From owner-svn-src-head@FreeBSD.ORG  Sat Mar 13 19:22:41 2010
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CD076106566B;
	Sat, 13 Mar 2010 19:22:41 +0000 (UTC)
	(envelope-from simon@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id B72558FC0A;
	Sat, 13 Mar 2010 19:22:41 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o2DJMfO8010399;
	Sat, 13 Mar 2010 19:22:41 GMT (envelope-from simon@svn.freebsd.org)
Received: (from simon@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id o2DJMfY4010389;
	Sat, 13 Mar 2010 19:22:41 GMT (envelope-from simon@svn.freebsd.org)
Message-Id: <201003131922.o2DJMfY4010389@svn.freebsd.org>
From: "Simon L. Nielsen" <simon@FreeBSD.org>
Date: Sat, 13 Mar 2010 19:22:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r205128 - in head: crypto/openssl crypto/openssl/apps
	crypto/openssl/crypto crypto/openssl/crypto/aes
	crypto/openssl/crypto/aes/asm crypto/openssl/crypto/asn1
	crypto/openssl/crypto/bio ...
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Mar 2010 19:22:41 -0000

Author: simon
Date: Sat Mar 13 19:22:41 2010
New Revision: 205128
URL: http://svn.freebsd.org/changeset/base/205128

Log:
  Merge OpenSSL 0.9.8m into head.
  
  This also "reverts" some FreeBSD local changes so we should now
  be back to using entirely stock OpenSSL.  The local changes were
  simple $FreeBSD$ lines additions, which were required in the CVS
  days, and the patch for FreeBSD-SA-09:15.ssl which has been
  superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation
  extension' support.
  
