Wed Aug 5 18:38:22 2009 UTC ()
resolve conflicts


(christos)
diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/apps/ca.c
diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c
diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/crypto/engine/eng_cryptodev.c
diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/crypto/lhash/lhash.h
diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c

cvs diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/apps/ca.c (expand / switch to context diff)
--- src/crypto/external/bsd/openssl/dist/apps/ca.c 2009/07/19 23:30:38 1.2
+++ src/crypto/external/bsd/openssl/dist/apps/ca.c 2009/08/05 18:38:21 1.3
@@ -883,9 +883,9 @@
 	if (db == NULL) goto err;
 
 	/* Lets check some fields */
-	for (i=0; i<sk_PSTRING_num(db->db->data); i++)
+	for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp=sk_PSTRING_value(db->db->data,i);
+		pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
 		if ((pp[DB_type][0] != DB_TYPE_REV) &&
 			(pp[DB_rev_date][0] != '\0'))
 			{
@@ -938,7 +938,7 @@
 #endif
 		TXT_DB_write(out,db->db);
 		BIO_printf(bio_err,"%d entries loaded from the database\n",
-			   sk_PSTRING_num(db->db->data));
+			   sk_OPENSSL_PSTRING_num(db->db->data));
 		BIO_printf(bio_err,"generating index\n");
 		}
 	
@@ -1408,9 +1408,9 @@
 
 		ASN1_TIME_free(tmptm);
 
-		for (i=0; i<sk_PSTRING_num(db->db->data); i++)
+		for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++)
 			{
-			pp=sk_PSTRING_value(db->db->data,i);
+			pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
 			if (pp[DB_type][0] == DB_TYPE_REV)
 				{
 				if ((r=X509_REVOKED_new()) == NULL) goto err;
@@ -1685,9 +1685,9 @@
 	int ok= -1,i,j,last,nid;
 	const char *p;
 	CONF_VALUE *cv;
-	STRING row[DB_NUMBER];
-	STRING *irow=NULL;
-	STRING *rrow=NULL;
+	OPENSSL_STRING row[DB_NUMBER];
+	OPENSSL_STRING *irow=NULL;
+	OPENSSL_STRING *rrow=NULL;
 	char buf[25];
 
 	tmptm=ASN1_UTCTIME_new();
@@ -1929,7 +1929,7 @@
 
 	if (db->attributes.unique_subject)
 		{
-		STRING *crow=row;
+		OPENSSL_STRING *crow=row;
 
 		rrow=TXT_DB_get_by_index(db->db,DB_name,crow);
 		if (rrow != NULL)
@@ -2632,9 +2632,9 @@
 	else
 		a_y2k = 0;
 
-	for (i = 0; i < sk_PSTRING_num(db->db->data); i++)
+	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		rrow = sk_PSTRING_value(db->db->data, i);
+		rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
 
 		if (rrow[DB_type][0] == 'V')
 		 	{

cvs diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c (expand / switch to context diff)
--- src/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c 2009/07/19 23:30:39 1.2
+++ src/crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c 2009/08/05 18:38:21 1.3
@@ -351,6 +351,15 @@
 	return(merged);
 	}
 
+#ifdef OPENSSL_SYS_MACOSX
+#define DSO_ext	".dylib"
+#define DSO_extlen 6
+#else
+#define DSO_ext	".so"
+#define DSO_extlen 3
+#endif
+
+
 static char *dlfcn_name_converter(DSO *dso, const char *filename)
 	{
 	char *translated;
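Review bot: `DSO_extlen` is a hand-counted copy of the length of `DSO_ext`, so the two can drift apart if another platform suffix is added later. The value feeds `rsize`, which bounds the `snprintf` calls further down and presumably sizes the allocation too, so a count that is too small would silently truncate the translated library name. Deriving it from the literal removes the duplication: `#define DSO_extlen (sizeof(DSO_ext) - 1)`. The body of dlfcn_name_converter continues outside this hunk.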
@@ -361,8 +370,8 @@
 	transform = (strstr(filename, "/") == NULL);
 	if(transform)
 		{
-		/* We will convert this to "%s.so" or "lib%s.so" */
-		rsize += 3;	/* The length of ".so" */
+		/* We will convert this to "%s.so" or "lib%s.so" etc */
+		rsize += DSO_extlen;	/* The length of ".so" */
 		if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
 			rsize += 3; /* The length of "lib" */
 		}
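Review bot: The trailing comment on the `rsize += DSO_extlen;` line still says `/* The length of ".so" */`, which is no longer true when `OPENSSL_SYS_MACOSX` selects `.dylib`. I would change it to `/* The length of DSO_ext */` and make the comment above it read `/* We will convert this to "%s" DSO_ext or "lib%s" DSO_ext */`, so the size arithmetic and the format strings are described in the same terms.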
@@ -376,9 +385,9 @@
 	if(transform)
 		{
 		if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
-			snprintf(translated, rsize, "lib%s.so", filename);
+			snprintf(translated, rsize, "lib%s" DSO_ext, filename);
 		else
-			snprintf(translated, rsize, "%s.so", filename);
+			snprintf(translated, rsize, "%s" DSO_ext, filename);
 		}
 	else
 		snprintf(translated, rsize, "%s", filename);

cvs diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/crypto/engine/Attic/eng_cryptodev.c (expand / switch to context diff)
--- src/crypto/external/bsd/openssl/dist/crypto/engine/Attic/eng_cryptodev.c 2009/07/19 23:30:39 1.2
+++ src/crypto/external/bsd/openssl/dist/crypto/engine/Attic/eng_cryptodev.c 2009/08/05 18:38:21 1.3
@@ -33,7 +33,7 @@
 #include <openssl/bn.h>
 
 #if (defined(__unix__) || defined(unix)) && !defined(USG) && \
-	(defined(OpenBSD) || defined(__FreeBSD_version))
+	(defined(OpenBSD) || defined(__FreeBSD__))
 #include <sys/param.h>
 # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) || defined(__NetBSD__)
 #  define HAVE_CRYPTODEV
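Review bot: The inner `#if` lists `defined(__NetBSD__)`, but the outer condition only admits `defined(OpenBSD) || defined(__FreeBSD__)`, so that arm cannot be reached on NetBSD unless one of those macros is defined by the build. The outer test on `OpenBSD` also has the problem this commit fixes for FreeBSD: it is evaluated before `<sys/param.h>` is included, and as far as I know that header is what defines `OpenBSD`. If this engine is meant to be enabled in this tree, the outer line would need to be something like `(defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__))`. Otherwise a comment saying the engine is intentionally compiled out would help.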
@@ -86,7 +86,7 @@
 static int open_dev_crypto(void);
 static int get_dev_crypto(void);
 static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
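Review bot: The `get_cryptodev_digests` prototype is disabled by turning it into a comment, while the digest table and the function definition in the later hunks are disabled with `#if 0  /* not (yet?) used */`. Using the same guard for the prototype keeps the three pieces together and makes re-enabling them a single kind of edit: `#if 0  /* not (yet?) used */` / `static int get_cryptodev_digests(const int **cnids);` / `#endif`.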
@@ -124,7 +124,7 @@
 static int cryptodev_dh_compute_key(unsigned char *key,
     const BIGNUM *pub_key, DH *dh);
 static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
-    void (*f)());
+    void (*f)(void));
 void ENGINE_load_cryptodev(void);
 
 static const ENGINE_CMD_DEFN cryptodev_defns[] = {
@@ -149,6 +149,7 @@
 	{ 0,				NID_undef,		0,	 0, },
 };
 
+#if 0  /* not (yet?) used */
 static struct {
 	int	id;
 	int	nid;
@@ -163,6 +164,7 @@
 	{ CRYPTO_SHA1,			NID_sha1,		20},
 	{ 0,				NID_undef,		0},
 };
+#endif  /* 0 */
 
 /*
  * Return a fd if /dev/crypto seems usable, 0 otherwise.
@@ -241,6 +243,7 @@
  * returning them here is harmless, as long as we return NULL
  * when asked for a handler in the cryptodev_engine_digests routine
  */
+#if 0  /* not (yet?) used */
 static int
 get_cryptodev_digests(const int **cnids)
 {
@@ -271,6 +274,7 @@
 		*cnids = NULL;
 	return (count);
 }
+#endif  /* 0 */
 
 /*
  * Find the useable ciphers|digests from dev/crypto - this is the first
@@ -329,7 +333,7 @@
 	struct crypt_op cryp;
 	struct dev_crypto_state *state = ctx->cipher_data;
 	struct session_op *sess = &state->d_sess;
-	void *iiv;
+	const void *iiv;
 	unsigned char save_iv[EVP_MAX_IV_LENGTH];
 
 	if (state->d_fd < 0)
@@ -353,7 +357,7 @@
 	if (ctx->cipher->iv_len) {
 		cryp.iv = (void *) ctx->iv;
 		if (!ctx->encrypt) {
-			iiv = (char *) in + inl - ctx->cipher->iv_len;
+			iiv = in + inl - ctx->cipher->iv_len;
 			memcpy(save_iv, iiv, ctx->cipher->iv_len);
 		}
 	} else
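Review bot: `iiv = in + inl - ctx->cipher->iv_len;` points before the start of `in` whenever `inl` is smaller than `iv_len`, and the `memcpy` on the next line then reads outside the input buffer. Nothing in this hunk shows that `inl` has already been checked against the IV or block length. The function starts outside the hunk, so that check may exist there and should be confirmed. The same applies to `iiv = out + inl - ctx->cipher->iv_len;` in the next hunk. If no such guard exists, an early `if (inl < ctx->cipher->iv_len) return (0);` before the IV handling would cover both. Dropping the `(char *)` casts also assumes `in` and `out` are byte pointers, which their declarations outside the hunk should confirm.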
@@ -368,7 +372,7 @@
 
 	if (ctx->cipher->iv_len) {
 		if (ctx->encrypt)
-			iiv = (char *) out + inl - ctx->cipher->iv_len;
+			iiv = out + inl - ctx->cipher->iv_len;
 		else
 			iiv = save_iv;
 		memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
@@ -382,7 +386,7 @@
 {
 	struct dev_crypto_state *state = ctx->cipher_data;
 	struct session_op *sess = &state->d_sess;
-	int cipher, i;
+	int cipher = -1, i;
 
 	for (i = 0; ciphers[i].id; i++)
 		if (ctx->cipher->nid == ciphers[i].nid &&
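Review bot: Initialising `cipher` to `-1` quiets the uninitialised-use warning, but the lookup loop can still finish without a match and leave that sentinel in place. The rest of the function is outside this hunk, so I cannot see whether the no-match case returns before `cipher` is handed to the session setup; that should be confirmed. A short comment on the declaration would record the intent, for example `/* -1: no matching /dev/crypto cipher found */`.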
@@ -1261,7 +1265,7 @@
  * but I expect we'll want some options soon.
  */
 static int
-cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 {
 #ifdef HAVE_SYSLOG_R
 	struct syslog_data sd = SYSLOG_DATA_INIT;

cvs diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/crypto/lhash/Attic/lhash.h (expand / switch to context diff)
--- src/crypto/external/bsd/openssl/dist/crypto/lhash/Attic/lhash.h 2009/07/19 23:30:40 1.2
+++ src/crypto/external/bsd/openssl/dist/crypto/lhash/Attic/lhash.h 2009/08/05 18:38:21 1.3
@@ -230,8 +230,8 @@
   lh_stats_bio(CHECKED_LHASH_OF(type, lh), out)
 #define LHM_lh_free(type, lh) lh_free(CHECKED_LHASH_OF(type, lh))
 
-DECLARE_LHASH_OF(STRING);
-DECLARE_LHASH_OF(CSTRING);
+DECLARE_LHASH_OF(OPENSSL_STRING);
+DECLARE_LHASH_OF(OPENSSL_CSTRING);
 
 #ifdef  __cplusplus
 }

cvs diff -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/ssl/Attic/s3_pkt.c (expand / switch to context diff)
--- src/crypto/external/bsd/openssl/dist/ssl/Attic/s3_pkt.c 2009/07/19 23:30:42 1.2
+++ src/crypto/external/bsd/openssl/dist/ssl/Attic/s3_pkt.c 2009/08/05 18:38:22 1.3
@@ -160,7 +160,7 @@
 			if (pkt[0] == SSL3_RT_APPLICATION_DATA
 			    && (pkt[3]<<8|pkt[4]) >= 128)
 				{
-			 	/* Note that even if packet is corrupted
+				/* Note that even if packet is corrupted
 				 * and its length field is insane, we can
 				 * only be led to wrong decision about
 				 * whether memmove will occur or not.
@@ -176,11 +176,12 @@
 		/* ... now we can act as if 'extend' was set */
 		}
 
-	/* extend reads should not span multiple packets for DTLS */
-	if ( (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
-	     &&	extend)
+	/* For DTLS/UDP reads should not span multiple packets
+	 * because the read operation returns the whole packet
+	 * at once (as long as it fits into the buffer). */
+	if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
 		{
-		if ( left > 0 && n > left)
+		if (left > 0 && n > left)
 			n = left;
 		}
 
@@ -207,15 +208,22 @@
 		rb->offset = len + align;
 		}
 
-	max = rb->len - rb->offset;
-	if (n > max) /* does not happen */
+	if (n > (int)(rb->len - rb->offset)) /* does not happen */
 		{
 		SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
 		return -1;
 		}
 
 	if (!s->read_ahead)
-		max=n;
+		/* ignore max parameter */
+		max = n;
+	else
+		{
+		if (max < n)
+			max = n;
+		if (max > (int)(rb->len - rb->offset))
+			max = rb->len - rb->offset;
+		}
 
 	while (left < n)
 		{
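Review bot: The remaining buffer space `rb->len - rb->offset` is now written out three times with mixed signedness: cast to `int` in the two comparisons, but assigned uncast in `max = rb->len - rb->offset;`. These lines bound how much is read into the record buffer, so I would compute the value once into a local declared next to the function's other locals (outside this hunk), e.g. `avail = (int)(rb->len - rb->offset);`, and use `avail` in all three places. The `(int)` casts suggest the fields are unsigned, in which case the subtraction wraps if `offset` ever exceeds `len`; their types are declared outside the hunk. Separately, the `if (!s->read_ahead)` arm has a comment between the `if` and its single unbraced statement, followed by a braced `else`; bracing both arms would make the pairing harder to break in a later edit.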
@@ -244,6 +252,14 @@
 			return(i);
 			}
 		left+=i;
+		/* reads should *never* span multiple packets for DTLS because
+		 * the underlying transport protocol is message oriented as opposed
+		 * to byte oriented as in the TLS case. */
+		if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+			{
+			if (n > left)
+				n = left; /* makes the while condition false */
+			}
 		}
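Review bot: Lowering `n` to `left` inside the loop means a DTLS read can now finish successfully with fewer bytes than the caller asked for, and the function's documented contract should say so. The book-keeping after the loop and the function's callers are outside this hunk, so I cannot see whether every caller compares the returned count with the length it requested; a short datagram must not be parsed as a full record header or body. I would add a sentence to the function's header comment saying that for DTLS the return value may be smaller than the requested `n` and that callers must check it.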
 
 	/* done reading, now the book-keeping */