This commit was manufactured by cvs2git to create branch 'unlabeled-1.1.1'.

299 files changed, 64443 insertions, 0 deletions

diff --git a/src/lib/libcrypto/aes/README b/src/lib/libcrypto/aes/README
new file mode 100644
index 0000000000..0f9620a80e
--- /dev/null
+++ b/src/lib/libcrypto/aes/README
@@ -0,0 +1,3 @@
+This is an OpenSSL-compatible version of AES (also called Rijndael).
+aes_core.c is basically the same as rijndael-alg-fst.c but with an
+API that looks like the rest of the OpenSSL symmetric cipher suite.
diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
new file mode 100644
index 0000000000..e8da921ec5
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes.h
@@ -0,0 +1,109 @@
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef HEADER_AES_H
+#define HEADER_AES_H
+
+#ifdef OPENSSL_NO_AES
+#error AES is disabled.
+#endif
+
+static const int AES_DECRYPT = 0;
+static const int AES_ENCRYPT = 1;
+/* Because array size can't be a const in C, the following two are macros.
+   Both sizes are in bytes. */
+#define AES_MAXNR 14
+#define AES_BLOCK_SIZE 16
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* This should be a hidden type, but EVP requires that the size be known */
+struct aes_key_st {
+    unsigned long rd_key[4 *(AES_MAXNR + 1)];
+    int rounds;
+};
+typedef struct aes_key_st AES_KEY;
+
+const char *AES_options(void);
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+        AES_KEY *key);
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+        AES_KEY *key);
+
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key);
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key);
+
+void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key, const int enc);
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, const int enc);
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num);
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *counter, unsigned int *num);
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* !HEADER_AES_H */
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
new file mode 100644
index 0000000000..3dfd7aba2a
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -0,0 +1,89 @@
+/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                     const unsigned long length, const AES_KEY *key,
+                     unsigned char *ivec, const int enc) {
+
+        int n;
+        unsigned long len = length;
+        unsigned char tmp[16];
+
+        assert(in && out && key && ivec);
+        assert(length % AES_BLOCK_SIZE == 0);
+        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
+
+        if (AES_ENCRYPT == enc)
+                while (len > 0) {
+                        for(n=0; n < 16; ++n)
+                                tmp[n] = in[n] ^ ivec[n];
+                        AES_encrypt(tmp, out, key);
+                        memcpy(ivec, out, 16);
+                        len -= 16;
+                        in += 16;
+                        out += 16;
+                }
+        else
+                while (len > 0) {
+                        memcpy(tmp, in, 16);
+                        AES_decrypt(in, out, key);
+                        for(n=0; n < 16; ++n)
+                                out[n] ^= ivec[n];
+                        memcpy(ivec, tmp, 16);
+                        len -= 16;
+                        in += 16;
+                        out += 16;
+                }
+}
diff --git a/src/lib/libcrypto/aes/aes_cfb.c b/src/lib/libcrypto/aes/aes_cfb.c
new file mode 100644
index 0000000000..9b2917298a
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_cfb.c
@@ -0,0 +1,151 @@
+/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc) {
+
+        unsigned int n;
+        unsigned long l = length;
+        unsigned char c;
+
+        assert(in && out && key && ivec && num);
+
+        n = *num;
+
+        if (enc) {
+                while (l--) {
+                        if (n == 0) {
+                                AES_encrypt(ivec, ivec, key);
+                        }
+                        ivec[n] = *(out++) = *(in++) ^ ivec[n];
+                        n = (n+1) % AES_BLOCK_SIZE;
+                }
+        } else {
+                while (l--) {
+                        if (n == 0) {
+                                AES_decrypt(ivec, ivec, key);
+                        }
+                        c = *(in);
+                        *(out++) = *(in++) ^ ivec[n];
+                        ivec[n] = c;
+                        n = (n+1) % AES_BLOCK_SIZE;
+                }
+        }
+
+        *num=n;
+}
+
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
new file mode 100644
index 0000000000..937988dd8c
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -0,0 +1,1251 @@
+/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
+/**
+ * rijndael-alg-fst.c
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Note: rewritten a little bit to provide error control and an OpenSSL-
+   compatible API */
+
+#include <assert.h>
+#include <stdlib.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/*
+Te0[x] = S [x].[02, 01, 01, 03];
+Te1[x] = S [x].[03, 02, 01, 01];
+Te2[x] = S [x].[01, 03, 02, 01];
+Te3[x] = S [x].[01, 01, 03, 02];
+Te4[x] = S [x].[01, 01, 01, 01];
+
+Td0[x] = Si[x].[0e, 09, 0d, 0b];
+Td1[x] = Si[x].[0b, 0e, 09, 0d];
+Td2[x] = Si[x].[0d, 0b, 0e, 09];
+Td3[x] = Si[x].[09, 0d, 0b, 0e];
+Td4[x] = Si[x].[01, 01, 01, 01];
+*/
+
+static const u32 Te0[256] = {
+    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
+    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
+    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
+    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
+    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
+    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
+    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
+    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
+    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
+    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
+    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
+    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
+    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
+    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
+    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
+    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
+    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
+    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
+    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
+    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
+    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
+    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
+    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
+    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
+    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
+    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
+    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
+    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
+    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
+    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
+    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
+    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
+    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
+    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
+    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
+    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
+    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
+    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
+    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
+    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
+    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
+    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
+    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
+    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
+    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
+    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
+    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
+    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
+    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
+    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
+    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
+    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
+    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
+    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
+    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
+    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
+    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
+    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
+    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
+    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
+    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
+    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
+    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
+    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
+};
+static const u32 Te1[256] = {
+    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
+    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
+    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
+    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
+    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
+    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
+    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
+    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
+    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
+    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
+    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
+    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
+    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
+    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
+    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
+    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
+    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
+    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
+    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
+    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
+    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
+    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
+    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
+    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
+    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
+    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
+    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
+    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
+    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
+    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
+    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
+    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
+    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
+    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
+    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
+    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
+    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
+    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
+    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
+    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
+    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
+    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
+    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
+    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
+    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
+    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
+    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
+    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
+    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
+    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
+    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
+    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
+    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
+    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
+    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
+    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
+    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
+    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
+    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
+    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
+    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
+    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
+    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
+    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
+};
+static const u32 Te2[256] = {
+    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
+    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
+    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
+    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
+    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
+    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
+    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
+    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
+    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
+    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
+    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
+    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
+    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
+    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
+    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
+    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
+    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
+    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
+    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
+    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
+    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
+    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
+    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
+    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
+    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
+    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
+    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
+    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
+    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
+    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
+    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
+    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
+    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
+    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
+    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
+    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
+    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
+    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
+    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
+    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
+    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
+    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
+    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
+    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
+    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
+    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
+    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
+    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
+    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
+    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
+    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
+    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
+    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
+    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
+    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
+    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
+    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
+    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
+    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
+    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
+    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
+    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
+    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
+    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
+};
+static const u32 Te3[256] = {
+
+    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
+    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
+    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
+    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
+    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
+    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
+    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
+    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
+    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
+    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
+    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
+    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
+    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
+    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
+    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
+    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
+    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
+    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
+    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
+    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
+    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
+    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
+    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
+    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
+    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
+    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
+    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
+    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
+    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
+    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
+    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
+    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
+    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
+    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
+    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
+    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
+    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
+    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
+    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
+    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
+    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
+    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
+    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
+    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
+    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
+    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
+    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
+    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
+    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
+    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
+    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
+    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
+    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
+    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
+    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
+    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
+    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
+    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
+    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
+    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
+    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
+    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
+    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
+    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
+};
+static const u32 Te4[256] = {
+    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
+    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
+    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
+    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
+    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
+    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
+    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
+    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
+    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
+    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
+    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
+    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
+    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
+    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
+    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
+    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
+    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
+    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
+    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
+    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
+    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
+    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
+    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
+    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
+    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
+    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
+    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
+    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
+    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
+    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
+    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
+    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
+    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
+    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
+    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
+    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
+    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
+    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
+    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
+    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
+    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
+    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
+    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
+    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
+    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
+    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
+    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
+    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
+    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
+    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
+    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
+    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
+    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
+    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
+    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
+    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
+    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
+    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
+    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
+    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
+    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
+    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
+    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
+    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
+};
+static const u32 Td0[256] = {
+    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
+    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
+    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
+    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
+    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
+    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
+    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
+    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
+    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
+    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
+    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
+    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
+    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
+    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
+    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
+    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
+    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
+    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
+    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
+    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
+    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
+    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
+    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
+    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
+    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
+    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
+    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
+    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
+    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
+    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
+    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
+    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
+    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
+    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
+    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
+    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
+    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
+    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
+    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
+    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
+    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
+    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
+    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
+    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
+    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
+    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
+    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
+    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
+    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
+    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
+    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
+    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
+    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
+    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
+    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
+    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
+    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
+    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
+    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
+    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
+    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
+    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
+    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
+    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
+};
+static const u32 Td1[256] = {
+    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
+    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
+    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
+    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
+    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
+    0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
+    0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
+    0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
+    0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
+    0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
+    0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
+    0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
+    0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
+    0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
+    0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
+    0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
+    0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
+    0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
+    0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
+    0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
+    0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
+    0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
+    0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
+    0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
+    0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
+    0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
+    0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
+    0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
+    0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
+    0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
+    0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
+    0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
+    0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
+    0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
+    0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
+    0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
+    0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
+    0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
+    0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
+    0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
+    0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
+    0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
+    0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
+    0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
+    0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
+    0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
+    0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
+    0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
+    0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
+    0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
+    0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
+    0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
+    0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
+    0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
+    0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
+    0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
+    0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
+    0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
+    0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
+    0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
+    0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
+    0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
+    0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
+    0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
+};
+static const u32 Td2[256] = {
+    0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
+    0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
+    0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
+    0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
+    0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
+    0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
+    0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
+    0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
+    0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
+    0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
+    0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
+    0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
+    0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
+    0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
+    0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
+    0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
+    0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
+    0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
+    0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
+    0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
+
+    0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
+    0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
+    0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
+    0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
+    0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
+    0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
+    0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
+    0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
+    0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
+    0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
+    0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
+    0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
+    0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
+    0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
+    0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
+    0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
+    0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
+    0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
+    0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
+    0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
+    0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
+    0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
+    0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
+    0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
+    0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
+    0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
+    0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
+    0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
+    0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
+    0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
+    0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
+    0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
+    0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
+    0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
+    0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
+    0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
+    0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
+    0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
+    0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
+    0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
+    0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
+    0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
+    0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
+    0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
+};
+static const u32 Td3[256] = {
+    0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
+    0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
+    0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
+    0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
+    0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
+    0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
+    0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
+    0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
+    0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
+    0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
+    0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
+    0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
+    0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
+    0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
+    0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
+    0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
+    0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
+    0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
+    0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
+    0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
+    0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
+    0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
+    0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
+    0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
+    0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
+    0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
+    0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
+    0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
+    0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
+    0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
+    0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
+    0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
+    0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
+    0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
+    0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
+    0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
+    0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
+    0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
+    0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
+    0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
+    0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
+    0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
+    0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
+    0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
+    0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
+    0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
+    0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
+    0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
+    0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
+    0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
+    0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
+    0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
+    0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
+    0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
+    0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
+    0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
+    0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
+    0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
+    0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
+    0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
+    0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
+    0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
+    0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
+    0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
+};
+static const u32 Td4[256] = {
+    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
+    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
+    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
+    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
+    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
+    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
+    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
+    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
+    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
+    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
+    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
+    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
+    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
+    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
+    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
+    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
+    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
+    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
+    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
+    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
+    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
+    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
+    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
+    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
+    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
+    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
+    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
+    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
+    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
+    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
+    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
+    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
+    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
+    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
+    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
+    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
+    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
+    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
+    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
+    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
+    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
+    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
+    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
+    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
+    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
+    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
+    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
+    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
+    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
+    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
+    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
+    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
+    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
+    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
+    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
+    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
+    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
+    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
+    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
+    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
+    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
+    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
+    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
+    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
+};
+static const u32 rcon[] = {
+        0x01000000, 0x02000000, 0x04000000, 0x08000000,
+        0x10000000, 0x20000000, 0x40000000, 0x80000000,
+        0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+};
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ */
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key) {
+
+        u32 *rk;
+        int i = 0;
+        u32 temp;
+
+        if (!userKey || !key)
+                return -1;
+        if (bits != 128 && bits != 192 && bits != 256)
+                return -2;
+
+        rk = key->rd_key;
+
+        if (bits==128)
+                key->rounds = 10;
+        else if (bits==192)
+                key->rounds = 12;
+        else
+                key->rounds = 14;
+
+        rk[0] = GETU32(userKey     );
+        rk[1] = GETU32(userKey +  4);
+        rk[2] = GETU32(userKey +  8);
+        rk[3] = GETU32(userKey + 12);
+        if (bits == 128) {
+                for (;;) {
+                        temp  = rk[3];
+                        rk[4] = rk[0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[5] = rk[1] ^ rk[4];
+                        rk[6] = rk[2] ^ rk[5];
+                        rk[7] = rk[3] ^ rk[6];
+                        if (++i == 10) {
+                                return 0;
+                        }
+                        rk += 4;
+                }
+        }
+        rk[4] = GETU32(userKey + 16);
+        rk[5] = GETU32(userKey + 20);
+        if (bits == 192) {
+                for (;;) {
+                        temp = rk[ 5];
+                        rk[ 6] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 7] = rk[ 1] ^ rk[ 6];
+                        rk[ 8] = rk[ 2] ^ rk[ 7];
+                        rk[ 9] = rk[ 3] ^ rk[ 8];
+                        if (++i == 8) {
+                                return 0;
+                        }
+                        rk[10] = rk[ 4] ^ rk[ 9];
+                        rk[11] = rk[ 5] ^ rk[10];
+                        rk += 6;
+                }
+        }
+        rk[6] = GETU32(userKey + 24);
+        rk[7] = GETU32(userKey + 28);
+        if (bits == 256) {
+                for (;;) {
+                        temp = rk[ 7];
+                        rk[ 8] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 9] = rk[ 1] ^ rk[ 8];
+                        rk[10] = rk[ 2] ^ rk[ 9];
+                        rk[11] = rk[ 3] ^ rk[10];
+                        if (++i == 7) {
+                                return 0;
+                        }
+                        temp = rk[11];
+                        rk[12] = rk[ 4] ^
+                                (Te4[(temp >> 24)       ] & 0xff000000) ^
+                                (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp      ) & 0xff] & 0x000000ff);
+                        rk[13] = rk[ 5] ^ rk[12];
+                        rk[14] = rk[ 6] ^ rk[13];
+                        rk[15] = rk[ 7] ^ rk[14];
+
+                        rk += 8;
+                }
+        }
+        return 0;
+}
+
+/**
+ * Expand the cipher key into the decryption key schedule.