  MFC after:	3 weeks

Added:
  head/crypto/openssl/engines/alpha.opt
     - copied unchanged from r204836, vendor-crypto/openssl/dist/engines/alpha.opt
  head/crypto/openssl/engines/ia64.opt
     - copied unchanged from r204836, vendor-crypto/openssl/dist/engines/ia64.opt
  head/crypto/openssl/ssl/t1_reneg.c
     - copied unchanged from r204836, vendor-crypto/openssl/dist/ssl/t1_reneg.c
Deleted:
  head/crypto/openssl/apps/genpkey.c
  head/crypto/openssl/apps/pkey.c
  head/crypto/openssl/apps/pkeyparam.c
  head/crypto/openssl/apps/pkeyutl.c
  head/crypto/openssl/apps/ts.c
  head/crypto/openssl/apps/tsget
  head/crypto/openssl/crypto/aes/aes_x86core.c
  head/crypto/openssl/crypto/aes/asm/aes-armv4.pl
  head/crypto/openssl/crypto/aes/asm/aes-ppc.pl
  head/crypto/openssl/crypto/aes/asm/aes-s390x.pl
  head/crypto/openssl/crypto/aes/asm/aes-sparcv9.pl
  head/crypto/openssl/crypto/asn1/ameth_lib.c
  head/crypto/openssl/crypto/asn1/asn1_locl.h
  head/crypto/openssl/crypto/asn1/bio_asn1.c
  head/crypto/openssl/crypto/asn1/bio_ndef.c
  head/crypto/openssl/crypto/asn1/x_nx509.c
  head/crypto/openssl/crypto/bn/asm/alpha-mont.pl
  head/crypto/openssl/crypto/bn/asm/armv4-mont.pl
  head/crypto/openssl/crypto/bn/asm/mips3-mont.pl
  head/crypto/openssl/crypto/bn/asm/ppc-mont.pl
  head/crypto/openssl/crypto/bn/asm/ppc64-mont.pl
  head/crypto/openssl/crypto/bn/asm/s390x-mont.pl
  head/crypto/openssl/crypto/bn/asm/s390x.S
  head/crypto/openssl/crypto/bn/asm/sparcv9-mont.pl
  head/crypto/openssl/crypto/bn/asm/sparcv9a-mont.pl
  head/crypto/openssl/crypto/bn/asm/via-mont.pl
  head/crypto/openssl/crypto/bn/asm/x86-mont.pl
  head/crypto/openssl/crypto/camellia/asm/cmll-x86.pl
  head/crypto/openssl/crypto/camellia/asm/cmll-x86_64.pl
  head/crypto/openssl/crypto/ppccpuid.pl
  head/crypto/openssl/crypto/s390xcpuid.S
  head/crypto/openssl/crypto/sparcv9cap.c
  head/crypto/openssl/engines/axp.opt
Modified:
  head/crypto/openssl/CHANGES
  head/crypto/openssl/Configure
  head/crypto/openssl/FAQ
  head/crypto/openssl/Makefile
  head/crypto/openssl/Makefile.org
  head/crypto/openssl/NEWS
  head/crypto/openssl/README
  head/crypto/openssl/apps/CA.sh
  head/crypto/openssl/apps/Makefile
  head/crypto/openssl/apps/apps.c
  head/crypto/openssl/apps/ca.c
  head/crypto/openssl/apps/dsa.c
  head/crypto/openssl/apps/dsaparam.c
  head/crypto/openssl/apps/enc.c
  head/crypto/openssl/apps/gendsa.c
  head/crypto/openssl/apps/genrsa.c
  head/crypto/openssl/apps/openssl.c
  head/crypto/openssl/apps/openssl.cnf
  head/crypto/openssl/apps/pkcs12.c
  head/crypto/openssl/apps/req.c
  head/crypto/openssl/apps/s_apps.h
  head/crypto/openssl/apps/s_cb.c
  head/crypto/openssl/apps/s_client.c
  head/crypto/openssl/apps/s_server.c
  head/crypto/openssl/apps/s_socket.c
  head/crypto/openssl/apps/speed.c
  head/crypto/openssl/apps/x509.c
  head/crypto/openssl/config
  head/crypto/openssl/crypto/aes/aes_cfb.c
  head/crypto/openssl/crypto/aes/asm/aes-x86_64.pl
  head/crypto/openssl/crypto/asn1/a_mbstr.c
  head/crypto/openssl/crypto/asn1/a_object.c
  head/crypto/openssl/crypto/asn1/asn1.h
  head/crypto/openssl/crypto/asn1/asn1_err.c
  head/crypto/openssl/crypto/asn1/asn1_gen.c
  head/crypto/openssl/crypto/asn1/asn1_par.c
  head/crypto/openssl/crypto/asn1/t_x509.c
  head/crypto/openssl/crypto/bio/bio.h
  head/crypto/openssl/crypto/bio/bss_dgram.c
  head/crypto/openssl/crypto/bio/bss_file.c
  head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
  head/crypto/openssl/crypto/bn/bn_div.c
  head/crypto/openssl/crypto/bn/bn_exp.c
  head/crypto/openssl/crypto/bn/bn_gf2m.c
  head/crypto/openssl/crypto/bn/bn_mul.c
  head/crypto/openssl/crypto/bn/bntest.c
  head/crypto/openssl/crypto/camellia/Makefile
  head/crypto/openssl/crypto/cast/c_cfb64.c
  head/crypto/openssl/crypto/cast/c_ecb.c
  head/crypto/openssl/crypto/cast/c_enc.c
  head/crypto/openssl/crypto/cast/c_ofb64.c
  head/crypto/openssl/crypto/cast/cast.h
  head/crypto/openssl/crypto/cms/cms_ess.c
  head/crypto/openssl/crypto/cms/cms_lib.c
  head/crypto/openssl/crypto/comp/c_zlib.c
  head/crypto/openssl/crypto/cryptlib.c
  head/crypto/openssl/crypto/dsa/Makefile
  head/crypto/openssl/crypto/dsa/dsa_asn1.c
  head/crypto/openssl/crypto/dsa/dsa_lib.c
  head/crypto/openssl/crypto/dso/dso_dlfcn.c
  head/crypto/openssl/crypto/ec/ec2_smpl.c
  head/crypto/openssl/crypto/ecdsa/Makefile
  head/crypto/openssl/crypto/ecdsa/ecs_ossl.c
  head/crypto/openssl/crypto/ecdsa/ecs_sign.c
  head/crypto/openssl/crypto/engine/Makefile
  head/crypto/openssl/crypto/engine/eng_cnf.c
  head/crypto/openssl/crypto/engine/eng_cryptodev.c
  head/crypto/openssl/crypto/engine/eng_ctrl.c
  head/crypto/openssl/crypto/engine/eng_err.c
  head/crypto/openssl/crypto/engine/eng_table.c
  head/crypto/openssl/crypto/engine/engine.h
  head/crypto/openssl/crypto/err/Makefile
  head/crypto/openssl/crypto/err/err_all.c
  head/crypto/openssl/crypto/evp/c_allc.c
  head/crypto/openssl/crypto/evp/c_alld.c
  head/crypto/openssl/crypto/evp/digest.c
  head/crypto/openssl/crypto/evp/evp_lib.c
  head/crypto/openssl/crypto/evp/evp_locl.h
  head/crypto/openssl/crypto/lhash/lhash.c
  head/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
  head/crypto/openssl/crypto/o_init.c
