import openssl-0.9.7d

22 files changed, 852 insertions, 29 deletions

diff --git a/lib/libssl/src/certs/expired/vsign3.pem b/lib/libssl/src/certs/expired/vsign3.pem
new file mode 100644
index 00000000000..aa5bb4c1f32
--- /dev/null
+++ b/lib/libssl/src/certs/expired/vsign3.pem
@@ -0,0 +1,18 @@
+subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+notBefore=Jan 29 00:00:00 1996 GMT
+notAfter=Jan  7 23:59:59 2004 GMT
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
+bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
+RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
+rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
+BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
+STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
+ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
+pA==
+-----END CERTIFICATE-----
diff --git a/lib/libssl/src/crypto/asn1/asn_moid.c b/lib/libssl/src/crypto/asn1/asn_moid.c
index be20db4bad7..edb44c988f0 100644
--- a/lib/libssl/src/crypto/asn1/asn_moid.c
+++ b/lib/libssl/src/crypto/asn1/asn_moid.c
@@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 			}
 		}
 	return 1;
-}
+	}
+
+static void oid_module_finish(CONF_IMODULE *md)
+	{
+	OBJ_cleanup();
+	}
 
 void ASN1_add_oid_module(void)
 	{
-	CONF_module_add("oid_section", oid_module_init, 0);
+	CONF_module_add("oid_section", oid_module_init, oid_module_finish);
 	}
diff --git a/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c b/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c
index b97b394661a..450e8e43228 100644
--- a/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c
+++ b/lib/libssl/src/crypto/bn/asm/x86_64-gcc.c
@@ -142,7 +142,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
 BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 {	BN_ULONG ret,waste;
 
-	asm ("divq	%3"
+	asm ("divq	%4"
 		: "=a"(ret),"=d"(waste)
 		: "a"(l),"d"(h),"g"(d)
 		: "cc");
diff --git a/lib/libssl/src/crypto/ec/ecp_smpl.c b/lib/libssl/src/crypto/ec/ecp_smpl.c
index 4666a052bfa..e9a51fb87a1 100644
--- a/lib/libssl/src/crypto/ec/ecp_smpl.c
+++ b/lib/libssl/src/crypto/ec/ecp_smpl.c
@@ -896,7 +896,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 		}
 	form = buf[0];
 	y_bit = form & 1;
-	form = form & ~1;
+	form = form & ~1U;
 	if ((form != 0)	&& (form != POINT_CONVERSION_COMPRESSED)
 		&& (form != POINT_CONVERSION_UNCOMPRESSED)
 		&& (form != POINT_CONVERSION_HYBRID))
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_ext.c b/lib/libssl/src/crypto/ocsp/ocsp_ext.c
index d6c8899f58e..57399433fc4 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_ext.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_ext.c
@@ -305,6 +305,8 @@ err:
 
 /* Add a nonce to an extension stack. A nonce can be specificed or if NULL
  * a random nonce will be generated.
+ * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the 
+ * nonce, previous versions used the raw nonce.
  */
 
 static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
@@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
 	ASN1_OCTET_STRING os;
 	int ret = 0;
 	if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
-	if (val) tmpval = val;
+	/* Create the OCTET STRING manually by writing out the header and
+	 * appending the content octets. This avoids an extra memory allocation
+	 * operation in some cases. Applications should *NOT* do this because
+         * it relies on library internals.
+	 */
+	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
+	os.data = OPENSSL_malloc(os.length);
+	if (os.data == NULL)
+		goto err;
+	tmpval = os.data;
+	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
+	if (val)
+		memcpy(tmpval, val, len);
 	else
-		{
-		if (!(tmpval = OPENSSL_malloc(len))) goto err;
 		RAND_pseudo_bytes(tmpval, len);
-		}
-	os.data = tmpval;
-	os.length = len;
 	if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
 			&os, 0, X509V3_ADD_REPLACE))
 				goto err;
 	ret = 1;
 	err:
-	if(!val) OPENSSL_free(tmpval);
+	if (os.data)
+		OPENSSL_free(os.data);
 	return ret;
 	}
 