+ */
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                         AES_KEY *key) {
+
+        u32 *rk;
+        int i, j, status;
+        u32 temp;
+
+        /* first, start with an encryption schedule */
+        status = AES_set_encrypt_key(userKey, bits, key);
+        if (status < 0)
+                return status;
+
+        rk = key->rd_key;
+
+        /* invert the order of the round keys: */
+        for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
+                temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
+                temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
+                temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
+                temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
+        }
+        /* apply the inverse MixColumn transform to all round keys but the first and the last: */
+        for (i = 1; i < (key->rounds); i++) {
+                rk += 4;
+                rk[0] =
+                        Td0[Te4[(rk[0] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[0] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[0]      ) & 0xff] & 0xff];
+                rk[1] =
+                        Td0[Te4[(rk[1] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[1] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[1]      ) & 0xff] & 0xff];
+                rk[2] =
+                        Td0[Te4[(rk[2] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[2] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[2]      ) & 0xff] & 0xff];
+                rk[3] =
+                        Td0[Te4[(rk[3] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[3] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[3]      ) & 0xff] & 0xff];
+        }
+        return 0;
+}
+
+/*
+ * Encrypt a single block
+ * in and out can overlap
+ */
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key) {
+
+        const u32 *rk;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+        int r;
+#endif /* ?FULL_UNROLL */
+
+        assert(in && out && key);
+        rk = key->rd_key;
+
+        /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+        s0 = GETU32(in     ) ^ rk[0];
+        s1 = GETU32(in +  4) ^ rk[1];
+        s2 = GETU32(in +  8) ^ rk[2];
+        s3 = GETU32(in + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+        /* round 1: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
+        /* round 2: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
+        /* round 3: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
+        /* round 4: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
+        /* round 5: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
+        /* round 6: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
+        /* round 7: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
+        /* round 8: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
+        /* round 9: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
+    if (key->rounds > 10) {
+        /* round 10: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
+        if (key->rounds > 12) {
+            /* round 12: */
+            s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
+            s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
+            s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
+            s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
+            t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
+            t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
+            t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
+        }
+    }
+    rk += key->rounds << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = key->rounds >> 1;
+    for (;;) {
+        t0 =
+            Te0[(s0 >> 24)       ] ^
+            Te1[(s1 >> 16) & 0xff] ^
+            Te2[(s2 >>  8) & 0xff] ^
+            Te3[(s3      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Te0[(s1 >> 24)       ] ^
+            Te1[(s2 >> 16) & 0xff] ^
+            Te2[(s3 >>  8) & 0xff] ^
+            Te3[(s0      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Te0[(s2 >> 24)       ] ^
+            Te1[(s3 >> 16) & 0xff] ^
+            Te2[(s0 >>  8) & 0xff] ^
+            Te3[(s1      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Te0[(s3 >> 24)       ] ^
+            Te1[(s0 >> 16) & 0xff] ^
+            Te2[(s1 >>  8) & 0xff] ^
+            Te3[(s2      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Te0[(t0 >> 24)       ] ^
+            Te1[(t1 >> 16) & 0xff] ^
+            Te2[(t2 >>  8) & 0xff] ^
+            Te3[(t3      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Te0[(t1 >> 24)       ] ^
+            Te1[(t2 >> 16) & 0xff] ^
+            Te2[(t3 >>  8) & 0xff] ^
+            Te3[(t0      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Te0[(t2 >> 24)       ] ^
+            Te1[(t3 >> 16) & 0xff] ^
+            Te2[(t0 >>  8) & 0xff] ^
+            Te3[(t1      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Te0[(t3 >> 24)       ] ^
+            Te1[(t0 >> 16) & 0xff] ^
+            Te2[(t1 >>  8) & 0xff] ^
+            Te3[(t2      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Te4[(t0 >> 24)       ] & 0xff000000) ^
+                (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(out     , s0);
+        s1 =
+                (Te4[(t1 >> 24)       ] & 0xff000000) ^
+                (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(out +  4, s1);
+        s2 =
+                (Te4[(t2 >> 24)       ] & 0xff000000) ^
+                (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(out +  8, s2);
+        s3 =
+                (Te4[(t3 >> 24)       ] & 0xff000000) ^
+                (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(out + 12, s3);
+}
+
+/*
+ * Decrypt a single block
+ * in and out can overlap
+ */
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key) {
+
+        const u32 *rk;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+        int r;
+#endif /* ?FULL_UNROLL */
+
+        assert(in && out && key);
+        rk = key->rd_key;
+
+        /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+    s0 = GETU32(in     ) ^ rk[0];
+    s1 = GETU32(in +  4) ^ rk[1];
+    s2 = GETU32(in +  8) ^ rk[2];
+    s3 = GETU32(in + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+    /* round 1: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
+    /* round 2: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
+    /* round 3: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
+    /* round 4: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
+    /* round 5: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
+    /* round 6: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
+    /* round 7: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
+    /* round 8: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
+    /* round 9: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
+    if (key->rounds > 10) {
+        /* round 10: */
+        s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
+        s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
+        s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
+        s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
+        t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
+        t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
+        t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
+        if (key->rounds > 12) {
+            /* round 12: */
+            s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
+            s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
+            s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
+            s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
+            t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
+            t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
+            t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
+        }
+    }
+        rk += key->rounds << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = key->rounds >> 1;
+    for (;;) {
+        t0 =
+            Td0[(s0 >> 24)       ] ^
+            Td1[(s3 >> 16) & 0xff] ^
+            Td2[(s2 >>  8) & 0xff] ^
+            Td3[(s1      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Td0[(s1 >> 24)       ] ^
+            Td1[(s0 >> 16) & 0xff] ^
+            Td2[(s3 >>  8) & 0xff] ^
+            Td3[(s2      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Td0[(s2 >> 24)       ] ^
+            Td1[(s1 >> 16) & 0xff] ^
+            Td2[(s0 >>  8) & 0xff] ^
+            Td3[(s3      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Td0[(s3 >> 24)       ] ^
+            Td1[(s2 >> 16) & 0xff] ^
+            Td2[(s1 >>  8) & 0xff] ^
+            Td3[(s0      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Td0[(t0 >> 24)       ] ^
+            Td1[(t3 >> 16) & 0xff] ^
+            Td2[(t2 >>  8) & 0xff] ^
+            Td3[(t1      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Td0[(t1 >> 24)       ] ^
+            Td1[(t0 >> 16) & 0xff] ^
+            Td2[(t3 >>  8) & 0xff] ^
+            Td3[(t2      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Td0[(t2 >> 24)       ] ^
+            Td1[(t1 >> 16) & 0xff] ^
+            Td2[(t0 >>  8) & 0xff] ^
+            Td3[(t3      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Td0[(t3 >> 24)       ] ^
+            Td1[(t2 >> 16) & 0xff] ^
+            Td2[(t1 >>  8) & 0xff] ^
+            Td3[(t0      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Td4[(t0 >> 24)       ] & 0xff000000) ^
+                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(out     , s0);
+        s1 =
+                (Td4[(t1 >> 24)       ] & 0xff000000) ^
+                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(out +  4, s1);
+        s2 =
+                (Td4[(t2 >> 24)       ] & 0xff000000) ^
+                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(out +  8, s2);
+        s3 =
+                (Td4[(t3 >> 24)       ] & 0xff000000) ^
+                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(out + 12, s3);
+}
+
diff --git a/src/lib/libcrypto/aes/aes_ctr.c b/src/lib/libcrypto/aes/aes_ctr.c
new file mode 100644
index 0000000000..8e800481de
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_ctr.c
@@ -0,0 +1,117 @@
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* NOTE: CTR mode is big-endian.  The rest of the AES code
+ * is endian-neutral. */
+
+/* increment counter (128-bit int) by 2^64 */
+static void AES_ctr128_inc(unsigned char *counter) {
+        unsigned long c;
+
+        /* Grab 3rd dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter + 8);
+        c++;
+        PUTU32(counter + 8, c);
+#else
+        c = GETU32(counter + 4);
+        c++;
+        PUTU32(counter + 4, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab top dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter + 12);
+        c++;
+        PUTU32(counter + 12, c);
+#else
+        c = GETU32(counter +  0);
+        c++;
+        PUTU32(counter +  0, c);
+#endif
+
+}
+
+/* The input encrypted as though 128bit counter mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *counter, unsigned int *num) {
+
+        unsigned int n;
+        unsigned long l=length;
+        unsigned char tmp[AES_BLOCK_SIZE];
+
+        assert(in && out && key && counter && num);
+
+        n = *num;
+
+        while (l--) {
+                if (n == 0) {
+                        AES_ctr128_inc(counter);
+                        AES_encrypt(counter, tmp, key);
+                }
+                *(out++) = *(in++) ^ tmp[n];
+                n = (n+1) % AES_BLOCK_SIZE;
+        }
+
+        *num=n;
+}
diff --git a/src/lib/libcrypto/aes/aes_ecb.c b/src/lib/libcrypto/aes/aes_ecb.c
new file mode 100644
index 0000000000..1cb2e07d3d
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_ecb.c
@@ -0,0 +1,67 @@
+/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
+                     const AES_KEY *key, const int enc) {
+
+        assert(in && out && key);
+        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
+
+        if (AES_ENCRYPT == enc)
+                AES_encrypt(in, out, key);
+        else
+                AES_decrypt(in, out, key);
+}
+
diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
new file mode 100644
index 0000000000..541d1d6e84
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -0,0 +1,88 @@
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef HEADER_AES_LOCL_H
+#define HEADER_AES_LOCL_H
+
+#include <openssl/e_os2.h>
+
+#ifdef OPENSSL_NO_AES
+#error AES is disabled.
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
+#include <string.h>
+#endif
+
+#ifdef _MSC_VER
+# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+# define GETU32(p) SWAP(*((u32 *)(p)))
+# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
+#else
+# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
+# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
+#endif
+
+typedef unsigned long u32;
+typedef unsigned short u16;
+typedef unsigned char u8;
+
+#define MAXKC   (256/32)
+#define MAXKB   (256/8)
+#define MAXNR   14
+
+/* This controls loop-unrolling in aes_core.c */
+#undef FULL_UNROLL
+
+#endif /* !HEADER_AES_LOCL_H */
diff --git a/src/lib/libcrypto/aes/aes_misc.c b/src/lib/libcrypto/aes/aes_misc.c
new file mode 100644
index 0000000000..090def25d5
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_misc.c
@@ -0,0 +1,64 @@
+/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <openssl/opensslv.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+const char *AES_version="AES" OPENSSL_VERSION_PTEXT;
+
+const char *AES_options(void) {
+#ifdef FULL_UNROLL
+        return "aes(full)";
+#else   
+        return "aes(partial)";
+#endif
+}
diff --git a/src/lib/libcrypto/aes/aes_ofb.c b/src/lib/libcrypto/aes/aes_ofb.c
new file mode 100644
index 0000000000..e33bdaea28
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_ofb.c
@@ -0,0 +1,136 @@
+/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num) {
+
+        unsigned int n;
+        unsigned long l=length;
+
+        assert(in && out && key && ivec && num);
+
+        n = *num;
+
+        while (l--) {
+                if (n == 0) {
+                        AES_encrypt(ivec, ivec, key);
+                }
+                *(out++) = *(in++) ^ ivec[n];
+                n = (n+1) % AES_BLOCK_SIZE;
+        }
+
+        *num=n;
+}
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
new file mode 100644
index 0000000000..9239ecc439
--- /dev/null
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -0,0 +1,326 @@
+/* crypto/asn1/a_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* 
+ * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
+ * for comments on encoding see a_int.c
+ */
+
+int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
+        {
+        int pad=0,ret,r,i,t;
+        unsigned char *p,*n,pb=0;
+
+        if ((a == NULL) || (a->data == NULL)) return(0);
+        t=a->type;
+        if (a->length == 0)
+                ret=1;
+        else
+                {
+                ret=a->length;
+                i=a->data[0];
+                if ((t == V_ASN1_ENUMERATED) && (i > 127)) {
+                        pad=1;
+                        pb=0;
+                } else if(t == V_ASN1_NEG_ENUMERATED) {
+                        if(i>128) {
+                                pad=1;
+                                pb=0xFF;
+                        } else if(i == 128) {
+                                for(i = 1; i < a->length; i++) if(a->data[i]) {
+                                                pad=1;
+                                                pb=0xFF;
+                                                break;
+                                }
+                        }
+                }
+                ret+=pad;
+                }
+        r=ASN1_object_size(0,ret,V_ASN1_ENUMERATED);
+        if (pp == NULL) return(r);
+        p= *pp;
+
+        ASN1_put_object(&p,0,ret,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
+        if (pad) *(p++)=pb;
+        if (a->length == 0)
+                *(p++)=0;
+        else if (t == V_ASN1_ENUMERATED)
+                {
+                memcpy(p,a->data,(unsigned int)a->length);
+                p+=a->length;
+                }
+        else {
+                /* Begin at the end of the encoding */
+                n=a->data + a->length - 1;
+                p += a->length - 1;
+                i = a->length;
+                /* Copy zeros to destination as long as source is zero */
+                while(!*n) {
+                        *(p--) = 0;
+                        n--;
+                        i--;
+                }
+                /* Complement and increment next octet */
+                *(p--) = ((*(n--)) ^ 0xff) + 1;
+                i--;
+                /* Complement any octets left */
+                for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
+                p += a->length;
+        }
+
+        *pp=p;
+        return(r);
+        }
+
+ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
+             long length)
+        {
+        ASN1_ENUMERATED *ret=NULL;
+        unsigned char *p,*to,*s;
+        long len;
+        int inf,tag,xclass;
+        int i;
+
+        if ((a == NULL) || ((*a) == NULL))
+                {
+                if ((ret=ASN1_ENUMERATED_new()) == NULL) return(NULL);
+                ret->type=V_ASN1_ENUMERATED;
+                }
+        else