  head/crypto/openssl/crypto/o_str.c
  head/crypto/openssl/crypto/objects/obj_dat.c
  head/crypto/openssl/crypto/objects/obj_dat.h
  head/crypto/openssl/crypto/objects/obj_mac.h
  head/crypto/openssl/crypto/objects/obj_mac.num
  head/crypto/openssl/crypto/objects/objects.txt
  head/crypto/openssl/crypto/ocsp/ocsp_prn.c
  head/crypto/openssl/crypto/opensslv.h
  head/crypto/openssl/crypto/pem/pem_seal.c
  head/crypto/openssl/crypto/perlasm/x86_64-xlate.pl
  head/crypto/openssl/crypto/pkcs12/p12_attr.c
  head/crypto/openssl/crypto/pkcs12/p12_key.c
  head/crypto/openssl/crypto/pkcs12/p12_utl.c
  head/crypto/openssl/crypto/pkcs12/pkcs12.h
  head/crypto/openssl/crypto/pkcs7/pk7_mime.c
  head/crypto/openssl/crypto/rand/rand_win.c
  head/crypto/openssl/crypto/rand/randfile.c
  head/crypto/openssl/crypto/rsa/rsa.h
  head/crypto/openssl/crypto/rsa/rsa_eay.c
  head/crypto/openssl/crypto/rsa/rsa_eng.c
  head/crypto/openssl/crypto/rsa/rsa_oaep.c
  head/crypto/openssl/crypto/rsa/rsa_pss.c
  head/crypto/openssl/crypto/rsa/rsa_sign.c
  head/crypto/openssl/crypto/sha/sha512.c
  head/crypto/openssl/crypto/stack/safestack.h
  head/crypto/openssl/crypto/symhacks.h
  head/crypto/openssl/crypto/ui/ui_openssl.c
  head/crypto/openssl/crypto/x509/by_dir.c
  head/crypto/openssl/crypto/x509/x509.h
  head/crypto/openssl/crypto/x509/x509_lu.c
  head/crypto/openssl/crypto/x509/x509_vfy.c
  head/crypto/openssl/crypto/x509/x509_vfy.h
  head/crypto/openssl/crypto/x509/x509_vpm.c
  head/crypto/openssl/crypto/x509v3/pcy_tree.c
  head/crypto/openssl/crypto/x509v3/v3_alt.c
  head/crypto/openssl/crypto/x509v3/v3_ocsp.c
  head/crypto/openssl/demos/x509/mkcert.c
  head/crypto/openssl/demos/x509/mkreq.c
  head/crypto/openssl/doc/apps/enc.pod
  head/crypto/openssl/doc/apps/verify.pod
  head/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
  head/crypto/openssl/doc/crypto/EVP_DigestInit.pod
  head/crypto/openssl/doc/crypto/PKCS12_parse.pod
  head/crypto/openssl/doc/crypto/bn_internal.pod
  head/crypto/openssl/doc/crypto/d2i_X509.pod
  head/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
  head/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
  head/crypto/openssl/doc/crypto/hmac.pod
  head/crypto/openssl/doc/crypto/pem.pod
  head/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
  head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
  head/crypto/openssl/engines/Makefile
  head/crypto/openssl/engines/e_capi.c
  head/crypto/openssl/engines/e_capi_err.c
  head/crypto/openssl/engines/e_capi_err.h
  head/crypto/openssl/engines/e_ubsec.c
  head/crypto/openssl/fips/Makefile
  head/crypto/openssl/fips/aes/fips_aesavs.c
  head/crypto/openssl/fips/des/fips_desmovs.c
  head/crypto/openssl/fips/dsa/fips_dsa_key.c
  head/crypto/openssl/fips/dsa/fips_dsa_sign.c
  head/crypto/openssl/fips/dsa/fips_dsatest.c
  head/crypto/openssl/fips/dsa/fips_dssvs.c
  head/crypto/openssl/fips/fips_locl.h
  head/crypto/openssl/fips/fips_test_suite.c
  head/crypto/openssl/fips/fips_utl.h
  head/crypto/openssl/fips/fipsalgtest.pl
  head/crypto/openssl/fips/fipsld
  head/crypto/openssl/fips/hmac/fips_hmac.c
  head/crypto/openssl/fips/hmac/fips_hmac_selftest.c
  head/crypto/openssl/fips/rand/fips_rand.c
  head/crypto/openssl/fips/rand/fips_rngvs.c
  head/crypto/openssl/fips/rsa/fips_rsagtest.c
  head/crypto/openssl/fips/rsa/fips_rsastest.c
  head/crypto/openssl/fips/rsa/fips_rsavtest.c
  head/crypto/openssl/fips/sha/Makefile
  head/crypto/openssl/fips/sha/fips_sha1_selftest.c
  head/crypto/openssl/openssl.spec
  head/crypto/openssl/ssl/Makefile
  head/crypto/openssl/ssl/d1_both.c
  head/crypto/openssl/ssl/d1_clnt.c
  head/crypto/openssl/ssl/d1_enc.c
  head/crypto/openssl/ssl/d1_lib.c
  head/crypto/openssl/ssl/d1_pkt.c
  head/crypto/openssl/ssl/d1_srvr.c
  head/crypto/openssl/ssl/dtls1.h
  head/crypto/openssl/ssl/kssl.c
  head/crypto/openssl/ssl/s23_clnt.c
  head/crypto/openssl/ssl/s23_srvr.c
  head/crypto/openssl/ssl/s2_srvr.c
  head/crypto/openssl/ssl/s3_both.c
  head/crypto/openssl/ssl/s3_clnt.c
  head/crypto/openssl/ssl/s3_lib.c
  head/crypto/openssl/ssl/s3_pkt.c
  head/crypto/openssl/ssl/s3_srvr.c
  head/crypto/openssl/ssl/ssl.h
  head/crypto/openssl/ssl/ssl3.h
  head/crypto/openssl/ssl/ssl_algs.c
  head/crypto/openssl/ssl/ssl_asn1.c
  head/crypto/openssl/ssl/ssl_cert.c
  head/crypto/openssl/ssl/ssl_ciph.c
  head/crypto/openssl/ssl/ssl_err.c
  head/crypto/openssl/ssl/ssl_lib.c
  head/crypto/openssl/ssl/ssl_locl.h
  head/crypto/openssl/ssl/ssl_rsa.c
  head/crypto/openssl/ssl/ssl_sess.c
  head/crypto/openssl/ssl/ssl_stat.c
  head/crypto/openssl/ssl/ssl_txt.c
  head/crypto/openssl/ssl/t1_enc.c
  head/crypto/openssl/ssl/t1_lib.c
  head/crypto/openssl/ssl/tls1.h
  head/crypto/openssl/test/Makefile
  head/crypto/openssl/test/cms-test.pl
  head/crypto/openssl/util/domd
  head/crypto/openssl/util/libeay.num
  head/crypto/openssl/util/mk1mf.pl
  head/crypto/openssl/util/mkdef.pl
  head/crypto/openssl/util/mkerr.pl
  head/crypto/openssl/util/pl/Mingw32.pl
  head/crypto/openssl/util/pl/VC-32.pl
  head/crypto/openssl/util/pod2man.pl
  head/crypto/openssl/util/shlib_wrap.sh
  head/secure/lib/libssl/Makefile
Directory Properties:
  head/crypto/openssl/   (props changed)