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_lib.c b/lib/libssl/src/crypto/ocsp/ocsp_lib.c
index 3875af165c7..9e87fc78957 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_lib.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_lib.c
@@ -253,6 +253,7 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
 
 	err:
+	if (buf) OPENSSL_free(buf);
 	if (*ppath) OPENSSL_free(*ppath);
 	if (*pport) OPENSSL_free(*pport);
 	if (*phost) OPENSSL_free(*phost);
diff --git a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
index 1f5fda7ca31..3d58dfb06cf 100644
--- a/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
+++ b/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -272,7 +272,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
 
 	for (i = 1; i < idcount; i++)
 		{
-		tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+		tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
 		/* Check to see if IDs match */
 		if (OCSP_id_issuer_cmp(cid, tmpid))
 			{
@@ -330,7 +330,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
 		OCSP_CERTID *tmpid;
 		for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
 			{
-			tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+			tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
 			ret = ocsp_match_issuerid(cert, tmpid, NULL);
 			if (ret <= 0) return ret;
 			}
diff --git a/lib/libssl/src/crypto/rc5/rc5_locl.h b/lib/libssl/src/crypto/rc5/rc5_locl.h
new file mode 100644
index 00000000000..f4ebc23004b
--- /dev/null
+++ b/lib/libssl/src/crypto/rc5/rc5_locl.h
@@ -0,0 +1,207 @@
+/* crypto/rc5/rc5_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+
+#undef c2l
+#define c2l(c,l)	(l =((unsigned long)(*((c)++)))    , \
+			 l|=((unsigned long)(*((c)++)))<< 8L, \
+			 l|=((unsigned long)(*((c)++)))<<16L, \
+			 l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+			case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+			case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+			case 5: l2|=((unsigned long)(*(--(c))));     \
+			case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+			case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+			case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+			case 1: l1|=((unsigned long)(*(--(c))));     \
+				} \
+			}
+
+#undef l2c
+#define l2c(l,c)	(*((c)++)=(unsigned char)(((l)     )&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+				} \
+			}
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n)	{ \
+			c+=n; \
+			l1=l2=0; \
+			switch (n) { \
+			case 8: l2 =((unsigned long)(*(--(c))))    ; \
+			case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+			case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+			case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+			case 4: l1 =((unsigned long)(*(--(c))))    ; \
+			case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+			case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+			case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+				} \
+			}
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n)	{ \
+			c+=n; \
+			switch (n) { \
+			case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+			case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+			case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+			case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+			case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+			case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+			case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+			case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+				} \
+			}
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
+#define ROTATE_l32(a,n)     _lrotl(a,n)
+#define ROTATE_r32(a,n)     _lrotr(a,n)
+#elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
+# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
+#  define ROTATE_l32(a,n)	({ register unsigned int ret;	\
+					asm ("roll %%cl,%0"	\
+						: "=r"(ret)	\
+						: "c"(n),"0"(a)	\
+						: "cc");	\
+					ret;			\
+				})
+#  define ROTATE_r32(a,n)	({ register unsigned int ret;	\
+					asm ("rorl %%cl,%0"	\
+						: "=r"(ret)	\
+						: "c"(n),"0"(a)	\
+						: "cc");	\
+					ret;			\
+				})
+# endif
+#endif
+#ifndef ROTATE_l32
+#define ROTATE_l32(a,n)     (((a)<<(n&0x1f))|(((a)&0xffffffff)>>(32-(n&0x1f))))
+#endif
+#ifndef ROTATE_r32
+#define ROTATE_r32(a,n)     (((a)<<(32-(n&0x1f)))|(((a)&0xffffffff)>>(n&0x1f)))
+#endif
+
+#define RC5_32_MASK	0xffffffffL
+
+#define RC5_16_P	0xB7E1
+#define RC5_16_Q	0x9E37
+#define RC5_32_P	0xB7E15163L
+#define RC5_32_Q	0x9E3779B9L
+#define RC5_64_P	0xB7E151628AED2A6BLL
+#define RC5_64_Q	0x9E3779B97F4A7C15LL
+
+#define E_RC5_32(a,b,s,n) \
+	a^=b; \
+	a=ROTATE_l32(a,b); \
+	a+=s[n]; \
+	a&=RC5_32_MASK; \
+	b^=a; \
+	b=ROTATE_l32(b,a); \
+	b+=s[n+1]; \
+	b&=RC5_32_MASK;
+
+#define D_RC5_32(a,b,s,n) \
+	b-=s[n+1]; \
+	b&=RC5_32_MASK; \
+	b=ROTATE_r32(b,a); \
+	b^=a; \
+	a-=s[n]; \
+	a&=RC5_32_MASK; \
+	a=ROTATE_r32(a,b); \
+	a^=b;
+
+
+
diff --git a/lib/libssl/src/doc/apps/config.pod b/lib/libssl/src/doc/apps/config.pod
index ce874a42ce1..8f823fa6d69 100644
--- a/lib/libssl/src/doc/apps/config.pod
+++ b/lib/libssl/src/doc/apps/config.pod
@@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files
 The OpenSSL CONF library can be used to read configuration files.
 It is used for the OpenSSL master configuration file B<openssl.cnf>
 and in a few other places like B<SPKAC> files and certificate extension
-files for the B<x509> utility.
+files for the B<x509> utility. OpenSSL applications can also use the
+CONF library for their own purposes.
 