+                ret=(*a);
+
+        p= *pp;
+        inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+        if (inf & 0x80)
+                {
+                i=ASN1_R_BAD_OBJECT_HEADER;
+                goto err;
+                }
+
+        if (tag != V_ASN1_ENUMERATED)
+                {
+                i=ASN1_R_EXPECTING_AN_ENUMERATED;
+                goto err;
+                }
+
+        /* We must Malloc stuff, even for 0 bytes otherwise it
+         * signifies a missing NULL parameter. */
+        s=(unsigned char *)Malloc((int)len+1);
+        if (s == NULL)
+                {
+                i=ERR_R_MALLOC_FAILURE;
+                goto err;
+                }
+        to=s;
+        if (*p & 0x80) /* a negative number */
+                {
+                ret->type=V_ASN1_NEG_ENUMERATED;
+                if ((*p == 0xff) && (len != 1)) {
+                        p++;
+                        len--;
+                }
+                i = len;
+                p += i - 1;
+                to += i - 1;
+                while((!*p) && i) {
+                        *(to--) = 0;
+                        i--;
+                        p--;
+                }
+                if(!i) {
+                        *s = 1;
+                        s[len] = 0;
+                        p += len;
+                        len++;
+                } else {
+                        *(to--) = (*(p--) ^ 0xff) + 1;
+                        i--;
+                        for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
+                        p += len;
+                }
+        } else {
+                ret->type=V_ASN1_ENUMERATED;
+                if ((*p == 0) && (len != 1))
+                        {
+                        p++;
+                        len--;
+                        }
+                memcpy(s,p,(int)len);
+                p+=len;
+        }
+
+        if (ret->data != NULL) Free((char *)ret->data);
+        ret->data=s;
+        ret->length=(int)len;
+        if (a != NULL) (*a)=ret;
+        *pp=p;
+        return(ret);
+err:
+        ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
+        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+                ASN1_ENUMERATED_free(ret);
+        return(NULL);
+        }
+
+int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
+        {
+        int i,j,k;
+        unsigned char buf[sizeof(long)+1];
+        long d;
+
+        a->type=V_ASN1_ENUMERATED;
+        if (a->length < (sizeof(long)+1))
+                {
+                if (a->data != NULL)
+                        Free((char *)a->data);
+                if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+                        memset((char *)a->data,0,sizeof(long)+1);
+                }
+        if (a->data == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_ENUMERATED_SET,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        d=v;
+        if (d < 0)
+                {
+                d= -d;
+                a->type=V_ASN1_NEG_ENUMERATED;
+                }
+
+        for (i=0; i<sizeof(long); i++)
+                {
+                if (d == 0) break;
+                buf[i]=(int)d&0xff;
+                d>>=8;
+                }
+        j=0;
+        for (k=i-1; k >=0; k--)
+                a->data[j++]=buf[k];
+        a->length=j;
+        return(1);
+        }
+
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+        {
+        int neg=0,i;
+        long r=0;
+
+        if (a == NULL) return(0L);
+        i=a->type;
+        if (i == V_ASN1_NEG_ENUMERATED)
+                neg=1;
+        else if (i != V_ASN1_ENUMERATED)
+                return(0);
+        
+        if (a->length > sizeof(long))
+                {
+                /* hmm... a bit ugly */
+                return(0xffffffffL);
+                }
+        if (a->data == NULL)
+                return(0);
+
+        for (i=0; i<a->length; i++)
+                {
+                r<<=8;
+                r|=(unsigned char)a->data[i];
+                }
+        if (neg) r= -r;
+        return(r);
+        }
+
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+        {
+        ASN1_ENUMERATED *ret;
+        int len,j;
+
+        if (ai == NULL)
+                ret=ASN1_ENUMERATED_new();
+        else
+                ret=ai;
+        if (ret == NULL)
+                {
+                ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+                }
+        if(bn->neg) ret->type = V_ASN1_NEG_ENUMERATED;
+        else ret->type=V_ASN1_ENUMERATED;
+        j=BN_num_bits(bn);
+        len=((j == 0)?0:((j/8)+1));
+        ret->data=(unsigned char *)Malloc(len+4);
+        ret->length=BN_bn2bin(bn,ret->data);
+        return(ret);
+err:
+        if (ret != ai) ASN1_ENUMERATED_free(ret);
+        return(NULL);
+        }
+
+BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+        {
+        BIGNUM *ret;
+
+        if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
+                ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN,ASN1_R_BN_LIB);
+        if(ai->type == V_ASN1_NEG_ENUMERATED) bn->neg = 1;
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
new file mode 100644
index 0000000000..7a710d5459
--- /dev/null
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -0,0 +1,390 @@
+/* a_mbstr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+static int traverse_string(const unsigned char *p, int len, int inform,
+                 int (*rfunc)(unsigned long value, void *in), void *arg);
+static int in_utf8(unsigned long value, void *arg);
+static int out_utf8(unsigned long value, void *arg);
+static int type_str(unsigned long value, void *arg);
+static int cpy_asc(unsigned long value, void *arg);
+static int cpy_bmp(unsigned long value, void *arg);
+static int cpy_univ(unsigned long value, void *arg);
+static int cpy_utf8(unsigned long value, void *arg);
+static int is_printable(unsigned long value);
+
+/* These functions take a string in UTF8, ASCII or multibyte form and
+ * a mask of permissible ASN1 string types. It then works out the minimal
+ * type (using the order Printable < IA5 < T61 < BMP < Universal < UTF8)
+ * and creates a string of the correct type with the supplied data.
+ * Yes this is horrible: it has to be :-(
+ * The 'ncopy' form checks minimum and maximum size limits too.
+ */
+
+int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
+                                        int inform, unsigned long mask)
+{
+        return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0);
+}
+
+int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+                                        int inform, unsigned long mask, 
+                                        long minsize, long maxsize)
+{
+        int str_type;
+        int ret;
+        int outform, outlen;
+        ASN1_STRING *dest;
+        unsigned char *p;
+        int nchar;
+        char strbuf[32];
+        int (*cpyfunc)(unsigned long,void *) = NULL;
+        if(len == -1) len = strlen((const char *)in);
+        if(!mask) mask = DIRSTRING_TYPE;
+
+        /* First do a string check and work out the number of characters */
+        switch(inform) {
+
+                case MBSTRING_BMP:
+                if(len & 1) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                         ASN1_R_INVALID_BMPSTRING_LENGTH);
+                        return -1;
+                }
+                nchar = len >> 1;
+                break;
+
+                case MBSTRING_UNIV:
+                if(len & 3) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                         ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
+                        return -1;
+                }
+                nchar = len >> 2;
+                break;
+
+                case MBSTRING_UTF8:
+                nchar = 0;
+                /* This counts the characters and does utf8 syntax checking */
+                ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
+                if(ret < 0) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                                 ASN1_R_INVALID_UTF8STRING);
+                        return -1;
+                }
+                break;
+
+                case MBSTRING_ASC:
+                nchar = len;
+                break;
+
+                default:
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_UNKNOWN_FORMAT);
+                return -1;
+        }
+
+        if((minsize > 0) && (nchar < minsize)) {
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
+                sprintf(strbuf, "%ld", minsize);
+                ERR_add_error_data(2, "minsize=", strbuf);
+                return -1;
+        }
+
+        if((maxsize > 0) && (nchar > maxsize)) {
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
+                sprintf(strbuf, "%ld", maxsize);
+                ERR_add_error_data(2, "maxsize=", strbuf);
+                return -1;
+        }
+
+        /* Now work out minimal type (if any) */
+        if(traverse_string(in, len, inform, type_str, &mask) < 0) {
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_ILLEGAL_CHARACTERS);
+                return -1;
+        }
+
+
+        /* Now work out output format and string type */
+        outform = MBSTRING_ASC;
+        if(mask & B_ASN1_PRINTABLESTRING) str_type = V_ASN1_PRINTABLESTRING;
+        else if(mask & B_ASN1_IA5STRING) str_type = V_ASN1_IA5STRING;
+        else if(mask & B_ASN1_T61STRING) str_type = V_ASN1_T61STRING;
+        else if(mask & B_ASN1_BMPSTRING) {
+                str_type = V_ASN1_BMPSTRING;
+                outform = MBSTRING_BMP;
+        } else if(mask & B_ASN1_UNIVERSALSTRING) {
+                str_type = V_ASN1_UNIVERSALSTRING;
+                outform = MBSTRING_UNIV;
+        } else {
+                str_type = V_ASN1_UTF8STRING;
+                outform = MBSTRING_UTF8;
+        }
+        if(!out) return str_type;
+        if(*out) {
+                dest = *out;
+                if(dest->data) {
+                        dest->length = 0;
+                        Free(dest->data);
+                        dest->data = NULL;
+                }
+                dest->type = str_type;
+        } else {
+                dest = ASN1_STRING_type_new(str_type);
+                if(!dest) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                                        ERR_R_MALLOC_FAILURE);
+                        return -1;
+                }
+                *out = dest;
+        }
+        /* If both the same type just copy across */
+        if(inform == outform) {
+                if(!ASN1_STRING_set(dest, in, len)) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                }
+                return str_type;
+        } 
+
+        /* Work out how much space the destination will need */
+        switch(outform) {
+                case MBSTRING_ASC:
+                outlen = nchar;
+                cpyfunc = cpy_asc;
+                break;
+
+                case MBSTRING_BMP:
+                outlen = nchar << 1;
+                cpyfunc = cpy_bmp;
+                break;
+
+                case MBSTRING_UNIV:
+                outlen = nchar << 2;
+                cpyfunc = cpy_univ;
+                break;
+
+                case MBSTRING_UTF8:
+                outlen = 0;
+                traverse_string(in, len, inform, out_utf8, &outlen);
+                cpyfunc = cpy_utf8;
+                break;
+        }
+        if(!(p = Malloc(outlen + 1))) {
+                ASN1_STRING_free(dest);
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+                return -1;
+        }
+        dest->length = outlen;
+        dest->data = p;
+        p[outlen] = 0;
+        traverse_string(in, len, inform, cpyfunc, &p);
+        return str_type;        
+}
+
+/* This function traverses a string and passes the value of each character
+ * to an optional function along with a void * argument.
+ */
+
+static int traverse_string(const unsigned char *p, int len, int inform,
+                 int (*rfunc)(unsigned long value, void *in), void *arg)
+{
+        unsigned long value;
+        int ret;
+        while(len) {
+                if(inform == MBSTRING_ASC) {
+                        value = *p++;
+                        len--;
+                } else if(inform == MBSTRING_BMP) {
+                        value = *p++ << 8;
+                        value |= *p++;
+                        len -= 2;
+                } else if(inform == MBSTRING_UNIV) {
+                        value = *p++ << 24;
+                        value |= *p++ << 16;
+                        value |= *p++ << 8;
+                        value |= *p++;
+                        len -= 4;
+                } else {
+                        ret = UTF8_getc(p, len, &value);
+                        if(ret < 0) return -1;
+                        len -= ret;
+                        p += ret;
+                }
+                if(rfunc) {
+                        ret = rfunc(value, arg);
+                        if(ret <= 0) return ret;
+                }
+        }
+        return 1;
+}
+
+/* Various utility functions for traverse_string */
+
+/* Just count number of characters */
+
+static int in_utf8(unsigned long value, void *arg)
+{
+        int *nchar;
+        nchar = arg;
+        (*nchar)++;
+        return 1;
+}
+
+/* Determine size of output as a UTF8 String */
+
+static int out_utf8(unsigned long value, void *arg)
+{
+        long *outlen;
+        outlen = arg;
+        *outlen += UTF8_putc(NULL, -1, value);
+        return 1;
+}
+
+/* Determine the "type" of a string: check each character against a
+ * supplied "mask".
+ */
+
+static int type_str(unsigned long value, void *arg)
+{
+        unsigned long types;
+        types = *((unsigned long *)arg);
+        if((types & B_ASN1_PRINTABLESTRING) && !is_printable(value))
+                                        types &= ~B_ASN1_PRINTABLESTRING;
+        if((types & B_ASN1_IA5STRING) && (value > 127))
+                                        types &= ~B_ASN1_IA5STRING;
+        if((types & B_ASN1_T61STRING) && (value > 0xff))
+                                        types &= ~B_ASN1_T61STRING;
+        if((types & B_ASN1_BMPSTRING) && (value > 0xffff))
+                                        types &= ~B_ASN1_BMPSTRING;
+        if(!types) return -1;
+        *((unsigned long *)arg) = types;
+        return 1;
+}
+
+/* Copy one byte per character ASCII like strings */
+
+static int cpy_asc(unsigned long value, void *arg)
+{
+        unsigned char **p, *q;
+        p = arg;
+        q = *p;
+        *q = (unsigned char) value;
+        (*p)++;
+        return 1;
+}
+
+/* Copy two byte per character BMPStrings */
+
+static int cpy_bmp(unsigned long value, void *arg)
+{
+        unsigned char **p, *q;
+        p = arg;
+        q = *p;
+        *q++ = (unsigned char) ((value >> 8) & 0xff);
+        *q = (unsigned char) (value & 0xff);
+        *p += 2;
+        return 1;
+}
+
+/* Copy four byte per character UniversalStrings */
+
+static int cpy_univ(unsigned long value, void *arg)
+{
+        unsigned char **p, *q;
+        p = arg;
+        q = *p;
+        *q++ = (unsigned char) ((value >> 24) & 0xff);
+        *q++ = (unsigned char) ((value >> 16) & 0xff);
+        *q++ = (unsigned char) ((value >> 8) & 0xff);
+        *q = (unsigned char) (value & 0xff);
+        *p += 4;
+        return 1;
+}
+
+/* Copy to a UTF8String */
+
+static int cpy_utf8(unsigned long value, void *arg)
+{
+        unsigned char **p;
+        int ret;
+        p = arg;
+        /* We already know there is enough room so pass 0xff as the length */
+        ret = UTF8_putc(*p, 0xff, value);
+        *p += ret;
+        return 1;
+}
+
+/* Return 1 if the character is permitted in a PrintableString */
+static int is_printable(unsigned long value)
+{
+        int ch;
+        if(value > 0x7f) return 0;
+        ch = (int) value;
+        /* Note: we can't use 'isalnum' because certain accented 
+         * characters may count as alphanumeric in some environments.
+         */
+        if((ch >= 'a') && (ch <= 'z')) return 1;
+        if((ch >= 'A') && (ch <= 'Z')) return 1;
+        if((ch >= '0') && (ch <= '9')) return 1;
+        if ((ch == ' ') || strchr("'()+,-./:=?", ch)) return 1;
+        return 0;
+}
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
new file mode 100644
index 0000000000..569b811998
--- /dev/null
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -0,0 +1,533 @@
+/* a_strex.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+
+#include "charmap.h"
+
+/* ASN1_STRING_print_ex() and X509_NAME_print_ex().
+ * Enhanced string and name printing routines handling
+ * multibyte characters, RFC2253 and a host of other
+ * options.
+ */
+
+
+#define CHARTYPE_BS_ESC         (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
+
+
+/* Three IO functions for sending data to memory, a BIO and
+ * and a FILE pointer.
+ */
+
+int send_mem_chars(void *arg, const void *buf, int len)
+{
+        unsigned char **out = arg;
+        if(!out) return 1;
+        memcpy(*out, buf, len);
+        *out += len;
+        return 1;
+}
+
+int send_bio_chars(void *arg, const void *buf, int len)
+{
+        if(!arg) return 1;
+        if(BIO_write(arg, buf, len) != len) return 0;
+        return 1;
+}
+
+int send_fp_chars(void *arg, const void *buf, int len)
+{
+        if(!arg) return 1;
+        if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
+        return 1;
+}
+
+typedef int char_io(void *arg, const void *buf, int len);
+
+/* This function handles display of
+ * strings, one character at a time.