Modified: head/crypto/openssl/CHANGES
==============================================================================
--- head/crypto/openssl/CHANGES	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/CHANGES	Sat Mar 13 19:22:41 2010	(r205128)
@@ -2,6 +2,176 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
+
+  *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
+     [Martin Olsson, Neel Mehta]
+
+  *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
+     accommodate for stack sorting, always a write lock!).
+     [Bodo Moeller]
+
+  *) On some versions of WIN32 Heap32Next is very slow. This can cause
+     excessive delays in the RAND_poll(): over a minute. As a workaround
+     include a time check in the inner Heap32Next loop too.
+     [Steve Henson]
+
+  *) The code that handled flushing of data in SSL/TLS originally used the
+     BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
+     the problem outlined in PR#1949. The fix suggested there however can
+     trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
+     of Apache). So instead simplify the code to flush unconditionally.
+     This should be fine since flushing with no data to flush is a no op.
+     [Steve Henson]
+
+  *) Handle TLS versions 2.0 and later properly and correctly use the
+     highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
+     off ancient servers have a habit of sticking around for a while...
+     [Steve Henson]
+
+  *) Modify compression code so it frees up structures without using the
+     ex_data callbacks. This works around a problem where some applications
+     call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
+     restarting) then use compression (e.g. SSL with compression) later.
+     This results in significant per-connection memory leaks and
+     has caused some security issues including CVE-2008-1678 and
+     CVE-2009-4355.
+     [Steve Henson]
+
+  *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
+     change when encrypting or decrypting.
+     [Bodo Moeller]
+
+  *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
+     connect and renegotiate with servers which do not support RI.
+     Until RI is more widely deployed this option is enabled by default.
+     [Steve Henson]
+
+  *) Add "missing" ssl ctrls to clear options and mode.
+     [Steve Henson]
+
+  *) If client attempts to renegotiate and doesn't support RI respond with
+     a no_renegotiation alert as required by RFC5746.  Some renegotiating
+     TLS clients will continue a connection gracefully when they receive
+     the alert. Unfortunately OpenSSL mishandled this alert and would hang
+     waiting for a server hello which it will never receive. Now we treat a
+     received no_renegotiation alert as a fatal error. This is because
+     applications requesting a renegotiation might well expect it to succeed
+     and would have no code in place to handle the server denying it so the
+     only safe thing to do is to terminate the connection.
+     [Steve Henson]
+
+  *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
+     peer supports secure renegotiation and 0 otherwise. Print out peer
+     renegotiation support in s_client/s_server.
+     [Steve Henson]
+
+  *) Replace the highly broken and deprecated SPKAC certification method with
+     the updated NID creation version. This should correctly handle UTF8.
+     [Steve Henson]
+
+  *) Implement RFC5746. Re-enable renegotiation but require the extension
+     as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     turns out to be a bad idea. It has been replaced by
+     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
+     SSL_CTX_set_options(). This is really not recommended unless you
+     know what you are doing.
+     [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
+
+  *) Fixes to stateless session resumption handling. Use initial_ctx when
+     issuing and attempting to decrypt tickets in case it has changed during
+     servername handling. Use a non-zero length session ID when attempting
+     stateless session resumption: this makes it possible to determine if
+     a resumption has occurred immediately after receiving server hello
+     (several places in OpenSSL subtly assume this) instead of later in
+     the handshake.
+     [Steve Henson]
+
+  *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
+     CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
+     fixes for a few places where the return code is not checked
+     correctly.
+     [Julia Lawall <julia@diku.dk>]
+
+  *) Add --strict-warnings option to Configure script to include devteam
+     warnings in other configurations.
+     [Steve Henson]
+
+  *) Add support for --libdir option and LIBDIR variable in makefiles. This
+     makes it possible to install openssl libraries in locations which
+     have names other than "lib", for example "/usr/lib64" which some
+     systems need.
+     [Steve Henson, based on patch from Jeremy Utley]
+
+  *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
+     X690 8.9.12 and can produce some misleading textual output of OIDs.
+     [Steve Henson, reported by Dan Kaminsky]
+
+  *) Delete MD2 from algorithm tables. This follows the recommendation in
+     several standards that it is not used in new applications due to
+     several cryptographic weaknesses. For binary compatibility reasons
+     the MD2 API is still compiled in by default.
+     [Steve Henson]
+
+  *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
+     and restored.
+     [Steve Henson]
+
+  *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
+     OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
+     clash.
+     [Guenter <lists@gknw.net>]
+
+  *) Fix the server certificate chain building code to use X509_verify_cert(),
+     it used to have an ad-hoc builder which was unable to cope with anything
+     other than a simple chain.
+     [David Woodhouse <dwmw2@infradead.org>, Steve Henson]
+
+  *) Don't check self signed certificate signatures in X509_verify_cert()
+     by default (a flag can override this): it just wastes time without
+     adding any security. As a useful side effect self signed root CAs
+     with non-FIPS digests are now usable in FIPS mode.
+     [Steve Henson]
+
+  *) In dtls1_process_out_of_seq_message() the check if the current message
+     is already buffered was missing. For every new message was memory
+     allocated, allowing an attacker to perform an denial of service attack
+     with sending out of seq handshake messages until there is no memory
+     left. Additionally every future messege was buffered, even if the
+     sequence number made no sense and would be part of another handshake.
+     So only messages with sequence numbers less than 10 in advance will be
+     buffered.  (CVE-2009-1378)
+     [Robin Seggelmann, discovered by Daniel Mentz] 	
+
+  *) Records are buffered if they arrive with a future epoch to be
+     processed after finishing the corresponding handshake. There is
+     currently no limitation to this buffer allowing an attacker to perform
+     a DOS attack with sending records with future epochs until there is no
+     memory left. This patch adds the pqueue_size() function to detemine
+     the size of a buffer and limits the record buffer to 100 entries.
+     (CVE-2009-1377)
+     [Robin Seggelmann, discovered by Daniel Mentz] 	
+
+  *) Keep a copy of frag->msg_header.frag_len so it can be used after the
+     parent structure is freed.  (CVE-2009-1379)
+     [Daniel Mentz] 	
+
+  *) Handle non-blocking I/O properly in SSL_shutdown() call.
+     [Darryl Miles <darryl-mailinglists@netbauds.net>]
+
+  *) Add 2.5.4.* OIDs
+     [Ilya O. <vrghost@gmail.com>]
+
+ Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
+
+  *) Disable renegotiation completely - this fixes a severe security
+     problem (CVE-2009-3555) at the cost of breaking all
+     renegotiation. Renegotiation can be re-enabled by setting
+     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
+     run-time. This is really not recommended unless you know what
+     you're doing.
+     [Ben Laurie]
+
  Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
 