 A configuration file is divided into a number of sections. Each section
 starts with a line B<[ section_name ]> and ends when a new section is
@@ -51,13 +52,146 @@ or the B<\> character. By making the last character of a line a B<\>
 a B<value> string can be spread across multiple lines. In addition
 the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
 
+=head1 OPENSSL LIBRARY CONFIGURATION
+
+In OpenSSL 0.9.7 and later applications can automatically configure certain
+aspects of OpenSSL using the master OpenSSL configuration file, or optionally
+an alternative configuration file. The B<openssl> utility includes this
+functionality: any sub command uses the master OpenSSL configuration file
+unless an option is used in the sub command to use an alternative configuration
+file.
+
+To enable library configuration the default section needs to contain an 
+appropriate line which points to the main configuration section. The default
+name is B<openssl_conf> which is used by the B<openssl> utility. Other
+applications may use an alternative name such as B<myapplicaton_conf>.
+
+The configuration section should consist of a set of name value pairs which
+contain specific module configuration information. The B<name> represents
+the name of the I<configuration module> the meaning of the B<value> is 
+module specific: it may, for example, represent a further configuration
+section containing configuration module specific information. E.g.
+
+ openssl_conf = openssl_init
+
+ [openssl_init]
+
+ oid_section = new_oids
+ engines = engine_section
+
+ [new_oids]
+
+ ... new oids here ...
+
+ [engine_section]
+
+ ... engine stuff here ...
+
+Currently there are two configuration modules. One for ASN1 objects another
+for ENGINE configuration.
+
+=head2 ASN1 OBJECT CONFIGURATION MODULE
+
+This module has the name B<oid_section>. The value of this variable points
+to a section containing name value pairs of OIDs: the name is the OID short
+and long name, the value is the numerical form of the OID. Although some of
+the B<openssl> utility sub commands already have their own ASN1 OBJECT section
+functionality not all do. By using the ASN1 OBJECT configuration module
+B<all> the B<openssl> utility sub commands can see the new objects as well
+as any compliant applications. For example:
+
+ [new_oids]
+ 
+ some_new_oid = 1.2.3.4
+ some_other_oid = 1.2.3.5
+
+=head2 ENGINE CONFIGURATION MODULE
+
+This ENGINE configuration module has the name B<engines>. The value of this
+variable points to a section containing further ENGINE configuration
+information.
+
+The section pointed to by B<engines> is a table of engine names (though see
+B<engine_id> below) and further sections containing configuration informations
+specific to each ENGINE.
+
+Each ENGINE specific section is used to set default algorithms, load
+dynamic, perform initialization and send ctrls. The actual operation performed
+depends on the I<command> name which is the name of the name value pair. The
+currently supported commands are listed below.
+
+For example:
+
+ [engine_section]
+
+ # Configure ENGINE named "foo"
+ foo = foo_section
+ # Configure ENGINE named "bar"
+ bar = bar_section
+
+ [foo_section]
+ ... foo ENGINE specific commands ...
+
+ [bar_section]
+ ... "bar" ENGINE specific commands ...
+
+The command B<engine_id> is used to give the ENGINE name. If used this 
+command must be first. For example:
+
+ [engine_section]
+ # This would normally handle an ENGINE named "foo"
+ foo = foo_section
+
+ [foo_section]
+ # Override default name and use "myfoo" instead.
+ engine_id = myfoo
+
+The command B<dynamic_path> loads and adds an ENGINE from the given path. It
+is equivalent to sending the ctrls B<SO_PATH> with the path argument followed
+by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is
+not the required behaviour then alternative ctrls can be sent directly
+to the dynamic ENGINE using ctrl commands.
+
+The command B<init> determines whether to initialize the ENGINE. If the value
+is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to
+initialized the ENGINE immediately. If the B<init> command is not present
+then an attempt will be made to initialize the ENGINE after all commands in
+its section have been processed.
+
+The command B<default_algorithms> sets the default algorithms an ENGINE will
+supply using the functions B<ENGINE_set_default_string()>
+
+If the name matches none of the above command names it is assumed to be a
+ctrl command which is sent to the ENGINE. The value of the command is the 
+argument to the ctrl command. If the value is the string B<EMPTY> then no
+value is sent to the command.
+
+For example:
+
+
+ [engine_section]
+
+ # Configure ENGINE named "foo"
+ foo = foo_section
+
+ [foo_section]
+ # Load engine from DSO
+ dynamic_path = /some/path/fooengine.so
+ # A foo specific ctrl.
+ some_ctrl = some_value
+ # Another ctrl that doesn't take a value.
+ other_ctrl = EMPTY
+ # Supply all default algorithms
+ default_algorithms = ALL
+
 =head1 NOTES
 