+ * It is passed an unsigned long for each
+ * character because it could come from 2 or even
+ * 4 byte forms.
+ */
+
+static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
+{
+        unsigned char chflgs, chtmp;
+        char tmphex[11];
+        if(c > 0xffff) {
+                BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+                if(!io_ch(arg, tmphex, 10)) return -1;
+                return 10;
+        }
+        if(c > 0xff) {
+                BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+                if(!io_ch(arg, tmphex, 6)) return -1;
+                return 6;
+        }
+        chtmp = (unsigned char)c;
+        if(chtmp > 0x7f) chflgs = flags & ASN1_STRFLGS_ESC_MSB;
+        else chflgs = char_type[chtmp] & flags;
+        if(chflgs & CHARTYPE_BS_ESC) {
+                /* If we don't escape with quotes, signal we need quotes */
+                if(chflgs & ASN1_STRFLGS_ESC_QUOTE) {
+                        if(do_quotes) *do_quotes = 1;
+                        if(!io_ch(arg, &chtmp, 1)) return -1;
+                        return 1;
+                }
+                if(!io_ch(arg, "\\", 1)) return -1;
+                if(!io_ch(arg, &chtmp, 1)) return -1;
+                return 2;
+        }
+        if(chflgs & (ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB)) {
+                BIO_snprintf(tmphex, 11, "\\%02X", chtmp);
+                if(!io_ch(arg, tmphex, 3)) return -1;
+                return 3;
+        }
+        if(!io_ch(arg, &chtmp, 1)) return -1;
+        return 1;
+}
+
+#define BUF_TYPE_WIDTH_MASK     0x7
+#define BUF_TYPE_CONVUTF8       0x8
+
+/* This function sends each character in a buffer to
+ * do_esc_char(). It interprets the content formats
+ * and converts to or from UTF8 as appropriate.
+ */
+
+static int do_buf(unsigned char *buf, int buflen,
+                        int type, unsigned char flags, char *quotes, char_io *io_ch, void *arg)
+{
+        int i, outlen, len;
+        unsigned char orflags, *p, *q;
+        unsigned long c;
+        p = buf;
+        q = buf + buflen;
+        outlen = 0;
+        while(p != q) {
+                if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253;
+                else orflags = 0;
+                switch(type & BUF_TYPE_WIDTH_MASK) {
+                        case 4:
+                        c = ((unsigned long)*p++) << 24;
+                        c |= ((unsigned long)*p++) << 16;
+                        c |= ((unsigned long)*p++) << 8;
+                        c |= *p++;
+                        break;
+
+                        case 2:
+                        c = ((unsigned long)*p++) << 8;
+                        c |= *p++;
+                        break;
+
+                        case 1:
+                        c = *p++;
+                        break;
+                        
+                        case 0:
+                        i = UTF8_getc(p, buflen, &c);
+                        if(i < 0) return -1;    /* Invalid UTF8String */
+                        p += i;
+                        break;
+                }
+                if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
+                if(type & BUF_TYPE_CONVUTF8) {
+                        unsigned char utfbuf[6];
+                        int utflen;
+                        utflen = UTF8_putc(utfbuf, 6, c);
+                        for(i = 0; i < utflen; i++) {
+                                /* We don't need to worry about setting orflags correctly
+                                 * because if utflen==1 its value will be correct anyway 
+                                 * otherwise each character will be > 0x7f and so the 
+                                 * character will never be escaped on first and last.
+                                 */
+                                len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags), quotes, io_ch, arg);
+                                if(len < 0) return -1;
+                                outlen += len;
+                        }
+                } else {
+                        len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, io_ch, arg);
+                        if(len < 0) return -1;
+                        outlen += len;
+                }
+        }
+        return outlen;
+}
+
+/* This function hex dumps a buffer of characters */
+
+static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen)
+{
+        const static char hexdig[] = "0123456789ABCDEF";
+        unsigned char *p, *q;
+        char hextmp[2];
+        if(arg) {
+                p = buf;
+                q = buf + buflen;
+                while(p != q) {
+                        hextmp[0] = hexdig[*p >> 4];
+                        hextmp[1] = hexdig[*p & 0xf];
+                        if(!io_ch(arg, hextmp, 2)) return -1;
+                        p++;
+                }
+        }
+        return buflen << 1;
+}
+
+/* "dump" a string. This is done when the type is unknown,
+ * or the flags request it. We can either dump the content
+ * octets or the entire DER encoding. This uses the RFC2253
+ * #01234 format.
+ */
+
+int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+{
+        /* Placing the ASN1_STRING in a temp ASN1_TYPE allows
+         * the DER encoding to readily obtained
+         */
+        ASN1_TYPE t;
+        unsigned char *der_buf, *p;
+        int outlen, der_len;
+
+        if(!io_ch(arg, "#", 1)) return -1;
+        /* If we don't dump DER encoding just dump content octets */
+        if(!(lflags & ASN1_STRFLGS_DUMP_DER)) {
+                outlen = do_hex_dump(io_ch, arg, str->data, str->length);
+                if(outlen < 0) return -1;
+                return outlen + 1;
+        }
+        t.type = str->type;
+        t.value.ptr = (char *)str;
+        der_len = i2d_ASN1_TYPE(&t, NULL);
+        der_buf = OPENSSL_malloc(der_len);
+        if(!der_buf) return -1;
+        p = der_buf;
+        i2d_ASN1_TYPE(&t, &p);
+        outlen = do_hex_dump(io_ch, arg, der_buf, der_len);
+        OPENSSL_free(der_buf);
+        if(outlen < 0) return -1;
+        return outlen + 1;
+}
+
+/* Lookup table to convert tags to character widths,
+ * 0 = UTF8 encoded, -1 is used for non string types
+ * otherwise it is the number of bytes per character
+ */
+
+const static char tag2nbyte[] = {
+        -1, -1, -1, -1, -1,     /* 0-4 */
+        -1, -1, -1, -1, -1,     /* 5-9 */
+        -1, -1, 0, -1,          /* 10-13 */
+        -1, -1, -1, -1,         /* 15-17 */
+        -1, 1, 1,               /* 18-20 */
+        -1, 1, -1,-1,           /* 21-24 */
+        -1, 1, -1,              /* 25-27 */
+        4, -1, 2                /* 28-30 */
+};
+
+#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+                  ASN1_STRFLGS_ESC_QUOTE | \
+                  ASN1_STRFLGS_ESC_CTRL | \
+                  ASN1_STRFLGS_ESC_MSB)
+
+/* This is the main function, print out an
+ * ASN1_STRING taking note of various escape
+ * and display options. Returns number of
+ * characters written or -1 if an error
+ * occurred.
+ */
+
+static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str)
+{
+        int outlen, len;
+        int type;
+        char quotes;
+        unsigned char flags;
+        quotes = 0;
+        /* Keep a copy of escape flags */
+        flags = (unsigned char)(lflags & ESC_FLAGS);
+
+        type = str->type;
+
+        outlen = 0;
+
+
+        if(lflags & ASN1_STRFLGS_SHOW_TYPE) {
+                const char *tagname;
+                tagname = ASN1_tag2str(type);
+                outlen += strlen(tagname);
+                if(!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; 
+                outlen++;
+        }
+
+        /* Decide what to do with type, either dump content or display it */
+
+        /* Dump everything */
+        if(lflags & ASN1_STRFLGS_DUMP_ALL) type = -1;
+        /* Ignore the string type */
+        else if(lflags & ASN1_STRFLGS_IGNORE_TYPE) type = 1;
+        else {
+                /* Else determine width based on type */
+                if((type > 0) && (type < 31)) type = tag2nbyte[type];
+                else type = -1;
+                if((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN)) type = 1;
+        }
+
+        if(type == -1) {
+                len = do_dump(lflags, io_ch, arg, str);
+                if(len < 0) return -1;
+                outlen += len;
+                return outlen;
+        }
+
+        if(lflags & ASN1_STRFLGS_UTF8_CONVERT) {
+                /* Note: if string is UTF8 and we want
+                 * to convert to UTF8 then we just interpret
+                 * it as 1 byte per character to avoid converting
+                 * twice.
+                 */
+                if(!type) type = 1;
+                else type |= BUF_TYPE_CONVUTF8;
+        }
+
+        len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
+        if(outlen < 0) return -1;
+        outlen += len;
+        if(quotes) outlen += 2;
+        if(!arg) return outlen;
+        if(quotes && !io_ch(arg, "\"", 1)) return -1;
+        do_buf(str->data, str->length, type, flags, NULL, io_ch, arg);
+        if(quotes && !io_ch(arg, "\"", 1)) return -1;
+        return outlen;
+}
+
+/* Used for line indenting: print 'indent' spaces */
+
+static int do_indent(char_io *io_ch, void *arg, int indent)
+{
+        int i;
+        for(i = 0; i < indent; i++)
+                        if(!io_ch(arg, " ", 1)) return 0;
+        return 1;
+}
+
+
+static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
+                                int indent, unsigned long flags)
+{
+        int i, prev = -1, orflags, cnt;
+        int fn_opt, fn_nid;
+        ASN1_OBJECT *fn;
+        ASN1_STRING *val;
+        X509_NAME_ENTRY *ent;
+        char objtmp[80];
+        const char *objbuf;
+        int outlen, len;
+        char *sep_dn, *sep_mv, *sep_eq;
+        int sep_dn_len, sep_mv_len, sep_eq_len;
+        if(indent < 0) indent = 0;
+        outlen = indent;
+        if(!do_indent(io_ch, arg, indent)) return -1;
+        switch (flags & XN_FLAG_SEP_MASK)
+        {
+                case XN_FLAG_SEP_MULTILINE:
+                sep_dn = "\n";
+                sep_dn_len = 1;
+                sep_mv = " + ";
+                sep_mv_len = 3;
+                break;
+
+                case XN_FLAG_SEP_COMMA_PLUS:
+                sep_dn = ",";
+                sep_dn_len = 1;
+                sep_mv = "+";
+                sep_mv_len = 1;
+                indent = 0;
+                break;
+
+                case XN_FLAG_SEP_CPLUS_SPC:
+                sep_dn = ", ";
+                sep_dn_len = 2;
+                sep_mv = " + ";
+                sep_mv_len = 3;
+                indent = 0;
+                break;
+
+                case XN_FLAG_SEP_SPLUS_SPC:
+                sep_dn = "; ";
+                sep_dn_len = 2;
+                sep_mv = " + ";
+                sep_mv_len = 3;
+                indent = 0;
+                break;
+
+                default:
+                return -1;
+        }
+
+        if(flags & XN_FLAG_SPC_EQ) {
+                sep_eq = " = ";
+                sep_eq_len = 3;
+        } else {
+                sep_eq = "=";
+                sep_eq_len = 1;
+        }
+
+        fn_opt = flags & XN_FLAG_FN_MASK;
+
+        cnt = X509_NAME_entry_count(n); 
+        for(i = 0; i < cnt; i++) {
+                if(flags & XN_FLAG_DN_REV)
+                                ent = X509_NAME_get_entry(n, cnt - i - 1);
+                else ent = X509_NAME_get_entry(n, i);
+                if(prev != -1) {
+                        if(prev == ent->set) {
+                                if(!io_ch(arg, sep_mv, sep_mv_len)) return -1;
+                                outlen += sep_mv_len;
+                        } else {
+                                if(!io_ch(arg, sep_dn, sep_dn_len)) return -1;
+                                outlen += sep_dn_len;
+                                if(!do_indent(io_ch, arg, indent)) return -1;
+                                outlen += indent;
+                        }
+                }
+                prev = ent->set;
+                fn = X509_NAME_ENTRY_get_object(ent);
+                val = X509_NAME_ENTRY_get_data(ent);
+                fn_nid = OBJ_obj2nid(fn);
+                if(fn_opt != XN_FLAG_FN_NONE) {
+                        int objlen;
+                        if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
+                                OBJ_obj2txt(objtmp, 80, fn, 1);
+                                objbuf = objtmp;
+                        } else {
+                                if(fn_opt == XN_FLAG_FN_SN) 
+                                        objbuf = OBJ_nid2sn(fn_nid);
+                                else if(fn_opt == XN_FLAG_FN_LN)
+                                        objbuf = OBJ_nid2ln(fn_nid);
+                                else objbuf = "";
+                        }
+                        objlen = strlen(objbuf);
+                        if(!io_ch(arg, objbuf, objlen)) return -1;
+                        if(!io_ch(arg, sep_eq, sep_eq_len)) return -1;
+                        outlen += objlen + sep_eq_len;
+                }
+                /* If the field name is unknown then fix up the DER dump
+                 * flag. We might want to limit this further so it will
+                 * DER dump on anything other than a few 'standard' fields.
+                 */
+                if((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) 
+                                        orflags = ASN1_STRFLGS_DUMP_ALL;
+                else orflags = 0;
+     
+                len = do_print_ex(io_ch, arg, flags | orflags, val);
+                if(len < 0) return -1;
+                outlen += len;
+        }
+        return outlen;
+}
+
+/* Wrappers round the main functions */
+
+int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
+{
+        return do_name_ex(send_bio_chars, out, nm, indent, flags);
+}
+
+
+int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
+{
+        return do_name_ex(send_fp_chars, fp, nm, indent, flags);
+}
+
+int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
+{
+        return do_print_ex(send_bio_chars, out, flags, str);
+}
+
+
+int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
+{
+        return do_print_ex(send_fp_chars, fp, flags, str);
+}
+
+/* Utility function: convert any string type to UTF8, returns number of bytes
+ * in output string or a negative error code
+ */
+
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
+{
+        ASN1_STRING stmp, *str = &stmp;
+        int mbflag, type, ret;
+        if(!*out || !in) return -1;
+        type = in->type;
+        if((type < 0) || (type > 30)) return -1;
+        mbflag = tag2nbyte[type];
+        if(mbflag == -1) return -1;
+        mbflag |= MBSTRING_FLAG;
+        stmp.data = NULL;
+        ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
+        if(ret < 0) return ret;
+        if(out) *out = stmp.data;
+        return stmp.length;
+}
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
new file mode 100644
index 0000000000..ab8417ffab
--- /dev/null
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -0,0 +1,247 @@
+/* a_strnid.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+
+
+static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
+static void st_free(ASN1_STRING_TABLE *tbl);
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b);
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
+
+
+/* This is the global mask for the mbstring functions: this is use to
+ * mask out certain types (such as BMPString and UTF8String) because
+ * certain software (e.g. Netscape) has problems with them.
+ */
+
+static unsigned long global_mask = 0xFFFFFFFFL;
+
+void ASN1_STRING_set_default_mask(unsigned long mask)
+{
+        global_mask = mask;
+}
+
+unsigned long ASN1_STRING_get_default_mask(void)
+{
+        return global_mask;
+}
+
+/* This function sets the default to various "flavours" of configuration.