   *) Don't set val to NULL when freeing up structures, it is freed up by
@@ -86,6 +256,10 @@
 
  Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
 
+  *) Fix NULL pointer dereference if a DTLS server received
+     ChangeCipherSpec as first record (CVE-2009-1386).
+     [PR #1679]
+
   *) Fix a state transitition in s3_srvr.c and d1_srvr.c
      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
      [Nagendra Modadugu]
@@ -1489,19 +1663,6 @@
      differing sizes.
      [Richard Levitte]
 
- Changes between 0.9.7m and 0.9.7n  [xx XXX xxxx]
-
-  *) In the SSL/TLS server implementation, be strict about session ID
-     context matching (which matters if an application uses a single
-     external cache for different purposes).  Previously,
-     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
-     set.  This did ensure strict client verification, but meant that,
-     with applications using a single external cache for quite
-     different requirements, clients could circumvent ciphersuite
-     restrictions for a given session ID context by starting a session
-     in a different context.
-     [Bodo Moeller]
-
  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
 
   *) Cleanse PEM buffers before freeing them since they may contain 

Modified: head/crypto/openssl/Configure
==============================================================================
--- head/crypto/openssl/Configure	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/Configure	Sat Mar 13 19:22:41 2010	(r205128)
@@ -106,6 +106,8 @@ my $usage="Usage: Configure [no-<cipher>
 
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
 
+my $strict_warnings = 0;
+
 my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
 
 # MD2_CHAR slags pentium pros
@@ -159,14 +161,15 @@ my %table=(
 "debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
+"debug-ben-debug",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -ggdb3 -O2 -pipe::(unknown)::::::",
+"debug-ben-debug-noopt",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -ggdb3 -pipe::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
-"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
 "debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared",
 "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -178,6 +181,9 @@ my %table=(
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO  -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",
 
 # Basic configs that should work on any (32 and less bit) box
@@ -203,11 +209,11 @@ my %table=(
 # actually recommend to consider using gcc shared build even with vendor
 # compiler:-)
 #						<appro@fy.chalmers.se>
-"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with GNU C setups
 "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -337,7 +343,7 @@ my %table=(
 "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
@@ -390,7 +396,8 @@ my %table=(
 
 # QNX
 "qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
-"qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
+"QNX6",       "gcc:-DTERMIOS::::-lsocket::${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"QNX6-i386",  "gcc:-DL_ENDIAN -DTERMIOS -O2 -Wall::::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SCO/Caldera targets.
 #
@@ -520,7 +527,7 @@ my %table=(
 "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc64.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -fomit-frame-pointer -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -fomit-frame-pointer -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
@@ -581,9 +588,11 @@ my $idx_ranlib = $idx++;
 my $idx_arflags = $idx++;
 
 my $prefix="";
+my $libdir="";
 my $openssldir="";
 my $exe_ext="";
-my $install_prefix="";
+my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+my $cross_compile_prefix="";
 my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
 my $nofipscanistercheck=0;
 my $fipsdso=0;
@@ -747,6 +756,10 @@ PROCESS_ARGS:
 			{
 			exit(&test_sanity());
 			}
+		elsif (/^--strict-warnings/)
+			{
+			$strict_warnings = 1;
+			}
 		elsif (/^reconfigure/ || /^reconf/)
 			{
 			if (open(IN,"<$Makefile"))
@@ -816,6 +829,10 @@ PROCESS_ARGS:
 				{
 				$prefix=$1;
 				}
+			elsif (/^--libdir=(.*)$/)
+				{
+				$libdir=$1;
+				}
 			elsif (/^--openssldir=(.*)$/)
 				{
 				$openssldir=$1;
@@ -979,7 +996,8 @@ my $shared_target = $fields[$idx_shared_
 my $shared_cflag = $fields[$idx_shared_cflag];
 my $shared_ldflag = $fields[$idx_shared_ldflag];
 my $shared_extension = $fields[$idx_shared_extension];
-my $ranlib = $fields[$idx_ranlib];
+my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
+my $ar = $ENV{'AR'} || "ar";
 my $arflags = $fields[$idx_arflags];
 
 if ($fips)
@@ -1079,9 +1097,14 @@ if ($openssldir eq "" and $prefix eq "")
 	}
 $prefix=$openssldir if $prefix eq "";
 