 If a configuration file attempts to expand a variable that doesn't exist
 then an error is flagged and the file will not load. This can happen
 if an attempt is made to expand an environment variable that doesn't
-exist. For example the default OpenSSL master configuration file used
-the value of B<HOME> which may not be defined on non Unix systems.
+exist. For example in a previous version of OpenSSL the default OpenSSL
+master configuration file used the value of B<HOME> which may not be
+defined on non Unix systems and would cause an error.
 
 This can be worked around by including a B<default> section to provide
 a default value: then if the environment lookup fails the default value
diff --git a/lib/libssl/src/doc/apps/s_time.pod b/lib/libssl/src/doc/apps/s_time.pod
new file mode 100644
index 00000000000..5a38aa2e039
--- /dev/null
+++ b/lib/libssl/src/doc/apps/s_time.pod
@@ -0,0 +1,173 @@
+
+=pod
+
+=head1 NAME
+
+s_time - SSL/TLS performance timing program
+
+=head1 SYNOPSIS
+
+B<openssl> B<s_time>
+[B<-connect host:port>]
+[B<-www page>]
+[B<-cert filename>]
+[B<-key filename>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-reuse>]
+[B<-new>]
+[B<-verify depth>]
+[B<-nbio>]
+[B<-time seconds>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-bugs>]
+[B<-cipher cipherlist>]
+
+=head1 DESCRIPTION
+
+The B<s_client> command implements a generic SSL/TLS client which connects to a
+remote host using SSL/TLS. It can request a page from the server and includes
+the time to transfer the payload data in its timing measurements. It measures
+the number of connections within a given timeframe, the amount of data
+transferred (if any), and calculates the average time spent for one connection.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-connect host:port>
+
+This specifies the host and optional port to connect to.
+
+=item B<-www page>
+
+This specifies the page to GET from the server. A value of '/' gets the
+index.htm[l] page. If this parameter is not specified, then B<s_time> will only
+perform the handshake to establish SSL connections but not transfer any
+payload data.
+
+=item B<-cert certname>
+
+The certificate to use, if one is requested by the server. The default is
+not to use a certificate. The file is in PEM format.
+
+=item B<-key keyfile>
+
+The private key to use. If not specified then the certificate file will
+be used. The file is in PEM format.
+
+=item B<-verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+
+=item B<-CApath directory>
+
+The directory to use for server certificate verification. This directory
+must be in "hash format", see B<verify> for more information. These are
+also used when building the client certificate chain.
+
+=item B<-CAfile file>
+
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+
+=item B<-new>
+
+performs the timing test using a new session ID for each connection.
+If neither B<-new> nor B<-reuse> are specified, they are both on by default
+and executed in sequence.
+
+=item B<-reuse>
+
+performs the timing test using the same session ID; this can be used as a test
+that session caching is working. If neither B<-new> nor B<-reuse> are
+specified, they are both on by default and executed in sequence.
+
+=item B<-nbio>
+
+turns on non-blocking I/O.
+
+=item B<-ssl2>, B<-ssl3>
+
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+The timing program is not as rich in options to turn protocols on and off as