+ * based on an ASCII string. Currently this is:
+ * MASK:XXXX : a numerical mask value.
+ * nobmp : Don't use BMPStrings (just Printable, T61).
+ * pkix : PKIX recommendation in RFC2459.
+ * utf8only : only use UTF8Strings (RFC2459 recommendation for 2004).
+ * default:   the default value, Printable, T61, BMP.
+ */
+
+int ASN1_STRING_set_default_mask_asc(char *p)
+{
+        unsigned long mask;
+        char *end;
+        if(!strncmp(p, "MASK:", 5)) {
+                if(!p[5]) return 0;
+                mask = strtoul(p + 5, &end, 0);
+                if(*end) return 0;
+        } else if(!strcmp(p, "nombstr"))
+                         mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
+        else if(!strcmp(p, "pkix"))
+                        mask = ~B_ASN1_T61STRING;
+        else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
+        else if(!strcmp(p, "default"))
+            mask = 0xFFFFFFFFL;
+        else return 0;
+        ASN1_STRING_set_default_mask(mask);
+        return 1;
+}
+
+/* The following function generates an ASN1_STRING based on limits in a table.
+ * Frequently the types and length of an ASN1_STRING are restricted by a 
+ * corresponding OID. For example certificates and certificate requests.
+ */
+
+ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
+                                        int inlen, int inform, int nid)
+{
+        ASN1_STRING_TABLE *tbl;
+        ASN1_STRING *str = NULL;
+        unsigned long mask;
+        int ret;
+        if(!out) out = &str;
+        tbl = ASN1_STRING_TABLE_get(nid);
+        if(tbl) {
+                mask = tbl->mask;
+                if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
+                ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+                                        tbl->minsize, tbl->maxsize);
+        } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
+        if(ret <= 0) return NULL;
+        return *out;
+}
+
+/* Now the tables and helper functions for the string table:
+ */
+
+/* size limits: this stuff is taken straight from RFC2459 */
+
+#define ub_name                         32768
+#define ub_common_name                  64
+#define ub_locality_name                128
+#define ub_state_name                   128
+#define ub_organization_name            64
+#define ub_organization_unit_name       64
+#define ub_title                        64
+#define ub_email_address                128
+
+/* This table must be kept in NID order */
+
+static ASN1_STRING_TABLE tbl_standard[] = {
+{NID_commonName,                1, ub_common_name, DIRSTRING_TYPE, 0},
+{NID_countryName,               2, 2, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_localityName,              1, ub_locality_name, DIRSTRING_TYPE, 0},
+{NID_stateOrProvinceName,       1, ub_state_name, DIRSTRING_TYPE, 0},
+{NID_organizationName,          1, ub_organization_name, DIRSTRING_TYPE, 0},
+{NID_organizationalUnitName,    1, ub_organization_unit_name, DIRSTRING_TYPE, 0},
+{NID_pkcs9_emailAddress,        1, ub_email_address, B_ASN1_IA5STRING, STABLE_NO_MASK},
+{NID_pkcs9_unstructuredName,    1, -1, PKCS9STRING_TYPE, 0},
+{NID_pkcs9_challengePassword,   1, -1, PKCS9STRING_TYPE, 0},
+{NID_pkcs9_unstructuredAddress, 1, -1, DIRSTRING_TYPE, 0},
+{NID_givenName,                 1, ub_name, DIRSTRING_TYPE, 0},
+{NID_surname,                   1, ub_name, DIRSTRING_TYPE, 0},
+{NID_initials,                  1, ub_name, DIRSTRING_TYPE, 0},
+{NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
+{NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
+};
+
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
+{
+        return (*a)->nid - (*b)->nid;
+}
+
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
+{
+        return a->nid - b->nid;
+}
+
+ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
+{
+        int idx;
+        ASN1_STRING_TABLE *ttmp;
+        ASN1_STRING_TABLE fnd;
+        fnd.nid = nid;
+        ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
+                                        (char *)tbl_standard, 
+                        sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
+                        sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+        if(ttmp) return ttmp;
+        if(!stable) return NULL;
+        idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
+        if(idx < 0) return NULL;
+        return sk_ASN1_STRING_TABLE_value(stable, idx);
+}
+        
+int ASN1_STRING_TABLE_add(int nid,
+                 long minsize, long maxsize, unsigned long mask,
+                                unsigned long flags)
+{
+        ASN1_STRING_TABLE *tmp;
+        char new_nid = 0;
+        flags &= ~STABLE_FLAGS_MALLOC;
+        if(!stable) stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
+        if(!stable) {
+                ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if(!(tmp = ASN1_STRING_TABLE_get(nid))) {
+                tmp = Malloc(sizeof(ASN1_STRING_TABLE));
+                if(!tmp) {
+                        ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD,
+                                                        ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                tmp->flags = flags | STABLE_FLAGS_MALLOC;
+                tmp->nid = nid;
+                new_nid = 1;
+        } else tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags;
+        if(minsize != -1) tmp->minsize = minsize;
+        if(maxsize != -1) tmp->maxsize = maxsize;
+        tmp->mask = mask;
+        if(new_nid) sk_ASN1_STRING_TABLE_push(stable, tmp);
+        return 1;
+}
+
+void ASN1_STRING_TABLE_cleanup(void)
+{
+        STACK_OF(ASN1_STRING_TABLE) *tmp;
+        tmp = stable;
+        if(!tmp) return;
+        stable = NULL;
+        sk_ASN1_STRING_TABLE_pop_free(tmp, st_free);
+}
+
+static void st_free(ASN1_STRING_TABLE *tbl)
+{
+        if(tbl->flags & STABLE_FLAGS_MALLOC) Free(tbl);
+}
+
+IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
new file mode 100644
index 0000000000..c1690a5694
--- /dev/null
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -0,0 +1,123 @@
+/* crypto/asn1/a_time.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* This is an implementation of the ASN1 Time structure which is:
+ *    Time ::= CHOICE {
+ *      utcTime        UTCTime,
+ *      generalTime    GeneralizedTime }
+ * written by Steve Henson.
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
+        {
+#ifdef CHARSET_EBCDIC
+        /* KLUDGE! We convert to ascii before writing DER */
+        char tmp[24];
+        ASN1_STRING tmpstr;
+
+        if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME) {
+            int len;
+
+            tmpstr = *(ASN1_STRING *)a;
+            len = tmpstr.length;
+            ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len);
+            tmpstr.data = tmp;
+            a = (ASN1_GENERALIZEDTIME *) &tmpstr;
+        }
+#endif
+        if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME)
+                                return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+                                     a->type ,V_ASN1_UNIVERSAL));
+        ASN1err(ASN1_F_I2D_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
+        return -1;
+        }
+
+
+ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length)
+        {
+        unsigned char tag;
+        tag = **pp & ~V_ASN1_CONSTRUCTED;
+        if(tag == (V_ASN1_UTCTIME|V_ASN1_UNIVERSAL))
+                                         return d2i_ASN1_UTCTIME(a, pp, length);
+        if(tag == (V_ASN1_GENERALIZEDTIME|V_ASN1_UNIVERSAL))
+                                return d2i_ASN1_GENERALIZEDTIME(a, pp, length);
+        ASN1err(ASN1_F_D2I_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
+        return(NULL);
+        }
+
+
+ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
+        {
+        struct tm *ts;
+#if defined(THREADS) && !defined(WIN32)
+        struct tm data;
+#endif
+
+#if defined(THREADS) && !defined(WIN32)
+        gmtime_r(&t,&data);
+        ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */
+#else
+        ts=gmtime(&t);
+#endif
+        if((ts->tm_year >= 50) && (ts->tm_year < 150))
+                                        return ASN1_UTCTIME_set(s, t);
+        return ASN1_GENERALIZEDTIME_set(s,t);
+        }
diff --git a/src/lib/libcrypto/asn1/a_utf8.c b/src/lib/libcrypto/asn1/a_utf8.c
new file mode 100644
index 0000000000..4a8a92e9e4
--- /dev/null
+++ b/src/lib/libcrypto/asn1/a_utf8.c
@@ -0,0 +1,83 @@
+/* crypto/asn1/a_utf8.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+int i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a, unsigned char **pp)
+        {
+        return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+                V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL));
+        }
+
+ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a, unsigned char **pp,
+             long length)
+        {
+        ASN1_UTF8STRING *ret=NULL;
+
+        ret=(ASN1_UTF8STRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
+                pp,length,V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL);
+        if (ret == NULL)
+                {
+                ASN1err(ASN1_F_D2I_ASN1_UTF8STRING,ERR_R_NESTED_ASN1_ERROR);
+                return(NULL);
+                }
+        return(ret);
+        }
+
diff --git a/src/lib/libcrypto/asn1/asn1t.h b/src/lib/libcrypto/asn1/asn1t.h
new file mode 100644
index 0000000000..ed372f8554
--- /dev/null
+++ b/src/lib/libcrypto/asn1/asn1t.h
@@ -0,0 +1,846 @@
+/* asn1t.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_ASN1T_H
+#define HEADER_ASN1T_H
+
+#include <stddef.h>
+#include <openssl/e_os2.h>
+#include <openssl/asn1.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
+/* ASN1 template defines, structures and functions */
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */
+#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr))
+
+
+/* Macros for start and end of ASN1_ITEM definition */
+
+#define ASN1_ITEM_start(itname) \
+        OPENSSL_GLOBAL const ASN1_ITEM itname##_it = {
+
+#define ASN1_ITEM_end(itname) \
+                };
+
+#else
+
+/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */
+#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr()))
+
+
+/* Macros for start and end of ASN1_ITEM definition */
+
+#define ASN1_ITEM_start(itname) \
+        const ASN1_ITEM * itname##_it(void) \
+        { \
+                static const ASN1_ITEM local_it = { \
+
+#define ASN1_ITEM_end(itname) \
+                }; \
+        return &local_it; \
+        }
+
+#endif
+
+
+/* Macros to aid ASN1 template writing */
+
+#define ASN1_ITEM_TEMPLATE(tname) \
+        const static ASN1_TEMPLATE tname##_item_tt 
+
+#define ASN1_ITEM_TEMPLATE_END(tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_PRIMITIVE,\
+                -1,\
+                &tname##_item_tt,\
+                0,\
+                NULL,\
+                0,\
+                #tname \
+        ASN1_ITEM_end(tname)
+
+
+/* This is a ASN1 type which just embeds a template */
+ 
+/* This pair helps declare a SEQUENCE. We can do:
+ *
+ *      ASN1_SEQUENCE(stname) = {
+ *              ... SEQUENCE components ...
+ *      } ASN1_SEQUENCE_END(stname)
+ *
+ *      This will produce an ASN1_ITEM called stname_it
+ *      for a structure called stname.
+ *
+ *      If you want the same structure but a different
+ *      name then use:
+ *
+ *      ASN1_SEQUENCE(itname) = {
+ *              ... SEQUENCE components ...
+ *      } ASN1_SEQUENCE_END_name(stname, itname)
+ *
+ *      This will create an item called itname_it using
+ *      a structure called stname.
+ */
+
+#define ASN1_SEQUENCE(tname) \
+        const static ASN1_TEMPLATE tname##_seq_tt[] 
+
+#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)
+
+#define ASN1_SEQUENCE_END_name(stname, tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_SEQUENCE,\
+                V_ASN1_SEQUENCE,\
+                tname##_seq_tt,\
+                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                NULL,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+#define ASN1_SEQUENCE_cb(tname, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_BROKEN_SEQUENCE(tname) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_SEQUENCE_ref(tname, cb, lck) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_SEQUENCE_enc(tname, enc, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname)
+
+#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+
+#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+
+#define ASN1_SEQUENCE_END_ref(stname, tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_SEQUENCE,\
+                V_ASN1_SEQUENCE,\
+                tname##_seq_tt,\
+                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                &tname##_aux,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+
+/* This pair helps declare a CHOICE type. We can do:
+ *
+ *      ASN1_CHOICE(chname) = {
+ *              ... CHOICE options ...
+ *      ASN1_CHOICE_END(chname)
+ *
+ *      This will produce an ASN1_ITEM called chname_it
+ *      for a structure called chname. The structure
+ *      definition must look like this:
+ *      typedef struct {
+ *              int type;
+ *              union {
+ *                      ASN1_SOMETHING *opt1;
+ *                      ASN1_SOMEOTHER *opt2;
+ *              } value;
+ *      } chname;
+ *      
+ *      the name of the selector must be 'type'.
+ *      to use an alternative selector name use the
+ *      ASN1_CHOICE_END_selector() version.
+ */
+
+#define ASN1_CHOICE(tname) \
+        const static ASN1_TEMPLATE tname##_ch_tt[] 
+
+#define ASN1_CHOICE_cb(tname, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        ASN1_CHOICE(tname)
+
+#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)
+
+#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type)
+
+#define ASN1_CHOICE_END_selector(stname, tname, selname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_CHOICE,\
+                offsetof(stname,selname) ,\
+                tname##_ch_tt,\
+                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                NULL,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+#define ASN1_CHOICE_END_cb(stname, tname, selname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_CHOICE,\
+                offsetof(stname,selname) ,\
+                tname##_ch_tt,\
+                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                &tname##_aux,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+/* This helps with the template wrapper form of ASN1_ITEM */
+
+#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \
+        (flags), (tag), 0,\
+        #name, ASN1_ITEM_ref(type) }
+
+/* These help with SEQUENCE or CHOICE components */
+
+/* used to declare other types */
+
+#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \
+        (flags), (tag), offsetof(stname, field),\
+        #field, ASN1_ITEM_ref(type) }
+
+/* used when the structure is combined with the parent */
+
+#define ASN1_EX_COMBINE(flags, tag, type) { \
+        (flags)|ASN1_TFLG_COMBINE, (tag), 0, NULL, ASN1_ITEM_ref(type) }
+
+/* implicit and explicit helper macros */
+
+#define ASN1_IMP_EX(stname, field, type, tag, ex) \
+                ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
+
+#define ASN1_EXP_EX(stname, field, type, tag, ex) \
+                ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
+
+/* Any defined by macros: the field used is in the table itself */
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#else
+#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, tblname##_adb }
+#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, tblname##_adb }
+#endif
+/* Plain simple type */
+#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type)
+
+/* OPTIONAL simple type */
+#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* IMPLICIT tagged simple type */
+#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0)
+
+/* IMPLICIT tagged OPTIONAL simple type */
+#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+
+/* Same as above but EXPLICIT */
+
+#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+
+/* SEQUENCE OF type */
+#define ASN1_SEQUENCE_OF(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
+
+/* OPTIONAL SEQUENCE OF */
+#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* Same as above but for SET OF */
+
+#define ASN1_SET_OF(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
+
+#define ASN1_SET_OF_OPT(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */
+
+#define ASN1_IMP_SET_OF(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+
+#define ASN1_EXP_SET_OF(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+
+#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+
+#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+
+#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+
+/* Macros for the ASN1_ADB structure */
+
+#define ASN1_ADB(name) \
+        const static ASN1_ADB_TABLE name##_adbtbl[] 
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+        ;\
+        const static ASN1_ADB name##_adb = {\
+                flags,\
+                offsetof(name, field),\
+                app_table,\
+                name##_adbtbl,\
+                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                def,\
+                none\
+        }
+
+#else
+
+#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+        ;\
+        const static ASN1_ITEM *name##_adb(void) \
+        { \
+        const static ASN1_ADB internal_adb = \
+                {\
+                flags,\
+                offsetof(name, field),\
+                app_table,\
+                name##_adbtbl,\
+                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                def,\
+                none\
+                }; \
+                return (const ASN1_ITEM *) &internal_adb; \
+        } \
+        void dummy_function(void)
+
+#endif
+
+#define ADB_ENTRY(val, template) {val, template}
+
+#define ASN1_ADB_TEMPLATE(name) \
+        const static ASN1_TEMPLATE name##_tt 
+
+/* This is the ASN1 template structure that defines
+ * a wrapper round the actual type. It determines the
+ * actual position of the field in the value structure,
+ * various flags such as OPTIONAL and the field name.