+$libdir="lib" if $libdir eq "";
+
 $default_ranlib= &which("ranlib") or $default_ranlib="true";
 $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
   or $perl="perl";
+my $make = $ENV{'MAKE'} || "make";
+
+$cross_compile_prefix=$ENV{'CROSS_COMPILE'} if $cross_compile_prefix eq "";
 
 chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /.\/$/;
@@ -1434,6 +1457,16 @@ if ($shlib_version_number =~ /(^[0-9]*)\
 	$shlib_minor=$2;
 	}
 
+if ($strict_warnings)
+	{
+	my $wopt;
+	die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
+	foreach $wopt (split /\s+/, $gcc_devteam_warn)
+		{
+		$cflags .= " $wopt" unless ($cflags =~ /$wopt/)
+		}
+	}
+
 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
 unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
 open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
@@ -1463,11 +1496,22 @@ while (<IN>)
 	s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/;
 	s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
 	s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
+	s/^LIBDIR=.*$/LIBDIR=$libdir/;
 	s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
 	s/^PLATFORM=.*$/PLATFORM=$target/;
 	s/^OPTIONS=.*$/OPTIONS=$options/;
 	s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/;
-	s/^CC=.*$/CC= $cc/;
+	if ($cross_compile_prefix)
+		{
+		s/^CC=.*$/CROSS_COMPILE= $cross_compile_prefix\nCC= \$\(CROSS_COMPILE\)$cc/;
+		s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
+		s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
+		}
+	else	{
+		s/^CC=.*$/CC= $cc/;
+		s/^AR=\s*ar/AR= $ar/;
+		s/^RANLIB=.*/RANLIB= $ranlib/;
+		}
 	s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
 	s/^CFLAG=.*$/CFLAG= $cflags/;
 	s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
@@ -1486,7 +1530,6 @@ while (<IN>)
 	s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
 	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
-	s/^RANLIB=.*/RANLIB= $ranlib/;
 	s/^ARFLAGS=.*/ARFLAGS= $arflags/;
 	s/^PERL=.*/PERL= $perl/;
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
@@ -1643,9 +1686,20 @@ print OUT "#define OPENSSL_CPUID_OBJ\n\n
 while (<IN>)
 	{
 	if	(/^#define\s+OPENSSLDIR/)
-		{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
+		{
+		my $foo = $openssldir;
+		$foo =~ s/\\/\\\\/g;
+		print OUT "#define OPENSSLDIR \"$foo\"\n";
+		}
 	elsif	(/^#define\s+ENGINESDIR/)
-		{ print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
+		{
+		# $foo is to become "$prefix/lib$multilib/engines";
+		# as Makefile.org and engines/Makefile are adapted for
+		# $multilib suffix.
+		my $foo = "$prefix/lib/engines";
+		$foo =~ s/\\/\\\\/g;
+		print OUT "#define ENGINESDIR \"$foo\"\n";
+		}
 	elsif	(/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
 		{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
 			if $export_var_as_fn;
@@ -1750,7 +1804,7 @@ if($IsMK1MF) {
 EOF
 	close(OUT);
 } else {
-	my $make_command = "make PERL=\'$perl\'";
+	my $make_command = "$make PERL=\'$perl\'";
 	my $make_targets = "";
 	$make_targets .= " links" if $symlink;
 	$make_targets .= " depend" if $depflags ne $default_depflags && $make_depend;

Modified: head/crypto/openssl/FAQ
==============================================================================
--- head/crypto/openssl/FAQ	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/FAQ	Sat Mar 13 19:22:41 2010	(r205128)
@@ -78,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8k was released on Mar 25th, 2009.
+OpenSSL 0.9.8m was released on Feb 25th, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

Modified: head/crypto/openssl/Makefile
==============================================================================
--- head/crypto/openssl/Makefile	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/Makefile	Sat Mar 13 19:22:41 2010	(r205128)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=0.9.8k
+VERSION=0.9.8m
 MAJOR=0
 MINOR=9.8
 SHLIB_VERSION_NUMBER=0.9.8
@@ -66,13 +66,14 @@ PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
 ARFLAGS= 
-AR=ar $(ARFLAGS) r
+AR= ar $(ARFLAGS) r
 ARD=ar $(ARFLAGS) d
 RANLIB= /usr/bin/ranlib
 PERL= /usr/bin/perl
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
+LIBDIR=lib
 