+the L<s_client(1)|s_client(1)> program and may not connect to all servers.
+
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect. Some servers only
+work if TLS is turned off with the B<-ssl3> option; others
+will only support SSL v2 and may need the B<-ssl2> option.
+
+=item B<-bugs>
+
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+
+=item B<-cipher cipherlist>
+
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client.
+See the L<ciphers(1)|ciphers(1)> command for more information.
+
+=item B<-time length>
+
+specifies how long (in seconds) B<s_time> should establish connections and
+optionally transfer payload data from a server. Server and client performance
+and the link speed determine how many connections B<s_time> can establish.
+
+=back
+
+=head1 NOTES
+
+B<s_client> can be used to measure the performance of an SSL connection.
+To connect to an SSL HTTP server and get the default page the command
+
+ openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
+
+would typically be used (https uses port 443). 'commoncipher' is a cipher to
+which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command
+for details.
+
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+B<-ssl3> options can be tried
+in case it is a buggy server. In particular you should play with these
+options B<before> submitting a bug report to an OpenSSL mailing list.
+
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its "acceptable CA list" when it
+requests a certificate. By using L<s_client(1)|s_client(1)> the CA list can be
+viewed and checked. However some servers only request client authentication
+after a specific URL is requested. To obtain the list in this case it
+is necessary to use the B<-prexit> option of L<s_client(1)|s_client(1)> and
+send an HTTP request for an appropriate page.
+
+If a certificate is specified on the command line using the B<-cert>
+option it will not be used unless the server specifically requests
+a client certificate. Therefor merely including a client certificate
+on the command line is no guarantee that the certificate works.
+
+=head1 BUGS
+
+Because this program does not have all the options of the
+L<s_client(1)|s_client(1)> program to turn protocols on and off, you may not be
+able to measure the performance of all protocols with all servers.
+
+The B<-verify> option should really exit if the server verification
+fails.
+
+=head1 SEE ALSO
+
+L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/lib/libssl/src/doc/crypto/BIO_f_ssl.pod b/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
index a56ee2b92f2..f0b731731f5 100644
--- a/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
+++ b/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
@@ -287,8 +287,8 @@ a client and also echoes the request to standard output.
 	return 0;
  }
 
- BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n");
- BIO_puts(sbio, "<pre>\r\nConnection Established\r\nRequest headers:\r\n");
+ BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n");
+ BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
  BIO_puts(sbio, "--------------------------------------------------\r\n");
 
  for(;;) {
@@ -301,7 +301,7 @@ a client and also echoes the request to standard output.
  }
 
  BIO_puts(sbio, "--------------------------------------------------\r\n");
- BIO_puts(sbio, "</pre>\r\n");
+ BIO_puts(sbio, "\r\n");
 
