for us to verify"},
-{X509_R_SHOULD_RETRY                     ,"should retry"},
-{X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN,"unable to find parameters in chain"},
-{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
-{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
-{X509_R_UNKNOWN_NID                      ,"unknown nid"},
-{X509_R_UNKNOWN_PURPOSE_ID               ,"unknown purpose id"},
-{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
-{X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
-{X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},
-{X509_R_WRONG_TYPE                       ,"wrong type"},
+{ERR_REASON(X509_R_BAD_X509_FILETYPE)    ,"bad x509 filetype"},
+{ERR_REASON(X509_R_BASE64_DECODE_ERROR)  ,"base64 decode error"},
+{ERR_REASON(X509_R_CANT_CHECK_DH_KEY)    ,"cant check dh key"},
+{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
+{ERR_REASON(X509_R_ERR_ASN1_LIB)         ,"err asn1 lib"},
+{ERR_REASON(X509_R_INVALID_DIRECTORY)    ,"invalid directory"},
+{ERR_REASON(X509_R_INVALID_FIELD_NAME)   ,"invalid field name"},
+{ERR_REASON(X509_R_INVALID_TRUST)        ,"invalid trust"},
+{ERR_REASON(X509_R_KEY_TYPE_MISMATCH)    ,"key type mismatch"},
+{ERR_REASON(X509_R_KEY_VALUES_MISMATCH)  ,"key values mismatch"},
+{ERR_REASON(X509_R_LOADING_CERT_DIR)     ,"loading cert dir"},
+{ERR_REASON(X509_R_LOADING_DEFAULTS)     ,"loading defaults"},
+{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
+{ERR_REASON(X509_R_SHOULD_RETRY)         ,"should retry"},
+{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
+{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
+{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE)     ,"unknown key type"},
+{ERR_REASON(X509_R_UNKNOWN_NID)          ,"unknown nid"},
+{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID)   ,"unknown purpose id"},
+{ERR_REASON(X509_R_UNKNOWN_TRUST_ID)     ,"unknown trust id"},
+{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
+{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE)    ,"wrong lookup type"},
+{ERR_REASON(X509_R_WRONG_TYPE)           ,"wrong type"},
 {0,NULL}
 	};

@@ -148,8 +152,8 @@ void ERR_load_X509_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_X509,X509_str_functs);
-		ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
+		ERR_load_strings(0,X509_str_functs);
+		ERR_load_strings(0,X509_str_reasons);
 #endif