 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
@@ -202,9 +203,10 @@ BUILDENV=	PLATFORM='${PLATFORM}' PROCESS
 		CC='${CC}' CFLAG='${CFLAG}' 			\
 		AS='${CC}' ASFLAG='${CFLAG} -c'			\
 		AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}'	\
-		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib'	\
+		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/$(LIBDIR)'	\
 		INSTALL_PREFIX='${INSTALL_PREFIX}'		\
 		INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}'	\
+		LIBDIR='${LIBDIR}' \
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
 		DEPFLAG='-DOPENSSL_NO_DEPRECATED ${DEPFLAG}'	\
 		MAKEDEPPROG='${MAKEDEPPROG}'			\
@@ -335,15 +337,15 @@ build_crypto:
 		dir=crypto; target=all; $(BUILD_ONE_CMD)
 build_fips:
 	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
 	@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
+build_apps: build_libs
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 
 all_testapps: build_libs build_testapps
@@ -359,7 +361,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
 			$(AR) libcrypto.a fips/fipscanister.o ; \
 		else \
 			if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-				FIPSLD_CC=$(CC); CC=fips/fipsld; \
+				FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
 				export CC FIPSLD_CC; \
 			fi; \
 			$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
@@ -382,7 +384,7 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
 fips/fipscanister.o:	build_fips
 libfips$(SHLIB_EXT):		fips/fipscanister.o
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+		FIPSLD_CC="$(CC)"; CC=fips/fipsld; export CC FIPSLD_CC; \
 		$(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			CC=$${CC} LIBNAME=fips THIS=$@ \
 			LIBEXTRAS=fips/fipscanister.o \
@@ -438,7 +440,7 @@ do_$(SHLIB_TARGET):
 libcrypto.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
@@ -451,7 +453,7 @@ libcrypto.pc: Makefile
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
@@ -464,7 +466,7 @@ libssl.pc: Makefile
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
@@ -519,12 +521,14 @@ dclean:
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
-rehash.time: certs
-	@(OPENSSL="`pwd`/util/opensslwrap.sh"; \
-	  OPENSSL_DEBUG_MEMORY=on; \
-	  export OPENSSL OPENSSL_DEBUG_MEMORY; \
-	  $(PERL) tools/c_rehash certs)
-	touch rehash.time
+rehash.time: certs apps
+	@if [ -z "$(CROSS_COMPILE)" ]; then \
+		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+		OPENSSL_DEBUG_MEMORY=on; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY; \
+		$(PERL) tools/c_rehash certs) && \
+		touch rehash.time; \
+	fi
 
 test:   tests
 
@@ -617,9 +621,9 @@ install: all install_docs install_sw
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -634,10 +638,10 @@ install_sw:
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
 		fi; \
 	done;
 	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
@@ -647,22 +651,22 @@ install_sw:
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
-			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+			cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
 			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
@@ -671,12 +675,12 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
-	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libcrypto.pc
-	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libssl.pc
-	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
+	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -684,7 +688,7 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \

Modified: head/crypto/openssl/Makefile.org
==============================================================================
--- head/crypto/openssl/Makefile.org	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/Makefile.org	Sat Mar 13 19:22:41 2010	(r205128)
@@ -71,6 +71,7 @@ PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
+LIBDIR=lib
 
 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
@@ -112,7 +113,7 @@ LIBZLIB=
 # $(INSTALLTOP) for this build make be different so hard
 # code the path.
 
-FIPSLIBDIR=/usr/local/ssl/lib/
+FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
 
 # This is set to "y" if fipscanister.o is compiled internally as
 # opposed to coming from an external validated location.
@@ -200,9 +201,10 @@ BUILDENV=	PLATFORM='${PLATFORM}' PROCESS
 		CC='${CC}' CFLAG='${CFLAG}' 			\
 		AS='${CC}' ASFLAG='${CFLAG} -c'			\
 		AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}'	\
-		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib'	\
+		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/$(LIBDIR)'	\
 		INSTALL_PREFIX='${INSTALL_PREFIX}'		\
 		INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}'	\
+		LIBDIR='${LIBDIR}' \
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
 		DEPFLAG='-DOPENSSL_NO_DEPRECATED ${DEPFLAG}'	\
 		MAKEDEPPROG='${MAKEDEPPROG}'			\
@@ -333,15 +335,15 @@ build_crypto:
 		dir=crypto; target=all; $(BUILD_ONE_CMD)
 build_fips:
 	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
 	@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
+build_apps: build_libs
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 
 all_testapps: build_libs build_testapps
@@ -357,7 +359,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
 			$(AR) libcrypto.a fips/fipscanister.o ; \
 		else \
 			if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-				FIPSLD_CC=$(CC); CC=fips/fipsld; \
+				FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
 				export CC FIPSLD_CC; \
 			fi; \
 			$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
@@ -380,7 +382,7 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
 fips/fipscanister.o:	build_fips
 libfips$(SHLIB_EXT):		fips/fipscanister.o
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+		FIPSLD_CC="$(CC)"; CC=fips/fipsld; export CC FIPSLD_CC; \
 		$(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			CC=$${CC} LIBNAME=fips THIS=$@ \
 			LIBEXTRAS=fips/fipscanister.o \
@@ -436,7 +438,7 @@ do_$(SHLIB_TARGET):
 libcrypto.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
@@ -449,7 +451,7 @@ libcrypto.pc: Makefile
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
@@ -462,7 +464,7 @@ libssl.pc: Makefile
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
@@ -517,12 +519,14 @@ dclean:
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
-rehash.time: certs
-	@(OPENSSL="`pwd`/util/opensslwrap.sh"; \
-	  OPENSSL_DEBUG_MEMORY=on; \
-	  export OPENSSL OPENSSL_DEBUG_MEMORY; \
-	  $(PERL) tools/c_rehash certs)
-	touch rehash.time
+rehash.time: certs apps
+	@if [ -z "$(CROSS_COMPILE)" ]; then \
+		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+		OPENSSL_DEBUG_MEMORY=on; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY; \
+		$(PERL) tools/c_rehash certs) && \
+		touch rehash.time; \
+	fi
 