  /* Since there is a buffering BIO present we had better flush it */
  BIO_flush(sbio);
diff --git a/lib/libssl/src/doc/crypto/CONF_modules_free.pod b/lib/libssl/src/doc/crypto/CONF_modules_free.pod
new file mode 100644
index 00000000000..af8ae6a5c92
--- /dev/null
+++ b/lib/libssl/src/doc/crypto/CONF_modules_free.pod
@@ -0,0 +1,47 @@
+=pod
+
+=head1 NAME
+
+ CONF_modules_free, CONF_modules_load, CONF_modules_unload -
+ OpenSSL configuration cleanup functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ void CONF_modules_free(void);
+ void CONF_modules_unload(int all);
+ void CONF_modules_finish(void);
+
+=head1 DESCRIPTION
+
+CONF_modules_free() closes down and frees up all memory allocated by all
+configuration modules.
+
+CONF_modules_finish() calls each configuration modules B<finish> handler
+to free up any configuration that module may have performed.
+
+CONF_modules_unload() finishes and unloads configuration modules. If
+B<all> is set to B<0> only modules loaded from DSOs will be unloads. If
+B<all> is B<1> all modules, including builtin modules will be unloaded.
+
+=head1 NOTES
+
+Normally applications will only call CONF_modules_free() at application to
+tidy up any configuration performed.
+
+=head1 RETURN VALUE
+
+None of the functions return a value.
+
+=head1 SEE ALSO
+
+L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
+L<CONF_modules_load_file(3), CONF_modules_load_file(3)>
+
+=head1 HISTORY
+
+CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish()
+first appeared in OpenSSL 0.9.7.
+
+=cut
diff --git a/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod b/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
new file mode 100644
index 00000000000..9965d69bf2e
--- /dev/null
+++ b/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
@@ -0,0 +1,60 @@
+=pod
+
+=head1 NAME
+
+ CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ int CONF_modules_load_file(const char *filename, const char *appname,
+			   unsigned long flags);
+ int CONF_modules_load(const CONF *cnf, const char *appname,
+		      unsigned long flags);
+
+=head1 DESCRIPTION
+
+The function CONF_modules_load_file() configures OpenSSL using file
+B<filename> and application name B<appname>. If B<filename> is NULL
+the standard OpenSSL configuration file is used. If B<appname> is
+NULL the standard OpenSSL application name B<openssl_conf> is used.
+The behaviour can be cutomized using B<flags>.
+
+CONF_modules_load() is idential to CONF_modules_load_file() except it
+read configuration information from B<cnf>. 
+
+=head1 NOTES
+
+The following B<flags> are currently recognized:
+
+B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual
+configuration modules are ignored. If not set the first module error is
+considered fatal and no further modules are loads.
+
+Normally any modules errors will add error information to the error queue. If
+B<CONF_MFLAGS_SILENT> is set no error information is added.
+
+If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is
+disabled.
+
+B<CONF_MFLAGS_IGNORE_MISSING_FILE> if set will make CONF_load_modules_file()
+ignore missing configuration files. Normally a missing configuration file
+return an error.
+
+=head1 RETURN VALUE
+
+These functions return 1 for success and a zero or negative value for
+failure. If module errors are not ignored the return code will reflect the
+return value of the failing module (this will always be zero or negative).
+
+=head1 SEE ALSO
+
+L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
+L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>
+
+=head1 HISTORY
+
+CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7.
+
+=cut
diff --git a/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod b/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
index 5ce4add0821..016381f3e99 100644
--- a/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
+++ b/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
- EVP_BytesToKey - password based encryption routine
+EVP_BytesToKey - password based encryption routine
 