+ */
+
+struct ASN1_TEMPLATE_st {
+unsigned long flags;            /* Various flags */
+long tag;                       /* tag, not used if no tagging */
+unsigned long offset;           /* Offset of this field in structure */
+#ifndef NO_ASN1_FIELD_NAMES
+char *field_name;               /* Field name */
+#endif
+ASN1_ITEM_EXP *item;            /* Relevant ASN1_ITEM or ASN1_ADB */
+};
+
+/* Macro to extract ASN1_ITEM and ASN1_ADB pointer from ASN1_TEMPLATE */
+
+#define ASN1_TEMPLATE_item(t) (t->item_ptr)
+#define ASN1_TEMPLATE_adb(t) (t->item_ptr)
+
+typedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE;
+typedef struct ASN1_ADB_st ASN1_ADB;
+
+struct ASN1_ADB_st {
+        unsigned long flags;    /* Various flags */
+        unsigned long offset;   /* Offset of selector field */
+        STACK_OF(ASN1_ADB_TABLE) **app_items; /* Application defined items */
+        const ASN1_ADB_TABLE *tbl;      /* Table of possible types */
+        long tblcount;          /* Number of entries in tbl */
+        const ASN1_TEMPLATE *default_tt;  /* Type to use if no match */
+        const ASN1_TEMPLATE *null_tt;  /* Type to use if selector is NULL */
+};
+
+struct ASN1_ADB_TABLE_st {
+        long value;             /* NID for an object or value for an int */
+        const ASN1_TEMPLATE tt;         /* item for this value */
+};
+
+/* template flags */
+
+/* Field is optional */
+#define ASN1_TFLG_OPTIONAL      (0x1)
+
+/* Field is a SET OF */
+#define ASN1_TFLG_SET_OF        (0x1 << 1)
+
+/* Field is a SEQUENCE OF */
+#define ASN1_TFLG_SEQUENCE_OF   (0x2 << 1)
+
+/* Special case: this refers to a SET OF that
+ * will be sorted into DER order when encoded *and*
+ * the corresponding STACK will be modified to match
+ * the new order.
+ */
+#define ASN1_TFLG_SET_ORDER     (0x3 << 1)
+
+/* Mask for SET OF or SEQUENCE OF */
+#define ASN1_TFLG_SK_MASK       (0x3 << 1)
+
+/* These flags mean the tag should be taken from the
+ * tag field. If EXPLICIT then the underlying type
+ * is used for the inner tag.
+ */
+
+/* IMPLICIT tagging */
+#define ASN1_TFLG_IMPTAG        (0x1 << 3)
+
+
+/* EXPLICIT tagging, inner tag from underlying type */
+#define ASN1_TFLG_EXPTAG        (0x2 << 3)
+
+#define ASN1_TFLG_TAG_MASK      (0x3 << 3)
+
+/* context specific IMPLICIT */
+#define ASN1_TFLG_IMPLICIT      ASN1_TFLG_IMPTAG|ASN1_TFLG_CONTEXT
+
+/* context specific EXPLICIT */
+#define ASN1_TFLG_EXPLICIT      ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT
+
+/* If tagging is in force these determine the
+ * type of tag to use. Otherwise the tag is
+ * determined by the underlying type. These 
+ * values reflect the actual octet format.
+ */
+
+/* Universal tag */ 
+#define ASN1_TFLG_UNIVERSAL     (0x0<<6)
+/* Application tag */ 
+#define ASN1_TFLG_APPLICATION   (0x1<<6)
+/* Context specific tag */ 
+#define ASN1_TFLG_CONTEXT       (0x2<<6)
+/* Private tag */ 
+#define ASN1_TFLG_PRIVATE       (0x3<<6)
+
+#define ASN1_TFLG_TAG_CLASS     (0x3<<6)
+
+/* These are for ANY DEFINED BY type. In this case
+ * the 'item' field points to an ASN1_ADB structure
+ * which contains a table of values to decode the
+ * relevant type
+ */
+
+#define ASN1_TFLG_ADB_MASK      (0x3<<8)
+
+#define ASN1_TFLG_ADB_OID       (0x1<<8)
+
+#define ASN1_TFLG_ADB_INT       (0x1<<9)
+
+/* This flag means a parent structure is passed
+ * instead of the field: this is useful is a
+ * SEQUENCE is being combined with a CHOICE for
+ * example. Since this means the structure and
+ * item name will differ we need to use the
+ * ASN1_CHOICE_END_name() macro for example.
+ */
+
+#define ASN1_TFLG_COMBINE       (0x1<<10)
+
+/* This is the actual ASN1 item itself */
+
+struct ASN1_ITEM_st {
+char itype;                     /* The item type, primitive, SEQUENCE, CHOICE or extern */
+long utype;                     /* underlying type */
+const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains the contents */
+long tcount;                    /* Number of templates if SEQUENCE or CHOICE */
+const void *funcs;              /* functions that handle this type */
+long size;                      /* Structure size (usually)*/
+#ifndef NO_ASN1_FIELD_NAMES
+const char *sname;              /* Structure name */
+#endif
+};
+
+/* These are values for the itype field and
+ * determine how the type is interpreted.
+ *
+ * For PRIMITIVE types the underlying type
+ * determines the behaviour if items is NULL.
+ *
+ * Otherwise templates must contain a single 
+ * template and the type is treated in the
+ * same way as the type specified in the template.
+ *
+ * For SEQUENCE types the templates field points
+ * to the members, the size field is the
+ * structure size.
+ *
+ * For CHOICE types the templates field points
+ * to each possible member (typically a union)
+ * and the 'size' field is the offset of the
+ * selector.
+ *
+ * The 'funcs' field is used for application
+ * specific functions. 
+ *
+ * For COMPAT types the funcs field gives a
+ * set of functions that handle this type, this
+ * supports the old d2i, i2d convention.
+ *
+ * The EXTERN type uses a new style d2i/i2d.
+ * The new style should be used where possible
+ * because it avoids things like the d2i IMPLICIT
+ * hack.
+ *
+ * MSTRING is a multiple string type, it is used
+ * for a CHOICE of character strings where the
+ * actual strings all occupy an ASN1_STRING
+ * structure. In this case the 'utype' field
+ * has a special meaning, it is used as a mask
+ * of acceptable types using the B_ASN1 constants.
+ *
+ */
+
+#define ASN1_ITYPE_PRIMITIVE    0x0
+
+#define ASN1_ITYPE_SEQUENCE     0x1
+
+#define ASN1_ITYPE_CHOICE       0x2
+
+#define ASN1_ITYPE_COMPAT       0x3
+
+#define ASN1_ITYPE_EXTERN       0x4
+
+#define ASN1_ITYPE_MSTRING      0x5
+
+/* Cache for ASN1 tag and length, so we
+ * don't keep re-reading it for things
+ * like CHOICE
+ */
+
+struct ASN1_TLC_st{
+        char valid;     /* Values below are valid */
+        int ret;        /* return value */
+        long plen;      /* length */
+        int ptag;       /* class value */
+        int pclass;     /* class value */
+        int hdrlen;     /* header length */
+};
+
+/* Typedefs for ASN1 function pointers */
+
+typedef ASN1_VALUE * ASN1_new_func(void);
+typedef void ASN1_free_func(ASN1_VALUE *a);
+typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, unsigned char ** in, long length);
+typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in);
+
+typedef int ASN1_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                        int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
+typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+typedef struct ASN1_COMPAT_FUNCS_st {
+        ASN1_new_func *asn1_new;
+        ASN1_free_func *asn1_free;
+        ASN1_d2i_func *asn1_d2i;
+        ASN1_i2d_func *asn1_i2d;
+} ASN1_COMPAT_FUNCS;
+
+typedef struct ASN1_EXTERN_FUNCS_st {
+        void *app_data;
+        ASN1_ex_new_func *asn1_ex_new;
+        ASN1_ex_free_func *asn1_ex_free;
+        ASN1_ex_free_func *asn1_ex_clear;
+        ASN1_ex_d2i *asn1_ex_d2i;
+        ASN1_ex_i2d *asn1_ex_i2d;
+} ASN1_EXTERN_FUNCS;
+
+typedef struct ASN1_PRIMITIVE_FUNCS_st {
+        void *app_data;
+        unsigned long flags;
+        ASN1_ex_new_func *prim_new;
+        ASN1_ex_free_func *prim_free;
+        ASN1_ex_free_func *prim_clear;
+        ASN1_primitive_c2i *prim_c2i;
+        ASN1_primitive_i2c *prim_i2c;
+} ASN1_PRIMITIVE_FUNCS;
+
+/* This is the ASN1_AUX structure: it handles various
+ * miscellaneous requirements. For example the use of
+ * reference counts and an informational callback.
+ *
+ * The "informational callback" is called at various
+ * points during the ASN1 encoding and decoding. It can
+ * be used to provide minor customisation of the structures
+ * used. This is most useful where the supplied routines
+ * *almost* do the right thing but need some extra help
+ * at a few points. If the callback returns zero then
+ * it is assumed a fatal error has occurred and the 
+ * main operation should be abandoned.
+ *
+ * If major changes in the default behaviour are required
+ * then an external type is more appropriate.
+ */
+
+typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it);
+
+typedef struct ASN1_AUX_st {
+        void *app_data;
+        int flags;
+        int ref_offset;         /* Offset of reference value */
+        int ref_lock;           /* Lock type to use */
+        ASN1_aux_cb *asn1_cb;
+        int enc_offset;         /* Offset of ASN1_ENCODING structure */
+} ASN1_AUX;
+
+/* Flags in ASN1_AUX */
+
+/* Use a reference count */
+#define ASN1_AFLG_REFCOUNT      1
+/* Save the encoding of structure (useful for signatures) */
+#define ASN1_AFLG_ENCODING      2
+/* The Sequence length is invalid */
+#define ASN1_AFLG_BROKEN        4
+
+/* operation values for asn1_cb */
+
+#define ASN1_OP_NEW_PRE         0
+#define ASN1_OP_NEW_POST        1
+#define ASN1_OP_FREE_PRE        2
+#define ASN1_OP_FREE_POST       3
+#define ASN1_OP_D2I_PRE         4
+#define ASN1_OP_D2I_POST        5
+#define ASN1_OP_I2D_PRE         6
+#define ASN1_OP_I2D_POST        7
+
+/* Macro to implement a primitive type */
+#define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0)
+#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \
+                                ASN1_ITEM_start(itname) \
+                                        ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \
+                                ASN1_ITEM_end(itname)
+
+/* Macro to implement a multi string type */
+#define IMPLEMENT_ASN1_MSTRING(itname, mask) \
+                                ASN1_ITEM_start(itname) \
+                                        ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \
+                                ASN1_ITEM_end(itname)
+
+/* Macro to implement an ASN1_ITEM in terms of old style funcs */
+
+#define IMPLEMENT_COMPAT_ASN1(sname) IMPLEMENT_COMPAT_ASN1_type(sname, V_ASN1_SEQUENCE)
+
+#define IMPLEMENT_COMPAT_ASN1_type(sname, tag) \
+        static const ASN1_COMPAT_FUNCS sname##_ff = { \
+                (ASN1_new_func *)sname##_new, \
+                (ASN1_free_func *)sname##_free, \
+                (ASN1_d2i_func *)d2i_##sname, \
+                (ASN1_i2d_func *)i2d_##sname, \
+        }; \
+        ASN1_ITEM_start(sname) \
+                ASN1_ITYPE_COMPAT, \
+                tag, \
+                NULL, \
+                0, \
+                &sname##_ff, \
+                0, \
+                #sname \
+        ASN1_ITEM_end(sname)
+
+#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \
+        ASN1_ITEM_start(sname) \
+                ASN1_ITYPE_EXTERN, \
+                tag, \
+                NULL, \
+                0, \
+                &fptrs, \
+                0, \
+                #sname \
+        ASN1_ITEM_end(sname)
+
+/* Macro to implement standard functions in terms of ASN1_ITEM structures */
+
+#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
+                        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \
+        stname *fname##_new(void) \
+        { \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        } \
+        void fname##_free(stname *a) \
+        { \
+                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
+        }
+
+#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
+
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        stname *d2i_##fname(stname **a, unsigned char **in, long len) \
+        { \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        } \
+        int i2d_##fname(stname *a, unsigned char **out) \
+        { \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        } 
+
+/* This includes evil casts to remove const: they will go away when full
+ * ASN1 constification is done.