 test:   tests
 
@@ -615,9 +619,9 @@ install: all install_docs install_sw
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -632,10 +636,10 @@ install_sw:
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
 		fi; \
 	done;
 	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
@@ -645,22 +649,22 @@ install_sw:
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
-			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+			cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
 			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
@@ -669,12 +673,12 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
-	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libcrypto.pc
-	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libssl.pc
-	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
+	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -682,7 +686,7 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \

Modified: head/crypto/openssl/NEWS
==============================================================================
--- head/crypto/openssl/NEWS	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/NEWS	Sat Mar 13 19:22:41 2010	(r205128)
@@ -5,6 +5,22 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+
+      o Cipher definition fixes.
+      o Workaround for slow RAND_poll() on some WIN32 versions.
+      o Remove MD2 from algorithm tables.
+      o SPKAC handling fixes.
+      o Support for RFC5746 TLS renegotiation extension.
+      o Compression memory leak fixed.
+      o Compression session resumption fixed.
+      o Ticket and SNI coexistence fixes.
+      o Many fixes to DTLS handling. 
+
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
+
+      o Temporary work around for CVE-2009-3555: disable renegotiation.
+
   Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
 
       o Fix various build issues.

Modified: head/crypto/openssl/README
==============================================================================
--- head/crypto/openssl/README	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/README	Sat Mar 13 19:22:41 2010	(r205128)
@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.8k
+ OpenSSL 0.9.8m
 
- Copyright (c) 1998-2008 The OpenSSL Project
+ Copyright (c) 1998-2009 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
@@ -112,8 +112,6 @@
  should be contacted if that algorithm is to be used; their web page is
  http://www.ascom.ch/.
 
- The MDC2 algorithm is patented by IBM.
-
  NTT and Mitsubishi have patents and pending patents on the Camellia
  algorithm, but allow use at no charge without requiring an explicit
  licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
@@ -139,6 +137,9 @@
  SUPPORT
  -------
 
+ See the OpenSSL website www.openssl.org for details of how to obtain
+ commercial technical support.
+
  If you have any problems with OpenSSL then please take the following steps
  first:
 
@@ -165,6 +166,10 @@
 
     openssl-bugs@openssl.org
 
+ Note that the request tracker should NOT be used for general assistance
+ or support queries. Just because something doesn't work the way you expect
+ does not mean it is necessarily a bug in OpenSSL.
+
  Note that mail to openssl-bugs@openssl.org is recorded in the publicly
  readable request tracker database and is forwarded to a public
  mailing list. Confidential mail may be sent to openssl-security@openssl.org
@@ -175,10 +180,22 @@
 
  Development is coordinated on the openssl-dev mailing list (see
  http://www.openssl.org for information on subscribing). If you
- would like to submit a patch, send it to openssl-dev@openssl.org with
+ would like to submit a patch, send it to openssl-bugs@openssl.org with
  the string "[PATCH]" in the subject. Please be sure to include a
  textual explanation of what your patch does.
 
+ If you are unsure as to whether a feature will be useful for the general
+ OpenSSL community please discuss it on the openssl-dev mailing list first.
+ Someone may be already working on the same thing or there may be a good
+ reason as to why that feature isn't implemented.
+
+ Patches should be as up to date as possible, preferably relative to the
+ current CVS or the last snapshot. They should follow the coding style of
+ OpenSSL and compile without warnings. Some of the core team developer targets
+ can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
+ compiles on many varied platforms: try to ensure you only use portable
+ features.
+
  Note: For legal reasons, contributions from the US can be accepted only
  if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
  (formerly BXA) with a copy to the ENC Encryption Request Coordinator;

Modified: head/crypto/openssl/apps/CA.sh
==============================================================================
--- head/crypto/openssl/apps/CA.sh	Sat Mar 13 18:34:19 2010	(r205127)
+++ head/crypto/openssl/apps/CA.sh	Sat Mar 13 19:22:41 2010	(r205128)
@@ -5,10 +5,10 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
-# CA -sign ... will sign the generated request and output 
+# CA -newreq ... will generate a certificate request
+# CA -sign ... will sign the generated request and output
 #
-# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# At the end of that grab newreq.pem and newcert.pem (one has the key
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
@@ -16,8 +16,8 @@
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
-#		   environment variable so this can be driven from
-#		   a script.
+#                  environment variable so this can be driven from
+#                  a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
@@ -29,52 +29,87 @@
 
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
+cp_pem() {
+    infile=$1
+    outfile=$2
+    bound=$3
+    flag=0
+    exec <$infile;
+    while read line; do
+	if [ $flag -eq 1 ]; then
+		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
+		if [ $? -eq 0 ] ; then
+			echo $line >>$outfile
+			break
+		else
+			echo $line >>$outfile
+		fi
+	fi
+
+	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***