 =head1 SYNOPSIS
 
diff --git a/lib/libssl/src/doc/crypto/OPENSSL_config.pod b/lib/libssl/src/doc/crypto/OPENSSL_config.pod
new file mode 100644
index 00000000000..16600620ccf
--- /dev/null
+++ b/lib/libssl/src/doc/crypto/OPENSSL_config.pod
@@ -0,0 +1,82 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ void OPENSSL_config(const char *config_name);
+ void OPENSSL_no_config(void);
+
+=head1 DESCRIPTION
+
+OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf>
+configuration file name using B<config_name>. If B<config_name> is NULL then
+the default name B<openssl_conf> will be used. Any errors are ignored. Further
+calls to OPENSSL_config() will have no effect. The configuration file format
+is documented in the L<conf(5)|conf(5)> manual page.
+
+OPENSSL_no_config() disables configuration. If called before OPENSSL_config()
+no configuration takes place.
+
+=head1 NOTES
+
+It is B<strongly> recommended that B<all> new applications call OPENSSL_config()
+or the more sophisticated functions such as CONF_modules_load() during
+initialization (that is before starting any threads). By doing this
+an application does not need to keep track of all configuration options
+and some new functionality can be supported automatically.
+
+It is also possible to automatically call OPENSSL_config() when an application
+calls OPENSSL_add_all_algorithms() by compiling an application with the
+preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
+can be added without source changes.
+
+The environment variable B<OPENSSL_CONFIG> can be set to specify the location
+of the configuration file.
+ 
+Currently ASN1 OBJECTs and ENGINE configuration can be performed future
+versions of OpenSSL will add new configuration options.
+
+There are several reasons why calling the OpenSSL configuration routines is
+advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7.
+In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be
+used (among other things) to load dynamic ENGINEs from shared libraries (DSOs).
+However very few applications currently support the control interface and so
+very few can load and use dynamic ENGINEs. Equally in future more sophisticated
+ENGINEs will require certain control operations to customize them. If an
+application calls OPENSSL_config() it doesn't need to know or care about
+ENGINE control operations because they can be performed by editing a
+configuration file.
+
+Applications should free up configuration at application closedown by calling
+CONF_modules_free().
+
+=head1 RESTRICTIONS
+
+The OPENSSL_config() function is designed to be a very simple "call it and
+forget it" function. As a result its behaviour is somewhat limited. It ignores
+all errors silently and it can only load from the standard configuration file
+location for example.
+
+It is however B<much> better than nothing. Applications which need finer
+control over their configuration functionality should use the configuration
+functions such as CONF_load_modules() directly.
+
+=head1 RETURN VALUES
+
+Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
+
+=head1 SEE ALSO
+
+L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
+L<CONF_modules_free(3),CONF_modules_free(3)>
+
+=head1 HISTORY
+
+OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7
+
+=cut
diff --git a/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod b/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod
new file mode 100644
index 00000000000..f14dfaf005d
--- /dev/null
+++ b/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_load_builtin_modules - add standard configuration modules
+
+=head1 SYNOPSIS
+
+ #include <openssl/conf.h>
+
+ void OPENSSL_load_builtin_modules(void);
+ void ASN1_add_oid_module(void);
+ ENGINE_add_conf_module();
+
+=head1 DESCRIPTION
+
+The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL
+configuration modules to the internal list. They can then be used by the
+OpenSSL configuration code.
+
+ASN1_add_oid_module() adds just the ASN1 OBJECT module.
+
+ENGINE_add_conf_module() adds just the ENGINE configuration module.
+
+=head1 NOTES
+
+If the simple configuration function OPENSSL_config() is called then 
+OPENSSL_load_builtin_modules() is called automatically.
+
+Applications which use the configuration functions directly will need to
+call OPENSSL_load_builtin_modules() themselves I<before> any other 
+configuration code.
+
+Applications should call OPENSSL_load_builtin_modules() to load all
+configuration modules instead of adding modules selectively: otherwise 
+functionality may be missing from the application if an when new
+modules are added.
+
+=head1 RETURN VALUE
+
+None of the functions return a value.
+
+=head1 SEE ALSO
+
+L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)>
+
+=head1 HISTORY
+
+These functions first appeared in OpenSSL 0.9.7.
+
+=cut
diff --git a/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod b/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod
index 6ebd30427b8..22c1b50f228 100644
--- a/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod
+++ b/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod
@@ -9,6 +9,7 @@ and parsing functions.
 =head1 SYNOPSIS
 
  #include <openssl/dsa.h>
+ #include <openssl/x509.h>
 
  DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
 
@@ -35,8 +36,8 @@ and parsing functions.
 d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key
 components structure.
 