+ */
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
+        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        { \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, (unsigned char **)in, len, ASN1_ITEM_rptr(itname));\
+        } \
+        int i2d_##fname(const stname *a, unsigned char **out) \
+        { \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        } 
+
+#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \
+        stname * stname##_dup(stname *x) \
+        { \
+        return ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \
+        }
+
+#define IMPLEMENT_ASN1_FUNCTIONS_const(name) \
+                IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
+
+/* external definitions for primitive types */
+
+DECLARE_ASN1_ITEM(ASN1_BOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_TBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_ANY)
+DECLARE_ASN1_ITEM(ASN1_SEQUENCE)
+DECLARE_ASN1_ITEM(CBIGNUM)
+DECLARE_ASN1_ITEM(BIGNUM)
+DECLARE_ASN1_ITEM(LONG)
+DECLARE_ASN1_ITEM(ZLONG)
+
+DECLARE_STACK_OF(ASN1_VALUE)
+
+/* Functions used internally by the ASN1 code */
+
+int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt);
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt);
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);
+
+ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr);
+
+int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it);
+
+void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);
+void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
new file mode 100644
index 0000000000..be20db4bad
--- /dev/null
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -0,0 +1,95 @@
+/* asn_moid.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+
+/* Simple ASN1 OID module: add all objects in a given section */
+
+static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
+        {
+        int i;
+        const char *oid_section;
+        STACK_OF(CONF_VALUE) *sktmp;
+        CONF_VALUE *oval;
+        oid_section = CONF_imodule_get_value(md);
+        if(!(sktmp = NCONF_get_section(cnf, oid_section)))
+                {
+                ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
+                return 0;
+                }
+        for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
+                {
+                oval = sk_CONF_VALUE_value(sktmp, i);
+                if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef)
+                        {
+                        ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT);
+                        return 0;
+                        }
+                }
+        return 1;
+}
+
+void ASN1_add_oid_module(void)
+        {
+        CONF_module_add("oid_section", oid_module_init, 0);
+        }
diff --git a/src/lib/libcrypto/asn1/asn_pack.c b/src/lib/libcrypto/asn1/asn_pack.c
new file mode 100644
index 0000000000..662a2626a1
--- /dev/null
+++ b/src/lib/libcrypto/asn1/asn_pack.c
@@ -0,0 +1,145 @@
+/* asn_pack.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* ASN1 packing and unpacking functions */
+
+/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
+
+STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
+             void (*free_func)())
+{
+    STACK *sk;
+    unsigned char *pbuf;
+    pbuf =  buf;
+    if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
+                                        V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL)))
+                 ASN1err(ASN1_F_ASN1_SEQ_UNPACK,ASN1_R_DECODE_ERROR);
+    return sk;
+}
+
+/* Turn a STACK structures into an ASN1 encoded SEQUENCE OF structure in a
+ * Malloc'ed buffer
+ */
+
+unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
+             int *len)
+{
+        int safelen;
+        unsigned char *safe, *p;
+        if (!(safelen = i2d_ASN1_SET(safes, NULL, i2d, V_ASN1_SEQUENCE,
+                                              V_ASN1_UNIVERSAL, IS_SEQUENCE))) {
+                ASN1err(ASN1_F_ASN1_SEQ_PACK,ASN1_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!(safe = Malloc (safelen))) {
+                ASN1err(ASN1_F_ASN1_SEQ_PACK,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p = safe;
+        i2d_ASN1_SET(safes, &p, i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
+                                                                 IS_SEQUENCE);
+        if (len) *len = safelen;
+        if (buf) *buf = safe;
+        return safe;
+}
+
+/* Extract an ASN1 object from an ASN1_STRING */
+
+void *ASN1_unpack_string (ASN1_STRING *oct, char *(*d2i)())
+{
+        unsigned char *p;
+        char *ret;
+
+        p = oct->data;
+        if(!(ret = d2i(NULL, &p, oct->length)))
+                ASN1err(ASN1_F_ASN1_UNPACK_STRING,ASN1_R_DECODE_ERROR);
+        return ret;
+}
+
+/* Pack an ASN1 object into an ASN1_STRING */
+
+ASN1_STRING *ASN1_pack_string (void *obj, int (*i2d)(), ASN1_STRING **oct)
+{
+        unsigned char *p;
+        ASN1_STRING *octmp;
+
+        if (!oct || !*oct) {
+                if (!(octmp = ASN1_STRING_new ())) {
+                        ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                if (oct) *oct = octmp;
+        } else octmp = *oct;
+                
+        if (!(octmp->length = i2d(obj, NULL))) {
+                ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!(p = Malloc (octmp->length))) {
+                ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        octmp->data = p;
+        i2d (obj, &p);
+        return octmp;
+}
+
diff --git a/src/lib/libcrypto/asn1/charmap.h b/src/lib/libcrypto/asn1/charmap.h
new file mode 100644
index 0000000000..bd020a9562
--- /dev/null
+++ b/src/lib/libcrypto/asn1/charmap.h
@@ -0,0 +1,15 @@
+/* Auto generated with chartype.pl script.
+ * Mask of various character properties
+ */
+
+static unsigned char char_type[] = {
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+120, 0, 1,40, 0, 0, 0,16,16,16, 0,25,25,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 9, 9,16, 9,16,
+ 0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 0, 1, 0, 0, 0,
+ 0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 0, 0, 0, 0, 2
+};
+
diff --git a/src/lib/libcrypto/asn1/charmap.pl b/src/lib/libcrypto/asn1/charmap.pl
new file mode 100644
index 0000000000..2875c59867
--- /dev/null
+++ b/src/lib/libcrypto/asn1/charmap.pl
@@ -0,0 +1,80 @@
+#!/usr/local/bin/perl -w
+
+use strict;
+
+my ($i, @arr);
+
+# Set up an array with the type of ASCII characters
+# Each set bit represents a character property.
+
+# RFC2253 character properties
+my $RFC2253_ESC = 1;    # Character escaped with \
+my $ESC_CTRL    = 2;    # Escaped control character
+# These are used with RFC1779 quoting using "
+my $NOESC_QUOTE = 8;    # Not escaped if quoted
+my $PSTRING_CHAR = 0x10;        # Valid PrintableString character
+my $RFC2253_FIRST_ESC = 0x20; # Escaped with \ if first character
+my $RFC2253_LAST_ESC = 0x40;  # Escaped with \ if last character
+
+for($i = 0; $i < 128; $i++) {
+        # Set the RFC2253 escape characters (control)
+        $arr[$i] = 0;
+        if(($i < 32) || ($i > 126)) {
+                $arr[$i] |= $ESC_CTRL;
+        }
+
+        # Some PrintableString characters
+        if(                ( ( $i >= ord("a")) && ( $i <= ord("z")) )
+                        || (  ( $i >= ord("A")) && ( $i <= ord("Z")) )
+                        || (  ( $i >= ord("0")) && ( $i <= ord("9")) )  ) {
+                $arr[$i] |= $PSTRING_CHAR;
+        }
+}
+
+# Now setup the rest
+
+# Remaining RFC2253 escaped characters
+
+$arr[ord(" ")] |= $NOESC_QUOTE | $RFC2253_FIRST_ESC | $RFC2253_LAST_ESC;
+$arr[ord("#")] |= $NOESC_QUOTE | $RFC2253_FIRST_ESC;
+
+$arr[ord(",")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord("+")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord("\"")] |= $RFC2253_ESC;
+$arr[ord("\\")] |= $RFC2253_ESC;
+$arr[ord("<")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord(">")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord(";")] |= $NOESC_QUOTE | $RFC2253_ESC;
+
+# Remaining PrintableString characters
+
+$arr[ord(" ")] |= $PSTRING_CHAR;
+$arr[ord("'")] |= $PSTRING_CHAR;
+$arr[ord("(")] |= $PSTRING_CHAR;
+$arr[ord(")")] |= $PSTRING_CHAR;
+$arr[ord("+")] |= $PSTRING_CHAR;
+$arr[ord(",")] |= $PSTRING_CHAR;
+$arr[ord("-")] |= $PSTRING_CHAR;
+$arr[ord(".")] |= $PSTRING_CHAR;
+$arr[ord("/")] |= $PSTRING_CHAR;
+$arr[ord(":")] |= $PSTRING_CHAR;
+$arr[ord("=")] |= $PSTRING_CHAR;
+$arr[ord("?")] |= $PSTRING_CHAR;
+
+# Now generate the C code
+
+print <<EOF;
+/* Auto generated with chartype.pl script.
+ * Mask of various character properties
+ */
+
+static unsigned char char_type[] = {
+EOF
+
+for($i = 0; $i < 128; $i++) {
+        print("\n") if($i && (($i % 16) == 0));
+        printf("%2d", $arr[$i]);
+        print(",") if ($i != 127);
+}
+print("\n};\n\n");
+
diff --git a/src/lib/libcrypto/asn1/f_enum.c b/src/lib/libcrypto/asn1/f_enum.c
new file mode 100644
index 0000000000..3bcceecdb8
--- /dev/null
+++ b/src/lib/libcrypto/asn1/f_enum.c
@@ -0,0 +1,207 @@
+/* crypto/asn1/f_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+/* Based on a_int.c: equivalent ENUMERATED functions */
+
+int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+        {
+        int i,n=0;
+        static const char *h="0123456789ABCDEF";
+        char buf[2];
+
+        if (a == NULL) return(0);
+
+        if (a->length == 0)
+                {
+                if (BIO_write(bp,"00",2) != 2) goto err;
+                n=2;
+                }
+        else
+                {
+                for (i=0; i<a->length; i++)
+                        {
+                        if ((i != 0) && (i%35 == 0))
+                                {
+                                if (BIO_write(bp,"\\\n",2) != 2) goto err;
+                                n+=2;
+                                }
+                        buf[0]=h[((unsigned char)a->data[i]>>4)&0x0f];
+                        buf[1]=h[((unsigned char)a->data[i]   )&0x0f];
+                        if (BIO_write(bp,buf,2) != 2) goto err;
+                        n+=2;
+                        }
+                }
+        return(n);
+err:
+        return(-1);
+        }
+
+int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
+        {
+        int ret=0;
+        int i,j,k,m,n,again,bufsize;
+        unsigned char *s=NULL,*sp;
+        unsigned char *bufp;
+        int num=0,slen=0,first=1;
+
+        bs->type=V_ASN1_ENUMERATED;
+
+        bufsize=BIO_gets(bp,buf,size);
+        for (;;)
+                {
+                if (bufsize < 1) goto err_sl;
+                i=bufsize;
+                if (buf[i-1] == '\n') buf[--i]='\0';
+                if (i == 0) goto err_sl;
+                if (buf[i-1] == '\r') buf[--i]='\0';
+                if (i == 0) goto err_sl;
+                again=(buf[i-1] == '\\');
+
+                for (j=0; j<i; j++)
+                        {
+                        if (!(  ((buf[j] >= '0') && (buf[j] <= '9')) ||
+                                ((buf[j] >= 'a') && (buf[j] <= 'f')) ||
+                                ((buf[j] >= 'A') && (buf[j] <= 'F'))))
+                                {
+                                i=j;
+                                break;
+                                }
+                        }
+                buf[i]='\0';
+                /* We have now cleared all the crap off the end of the
+                 * line */
+                if (i < 2) goto err_sl;
+
+                bufp=(unsigned char *)buf;
+                if (first)
+                        {
+                        first=0;
+                        if ((bufp[0] == '0') && (buf[1] == '0'))
+                                {
+                                bufp+=2;
+                                i-=2;
+                                }
+                        }
+                k=0;
+                i-=again;
+                if (i%2 != 0)
+                        {
+                        ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_ODD_NUMBER_OF_CHARS);
+                        goto err;
+                        }
+                i/=2;
+                if (num+i > slen)
+                        {
+                        if (s == NULL)
+                                sp=(unsigned char *)Malloc(
+                                        (unsigned int)num+i*2);
+                        else
+                                sp=(unsigned char *)Realloc(s,
+                                        (unsigned int)num+i*2);
+                        if (sp == NULL)
+                                {
+                                ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
+                                if (s != NULL) Free((char *)s);
+                                goto err;
+                                }
+                        s=sp;
+                        slen=num+i*2;
+                        }
+                for (j=0; j<i; j++,k+=2)
+                        {
+                        for (n=0; n<2; n++)
+                                {
+                                m=bufp[k+n];
+                                if ((m >= '0') && (m <= '9'))
+                                        m-='0';
+                                else if ((m >= 'a') && (m <= 'f'))
+                                        m=m-'a'+10;
+                                else if ((m >= 'A') && (m <= 'F'))
+                                        m=m-'A'+10;
+                                else
+                                        {
+                                        ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_NON_HEX_CHARACTERS);
+                                        goto err;
+                                        }
+                                s[num+j]<<=4;
+                                s[num+j]|=m;
+                                }
+                        }
+                num+=i;
+                if (again)
+                        bufsize=BIO_gets(bp,buf,size);
+                else
+                        break;
+                }
+        bs->length=num;
+        bs->data=s;
+        ret=1;
+err:
+        if (0)
+                {
+err_sl:
+                ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_SHORT_LINE);
+                }
+        return(ret);
+        }
+
diff --git a/src/lib/libcrypto/asn1/nsseq.c b/src/lib/libcrypto/asn1/nsseq.c
new file mode 100644
index 0000000000..417d024b81
--- /dev/null
+++ b/src/lib/libcrypto/asn1/nsseq.c
@@ -0,0 +1,118 @@
+/* nsseq.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+
+/* Netscape certificate sequence structure */
+
+int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp)
+{
+        int v = 0;
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->type, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
+                                             V_ASN1_SEQUENCE,v);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->type, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
+                                             V_ASN1_SEQUENCE,v);
+
+        M_ASN1_I2D_finish();
+}
+
+NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void)
+{
+        NETSCAPE_CERT_SEQUENCE *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, NETSCAPE_CERT_SEQUENCE);
+        /* Note hardcoded object type */
+        ret->type = OBJ_nid2obj(NID_netscape_cert_sequence);
+        ret->certs = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW);
+}
+
+NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,NETSCAPE_CERT_SEQUENCE *,
+                                        NETSCAPE_CERT_SEQUENCE_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->type, d2i_ASN1_OBJECT);
+        M_ASN1_D2I_get_EXP_set_opt_type(X509,ret->certs,d2i_X509,X509_free,0,
+                                        V_ASN1_SEQUENCE);
+        M_ASN1_D2I_Finish(a, NETSCAPE_CERT_SEQUENCE_free,
+                          ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE);
+}
+
+void NETSCAPE_CERT_SEQUENCE_free (NETSCAPE_CERT_SEQUENCE *a)
+{
+        if (a == NULL) return;
+        ASN1_OBJECT_free(a->type);
+        if(a->certs)
+            sk_X509_pop_free(a->certs, X509_free);
+        Free (a);
+}
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
new file mode 100644
index 0000000000..b831836e7b
--- /dev/null
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -0,0 +1,156 @@
+/* p5_pbe.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* PKCS#5 password based encryption structure */
+
+int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->salt, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->salt, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_finish();
+}
+
+PBEPARAM *PBEPARAM_new(void)
+{
+        PBEPARAM *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PBEPARAM);
+        M_ASN1_New(ret->iter,ASN1_INTEGER_new);
+        M_ASN1_New(ret->salt,ASN1_OCTET_STRING_new);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PBEPARAM_NEW);
+}
+
+PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PBEPARAM *,PBEPARAM_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->salt, d2i_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_Finish(a, PBEPARAM_free, ASN1_F_D2I_PBEPARAM);
+}
+
+void PBEPARAM_free (PBEPARAM *a)
+{
+        if(a==NULL) return;
+        ASN1_OCTET_STRING_free(a->salt);
+        ASN1_INTEGER_free (a->iter);
+        Free ((char *)a);
+}
+
+/* Return an algorithm identifier for a PKCS#5 PBE algorithm */
+
+X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
+             int saltlen)
+{
+        PBEPARAM *pbe;
+        ASN1_OBJECT *al;
+        X509_ALGOR *algor;
+        ASN1_TYPE *astype;
+
+        if (!(pbe = PBEPARAM_new ())) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
+        ASN1_INTEGER_set (pbe->iter, iter);
+        if (!saltlen) saltlen = PKCS5_SALT_LEN;
+        if (!(pbe->salt->data = Malloc (saltlen))) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        pbe->salt->length = saltlen;
+        if (salt) memcpy (pbe->salt->data, salt, saltlen);
+        else RAND_bytes (pbe->salt->data, saltlen);
+
+        if (!(astype = ASN1_TYPE_new())) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        astype->type = V_ASN1_SEQUENCE;
+        if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        PBEPARAM_free (pbe);
+        
+        al = OBJ_nid2obj(alg); /* never need to free al */
+        if (!(algor = X509_ALGOR_new())) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_OBJECT_free(algor->algorithm);
+        algor->algorithm = al;
+        algor->parameter = astype;
+
+        return (algor);
+}
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
new file mode 100644
index 0000000000..09f4bf6112
--- /dev/null
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -0,0 +1,274 @@
+/* p5_pbev2.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* PKCS#5 v2.0 password based encryption structures */
+
+int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->keyfunc, i2d_X509_ALGOR);
+        M_ASN1_I2D_len (a->encryption, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->keyfunc, i2d_X509_ALGOR);
+        M_ASN1_I2D_put (a->encryption, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_finish();
+}
+
+PBE2PARAM *PBE2PARAM_new(void)
+{
+        PBE2PARAM *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PBE2PARAM);
+        M_ASN1_New(ret->keyfunc,X509_ALGOR_new);
+        M_ASN1_New(ret->encryption,X509_ALGOR_new);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PBE2PARAM_NEW);
+}
+
+PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PBE2PARAM *,PBE2PARAM_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->keyfunc, d2i_X509_ALGOR);
+        M_ASN1_D2I_get (ret->encryption, d2i_X509_ALGOR);
+        M_ASN1_D2I_Finish(a, PBE2PARAM_free, ASN1_F_D2I_PBE2PARAM);
+}
+
+void PBE2PARAM_free (PBE2PARAM *a)
+{
+        if(a==NULL) return;
+        X509_ALGOR_free(a->keyfunc);
+        X509_ALGOR_free(a->encryption);
+        Free ((char *)a);
+}
+
+int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->salt, i2d_ASN1_TYPE);
+        M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->keylength, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->prf, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->salt, i2d_ASN1_TYPE);
+        M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->keylength, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->prf, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_finish();
+}
+
+PBKDF2PARAM *PBKDF2PARAM_new(void)
+{
+        PBKDF2PARAM *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PBKDF2PARAM);
+        M_ASN1_New(ret->salt, ASN1_TYPE_new);
+        M_ASN1_New(ret->iter, ASN1_INTEGER_new);
+        ret->keylength = NULL;
+        ret->prf = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PBKDF2PARAM_NEW);
+}
+
+PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp,
+             long length)
+{
+        M_ASN1_D2I_vars(a,PBKDF2PARAM *,PBKDF2PARAM_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->salt, d2i_ASN1_TYPE);
+        M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get_opt (ret->keylength, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+        M_ASN1_D2I_get_opt (ret->prf, d2i_X509_ALGOR, V_ASN1_SEQUENCE);
+        M_ASN1_D2I_Finish(a, PBKDF2PARAM_free, ASN1_F_D2I_PBKDF2PARAM);
+}
+
+void PBKDF2PARAM_free (PBKDF2PARAM *a)
+{
+        if(a==NULL) return;
+        ASN1_TYPE_free(a->salt);
+        ASN1_INTEGER_free(a->iter);
+        ASN1_INTEGER_free(a->keylength);
+        X509_ALGOR_free(a->prf);
+        Free ((char *)a);
+}
+
+/* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm:
+ * yes I know this is horrible!