 		}
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -64,114 +64,118 @@

 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
+
 static ERR_STRING_DATA X509V3_str_functs[]=
 	{
-{ERR_PACK(0,X509V3_F_COPY_EMAIL,0),	"COPY_EMAIL"},
-{ERR_PACK(0,X509V3_F_COPY_ISSUER,0),	"COPY_ISSUER"},
-{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0),	"DO_EXT_CONF"},
-{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),	"DO_EXT_I2D"},
-{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0),	"I2S_ASN1_IA5STRING"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
-{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),	"I2V_AUTHORITY_INFO_ACCESS"},
-{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0),	"NOTICE_SECTION"},
-{ERR_PACK(0,X509V3_F_NREF_NOS,0),	"NREF_NOS"},
-{ERR_PACK(0,X509V3_F_POLICY_SECTION,0),	"POLICY_SECTION"},
-{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),	"R2I_CERTPOL"},
-{ERR_PACK(0,X509V3_F_R2I_PCI,0),	"R2I_PCI"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),	"s2i_ASN1_INTEGER"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),	"S2I_ASN1_SKEY_ID"},
-{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),	"S2I_S2I_SKEY_ID"},
-{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),	"string_to_hex"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0),	"SXNET_ADD_ASC"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0),	"SXNET_add_id_INTEGER"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),	"SXNET_add_id_ulong"},
-{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),	"SXNET_get_id_asc"},
-{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),	"SXNET_get_id_ulong"},
-{ERR_PACK(0,X509V3_F_V2I_ACCESS_DESCRIPTION,0),	"V2I_ACCESS_DESCRIPTION"},
-{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
-{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
-{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0),	"V2I_CRLD"},
-{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
-{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
-{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),	"v2i_GENERAL_NAMES"},
-{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),	"V3_GENERIC_EXTENSION"},
-{ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0),	"X509V3_ADD_I2D"},
-{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),	"X509V3_add_value"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0),	"X509V3_EXT_add"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),	"X509V3_EXT_add_alias"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),	"X509V3_EXT_conf"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0),	"X509V3_EXT_i2d"},
-{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),	"X509V3_get_value_bool"},
-{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
-{ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),	"X509_PURPOSE_add"},
-{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0),	"X509_PURPOSE_set"},
+{ERR_FUNC(X509V3_F_COPY_EMAIL),	"COPY_EMAIL"},
+{ERR_FUNC(X509V3_F_COPY_ISSUER),	"COPY_ISSUER"},
+{ERR_FUNC(X509V3_F_DO_EXT_CONF),	"DO_EXT_CONF"},
+{ERR_FUNC(X509V3_F_DO_EXT_I2D),	"DO_EXT_I2D"},
+{ERR_FUNC(X509V3_F_HEX_TO_STRING),	"hex_to_string"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),	"i2s_ASN1_ENUMERATED"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING),	"I2S_ASN1_IA5STRING"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER),	"i2s_ASN1_INTEGER"},
+{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),	"I2V_AUTHORITY_INFO_ACCESS"},
+{ERR_FUNC(X509V3_F_NOTICE_SECTION),	"NOTICE_SECTION"},
+{ERR_FUNC(X509V3_F_NREF_NOS),	"NREF_NOS"},
+{ERR_FUNC(X509V3_F_POLICY_SECTION),	"POLICY_SECTION"},
+{ERR_FUNC(X509V3_F_R2I_CERTPOL),	"R2I_CERTPOL"},
+{ERR_FUNC(X509V3_F_R2I_PCI),	"R2I_PCI"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING),	"S2I_ASN1_IA5STRING"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER),	"s2i_ASN1_INTEGER"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),	"s2i_ASN1_OCTET_STRING"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),	"S2I_ASN1_SKEY_ID"},
+{ERR_FUNC(X509V3_F_S2I_S2I_SKEY_ID),	"S2I_S2I_SKEY_ID"},
+{ERR_FUNC(X509V3_F_STRING_TO_HEX),	"string_to_hex"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ASC),	"SXNET_ADD_ASC"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),	"SXNET_add_id_INTEGER"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG),	"SXNET_add_id_ulong"},
+{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC),	"SXNET_get_id_asc"},
+{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG),	"SXNET_get_id_ulong"},
+{ERR_FUNC(X509V3_F_V2I_ACCESS_DESCRIPTION),	"V2I_ACCESS_DESCRIPTION"},
+{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING),	"V2I_ASN1_BIT_STRING"},
+{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID),	"V2I_AUTHORITY_KEYID"},
+{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS),	"V2I_BASIC_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_CRLD),	"V2I_CRLD"},
+{ERR_FUNC(X509V3_F_V2I_EXT_KU),	"V2I_EXT_KU"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME),	"v2i_GENERAL_NAME"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),	"v2i_GENERAL_NAMES"},
+{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION),	"V3_GENERIC_EXTENSION"},
+{ERR_FUNC(X509V3_F_X509V3_ADD_I2D),	"X509V3_ADD_I2D"},
+{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE),	"X509V3_add_value"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_ADD),	"X509V3_EXT_add"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS),	"X509V3_EXT_add_alias"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_CONF),	"X509V3_EXT_conf"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_I2D),	"X509V3_EXT_i2d"},
+{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL),	"X509V3_get_value_bool"},
+{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST),	"X509V3_parse_list"},
+{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD),	"X509_PURPOSE_add"},
+{ERR_FUNC(X509V3_F_X509_PURPOSE_SET),	"X509_PURPOSE_set"},
 {0,NULL}
 	};