-d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a
-SubjectPublicKeyInfo (certificate public key) structure.
+d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using
+a SubjectPublicKeyInfo (certificate public key) structure.
 
 d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key
 components.
diff --git a/lib/libssl/src/doc/crypto/pem.pod b/lib/libssl/src/doc/crypto/pem.pod
index a4f8cc33376..8613114452e 100644
--- a/lib/libssl/src/doc/crypto/pem.pod
+++ b/lib/libssl/src/doc/crypto/pem.pod
@@ -330,7 +330,7 @@ most of them are set to 0 or NULL.
 Read a certificate in PEM format from a BIO:
 
  X509 *x;
- x = PEM_read_bio(bp, NULL, 0, NULL);
+ x = PEM_read_bio_X509(bp, NULL, 0, NULL);
  if (x == NULL)
 	{
 	/* Error */
@@ -459,12 +459,12 @@ returned by EVP_bytestokey().
 The PEM read routines in some versions of OpenSSL will not correctly reuse
 an existing structure. Therefore the following:
 
- PEM_read_bio(bp, &x, 0, NULL);
+ PEM_read_bio_X509(bp, &x, 0, NULL);
 
 where B<x> already contains a valid certificate, may not work, whereas: 
 
  X509_free(x);
- x = PEM_read_bio(bp, NULL, 0, NULL);
+ x = PEM_read_bio_X509(bp, NULL, 0, NULL);
 
 is guaranteed to work.
 
diff --git a/lib/libssl/src/doc/crypto/ui.pod b/lib/libssl/src/doc/crypto/ui.pod
index 2b3535a7461..6df68d604a8 100644
--- a/lib/libssl/src/doc/crypto/ui.pod
+++ b/lib/libssl/src/doc/crypto/ui.pod
@@ -5,7 +5,7 @@
 UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string,
 UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean,
 UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string,
-UI_add_error_string, UI_dup_error_string, UI_construct_prompt
+UI_add_error_string, UI_dup_error_string, UI_construct_prompt,
 UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process,
 UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method,
 UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface
diff --git a/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod b/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
index 2a987391147..42fa66b1975 100644
--- a/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
+++ b/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values:
 
 =over 4
 
-=item 1
+=item 0
 
 The operation succeeded.
 
-=item 0
+=item 1
 
 The operation failed. Check the error queue to find out the reason.
 
diff --git a/lib/libssl/src/os2/backwardify.pl b/lib/libssl/src/os2/backwardify.pl
new file mode 100644
index 00000000000..272423c8fa1
--- /dev/null
+++ b/lib/libssl/src/os2/backwardify.pl
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -w
+use strict;
+
+# Use as $0
+# Use as $0 -noname
+
+my $did_library;
+my $did_description;
+my $do_exports;
+my @imports;
+my $noname = (@ARGV and $ARGV[0] eq '-noname' and shift);
+while (<>) {
+  unless ($did_library) {
+    s/\b(cryptssl)\b/crypto/ and $did_library = $1 if /^LIBRARY\s+cryptssl\b/;
+    s/\b(open_ssl)\b/ssl/    and $did_library = $1 if /^LIBRARY\s+open_ssl\b/;
+  }
+  unless ($did_description) {
+    s&^(DESCRIPTION\s+(['"])).*&${1}\@#www.openssl.org/:#\@forwarder DLL for pre-0.9.7c+ OpenSSL to the new dll naming scheme$2& and $did_description++;
+  }
+  if ($do_exports) {{
+    last unless /\S/;
+    warn, last unless /^ \s* ( \w+ ) \s+ \@(\d+)\s*$/x;
+    push @imports, [$1, $2];
+    s/$/ NONAME/ if $noname;
+  }}
+  $do_exports++ if not $do_exports and /^EXPORTS/;
+  print $_;
+}
+print "IMPORTS\n";
+for my $imp (@imports) {
+  print "\t$imp->[0]=$did_library.$imp->[1]\n";
+}
diff --git a/lib/libssl/src/util/extract-names.pl b/lib/libssl/src/util/extract-names.pl
index 9f2ad5ef166..744a8e2324e 100644
--- a/lib/libssl/src/util/extract-names.pl
+++ b/lib/libssl/src/util/extract-names.pl
@@ -10,6 +10,8 @@ while(<STDIN>) {
 	if (/ - /) {
 	    s/ - .*//;
 	    s/,[ \t]+/,/g;
+	    s/^[ \t]+//g;
+	    s/[ \t]+$//g;
 	    push @words, split ',';
 	}
     }