 static ERR_STRING_DATA X509V3_str_reasons[]=
 	{
-{X509V3_R_BAD_IP_ADDRESS                 ,"bad ip address"},
-{X509V3_R_BAD_OBJECT                     ,"bad object"},
-{X509V3_R_BN_DEC2BN_ERROR                ,"bn dec2bn error"},
-{X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
-{X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
-{X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
-{X509V3_R_ERROR_CREATING_EXTENSION       ,"error creating extension"},
-{X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
-{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
-{X509V3_R_EXTENSION_EXISTS               ,"extension exists"},
-{X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
-{X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
-{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
-{X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
-{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
-{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG    ,"incorrect policy syntax tag"},
-{X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
-{X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
-{X509V3_R_INVALID_NAME                   ,"invalid name"},
-{X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
-{X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
-{X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
-{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
-{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
-{X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
-{X509V3_R_INVALID_OPTION                 ,"invalid option"},
-{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
-{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
-{X509V3_R_INVALID_PROXY_POLICY_SETTING   ,"invalid proxy policy setting"},
-{X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
-{X509V3_R_INVALID_SECTION                ,"invalid section"},
-{X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
-{X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
-{X509V3_R_MISSING_VALUE                  ,"missing value"},
-{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
-{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
-{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
-{X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
-{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
-{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
-{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
-{X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
-{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
-{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
-{X509V3_R_POLICY_PATH_LENGTH             ,"policy path length"},
-{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
-{X509V3_R_POLICY_SYNTAX_NOT              ,"policy syntax not"},
-{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
-{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
-{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
-{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
-{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
-{X509V3_R_UNKNOWN_EXTENSION              ,"unknown extension"},
-{X509V3_R_UNKNOWN_EXTENSION_NAME         ,"unknown extension name"},
-{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
-{X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
-{X509V3_R_USER_TOO_LONG                  ,"user too long"},
+{ERR_REASON(X509V3_R_BAD_IP_ADDRESS)     ,"bad ip address"},
+{ERR_REASON(X509V3_R_BAD_OBJECT)         ,"bad object"},
+{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    ,"bn dec2bn error"},
+{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
+{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  ,"duplicate zone id"},
+{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
+{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
+{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"},
+{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"},
+{ERR_REASON(X509V3_R_EXTENSION_EXISTS)   ,"extension exists"},
+{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"},
+{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
+{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
+{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
+{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  ,"illegal hex digit"},
+{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
+{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
+{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
+{ERR_REASON(X509V3_R_INVALID_NAME)       ,"invalid name"},
+{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
+{ERR_REASON(X509V3_R_INVALID_NULL_NAME)  ,"invalid null name"},
+{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"},
+{ERR_REASON(X509V3_R_INVALID_NUMBER)     ,"invalid number"},
+{ERR_REASON(X509V3_R_INVALID_NUMBERS)    ,"invalid numbers"},
+{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
+{ERR_REASON(X509V3_R_INVALID_OPTION)     ,"invalid option"},
+{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
+{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER),"invalid proxy policy identifier"},
+{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
+{ERR_REASON(X509V3_R_INVALID_PURPOSE)    ,"invalid purpose"},
+{ERR_REASON(X509V3_R_INVALID_SECTION)    ,"invalid section"},
+{ERR_REASON(X509V3_R_INVALID_SYNTAX)     ,"invalid syntax"},
+{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
+{ERR_REASON(X509V3_R_MISSING_VALUE)      ,"missing value"},
+{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"},
+{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"},
+{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"},
+{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS)  ,"no issuer details"},
+{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"},
+{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"},
+{ERR_REASON(X509V3_R_NO_PUBLIC_KEY)      ,"no public key"},
+{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
+{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
+{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT)  ,"policy syntax not"},
+{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
+{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
+{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
+{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
+{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
+{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION)  ,"unknown extension"},
+{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
+{ERR_REASON(X509V3_R_UNKNOWN_OPTION)     ,"unknown option"},
+{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
+{ERR_REASON(X509V3_R_USER_TOO_LONG)      ,"user too long"},
 {0,NULL}
 	};

@@ -185,8 +189,8 @@ void ERR_load_X509V3_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
-		ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
+		ERR_load_strings(0,X509V3_str_functs);
+		ERR_load_strings(0,X509V3_str_reasons);
 #endif

 		}
--- a/Show More
+++ b/Show More