+ */
+
+X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
+                                 unsigned char *salt, int saltlen)
+{
+        X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
+        int alg_nid;
+        EVP_CIPHER_CTX ctx;
+        unsigned char iv[EVP_MAX_IV_LENGTH];
+        PBKDF2PARAM *kdf = NULL;
+        PBE2PARAM *pbe2 = NULL;
+        ASN1_OCTET_STRING *osalt = NULL;
+
+        if(!(pbe2 = PBE2PARAM_new())) goto merr;
+
+        /* Setup the AlgorithmIdentifier for the encryption scheme */
+        scheme = pbe2->encryption;
+
+        alg_nid = EVP_CIPHER_type(cipher);
+
+        scheme->algorithm = OBJ_nid2obj(alg_nid);
+        if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
+
+        /* Create random IV */
+        RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
+
+        /* Dummy cipherinit to just setup the IV */
+        EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
+        if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
+                ASN1err(ASN1_F_PKCS5_PBE2_SET,
+                                        ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+                goto err;
+        }
+        EVP_CIPHER_CTX_cleanup(&ctx);
+
+        if(!(kdf = PBKDF2PARAM_new())) goto merr;
+        if(!(osalt = ASN1_OCTET_STRING_new())) goto merr;
+
+        if (!saltlen) saltlen = PKCS5_SALT_LEN;
+        if (!(osalt->data = Malloc (saltlen))) goto merr;
+        osalt->length = saltlen;
+        if (salt) memcpy (osalt->data, salt, saltlen);
+        else RAND_bytes (osalt->data, saltlen);
+
+        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
+        if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
+
+        /* Now include salt in kdf structure */
+        kdf->salt->value.octet_string = osalt;
+        kdf->salt->type = V_ASN1_OCTET_STRING;
+        osalt = NULL;
+
+        /* If its RC2 then we'd better setup the key length */
+
+        if(alg_nid == NID_rc2_cbc) {
+                if(!(kdf->keylength = ASN1_INTEGER_new())) goto merr;
+                if(!ASN1_INTEGER_set (kdf->keylength,
+                                 EVP_CIPHER_key_length(cipher))) goto merr;
+        }
+
+        /* prf can stay NULL because we are using hmacWithSHA1 */
+
+        /* Now setup the PBE2PARAM keyfunc structure */
+
+        pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+
+        /* Encode PBKDF2PARAM into parameter of pbe2 */
+
+        if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
+
+        if(!ASN1_pack_string(kdf, i2d_PBKDF2PARAM,
+                         &pbe2->keyfunc->parameter->value.sequence)) goto merr;
+        pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
+
+        PBKDF2PARAM_free(kdf);
+        kdf = NULL;
+
+        /* Now set up top level AlgorithmIdentifier */
+
+        if(!(ret = X509_ALGOR_new())) goto merr;
+        if(!(ret->parameter = ASN1_TYPE_new())) goto merr;
+
+        ret->algorithm = OBJ_nid2obj(NID_pbes2);
+
+        /* Encode PBE2PARAM into parameter */
+
+        if(!ASN1_pack_string(pbe2, i2d_PBE2PARAM,
+                                 &ret->parameter->value.sequence)) goto merr;
+        ret->parameter->type = V_ASN1_SEQUENCE;
+
+        PBE2PARAM_free(pbe2);
+        pbe2 = NULL;
+
+        return ret;
+
+        merr:
+        ASN1err(ASN1_F_PKCS5_PBE2_SET,ERR_R_MALLOC_FAILURE);
+
+        err:
+        PBE2PARAM_free(pbe2);
+        /* Note 'scheme' is freed as part of pbe2 */
+        ASN1_OCTET_STRING_free(osalt);
+        PBKDF2PARAM_free(kdf);
+        X509_ALGOR_free(kalg);
+        X509_ALGOR_free(ret);
+
+        return NULL;
+
+}
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
new file mode 100644
index 0000000000..aa9a4f6c96
--- /dev/null
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -0,0 +1,129 @@
+/* p8_pkey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS8_PRIV_KEY_INFO (PKCS8_PRIV_KEY_INFO *a, unsigned char **pp)
+{
+
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->pkeyalg, i2d_X509_ALGOR);
+        M_ASN1_I2D_len (a->pkey, i2d_ASN1_TYPE);
+        M_ASN1_I2D_len_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
+                                         i2d_X509_ATTRIBUTE, 0);
+        
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->pkeyalg, i2d_X509_ALGOR);
+        M_ASN1_I2D_put (a->pkey, i2d_ASN1_TYPE);
+        M_ASN1_I2D_put_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
+                                         i2d_X509_ATTRIBUTE, 0);
+
+        M_ASN1_I2D_finish();
+}
+
+PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void)
+{
+        PKCS8_PRIV_KEY_INFO *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PKCS8_PRIV_KEY_INFO);
+        M_ASN1_New (ret->version, ASN1_INTEGER_new);
+        M_ASN1_New (ret->pkeyalg, X509_ALGOR_new);
+        M_ASN1_New (ret->pkey, ASN1_TYPE_new);
+        ret->attributes = NULL;
+        ret->broken = PKCS8_OK;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PKCS8_PRIV_KEY_INFO_NEW);
+}
+
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PKCS8_PRIV_KEY_INFO *,PKCS8_PRIV_KEY_INFO_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get (ret->pkeyalg, d2i_X509_ALGOR);
+        M_ASN1_D2I_get (ret->pkey, d2i_ASN1_TYPE);
+        M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE, ret->attributes,
+                                        d2i_X509_ATTRIBUTE,
+                                        X509_ATTRIBUTE_free, 0);
+        if (ASN1_TYPE_get(ret->pkey) == V_ASN1_SEQUENCE) 
+                                                ret->broken = PKCS8_NO_OCTET;
+        M_ASN1_D2I_Finish(a, PKCS8_PRIV_KEY_INFO_free, ASN1_F_D2I_PKCS8_PRIV_KEY_INFO);
+}
+
+void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free (a->version);
+        X509_ALGOR_free(a->pkeyalg);
+        /* Clear sensitive data */
+        if (a->pkey->value.octet_string)
+                memset (a->pkey->value.octet_string->data,
+                                 0, a->pkey->value.octet_string->length);
+        ASN1_TYPE_free (a->pkey);
+        sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
+        Free (a);
+}
diff --git a/src/lib/libcrypto/asn1/t_bitst.c b/src/lib/libcrypto/asn1/t_bitst.c
new file mode 100644
index 0000000000..8ee789f082
--- /dev/null
+++ b/src/lib/libcrypto/asn1/t_bitst.c
@@ -0,0 +1,99 @@
+/* t_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+                                BIT_STRING_BITNAME *tbl, int indent)
+{
+        BIT_STRING_BITNAME *bnam;
+        char first = 1;
+        BIO_printf(out, "%*s", indent, "");
+        for(bnam = tbl; bnam->lname; bnam++) {
+                if(ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
+                        if(!first) BIO_puts(out, ", ");
+                        BIO_puts(out, bnam->lname);
+                        first = 0;
+                }
+        }
+        BIO_puts(out, "\n");
+        return 1;
+}
+
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+                                BIT_STRING_BITNAME *tbl)
+{
+        int bitnum;
+        bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
+        if(bitnum < 0) return 0;
+        if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+        return 1;
+}
+
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
+{
+        BIT_STRING_BITNAME *bnam;
+        for(bnam = tbl; bnam->lname; bnam++) {
+                if(!strcmp(bnam->sname, name) ||
+                        !strcmp(bnam->lname, name) ) return bnam->bitnum;
+        }
+        return -1;
+}
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
new file mode 100644
index 0000000000..c2e447ce6f
--- /dev/null
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -0,0 +1,166 @@
+/* t_crl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static void ext_print(BIO *out, X509_EXTENSION *ex);
+#ifndef NO_FP_API
+int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+                }
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=X509_CRL_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int X509_CRL_print(BIO *out, X509_CRL *x)
+{
+        char buf[256];
+        unsigned char *s;
+        STACK_OF(X509_REVOKED) *rev;
+        X509_REVOKED *r;
+        long l;
+        int i, j, n;
+
+        BIO_printf(out, "Certificate Revocation List (CRL):\n");
+        l = X509_CRL_get_version(x);
+        BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l);
+        i = OBJ_obj2nid(x->sig_alg->algorithm);
+        BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
+                                 (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
+        X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
+        BIO_printf(out,"%8sIssuer: %s\n","",buf);
+        BIO_printf(out,"%8sLast Update: ","");
+        ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
+        BIO_printf(out,"\n%8sNext Update: ","");
+        if (X509_CRL_get_nextUpdate(x))
+                 ASN1_TIME_print(out,X509_CRL_get_nextUpdate(x));
+        else BIO_printf(out,"NONE");
+        BIO_printf(out,"\n");
+
+        n=X509_CRL_get_ext_count(x);
+        if (n > 0) {
+                BIO_printf(out,"%8sCRL extensions:\n","");
+                for (i=0; i<n; i++) ext_print(out, X509_CRL_get_ext(x, i));
+        }
+
+
+        rev = X509_CRL_get_REVOKED(x);
+
+        if(sk_X509_REVOKED_num(rev))
+            BIO_printf(out, "Revoked Certificates:\n");
+        else BIO_printf(out, "No Revoked Certificates.\n");
+
+        for(i = 0; i < sk_X509_REVOKED_num(rev); i++) {
+                r = sk_X509_REVOKED_value(rev, i);
+                BIO_printf(out,"    Serial Number: ");
+                i2a_ASN1_INTEGER(out,r->serialNumber);
+                BIO_printf(out,"\n        Revocation Date: ","");
+                ASN1_TIME_print(out,r->revocationDate);
+                BIO_printf(out,"\n");
+                for(j = 0; j < X509_REVOKED_get_ext_count(r); j++)
+                                ext_print(out, X509_REVOKED_get_ext(r, j));
+        }
+
+        i=OBJ_obj2nid(x->sig_alg->algorithm);
+        BIO_printf(out,"    Signature Algorithm: %s",
+                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+
+        s = x->signature->data;
+        n = x->signature->length;
+        for (i=0; i<n; i++, s++)
+        {
+                if ((i%18) == 0) BIO_write(out,"\n        ",9);
+                BIO_printf(out,"%02x%s",*s, ((i+1) == n)?"":":");
+        }
+        BIO_write(out,"\n",1);
+
+        return 1;
+
+}
+
+static void ext_print(BIO *out, X509_EXTENSION *ex)
+{
+        ASN1_OBJECT *obj;
+        int j;
+        BIO_printf(out,"%12s","");
+        obj=X509_EXTENSION_get_object(ex);
+        i2a_ASN1_OBJECT(out,obj);
+        j=X509_EXTENSION_get_critical(ex);
+        BIO_printf(out, ": %s\n", j ? "critical":"","");
+        if(!X509V3_EXT_print(out, ex, 0, 16)) {
+                BIO_printf(out, "%16s", "");
+                ASN1_OCTET_STRING_print(out,ex->value);
+        }
+        BIO_write(out,"\n",1);
+}
diff --git a/src/lib/libcrypto/asn1/t_spki.c b/src/lib/libcrypto/asn1/t_spki.c
new file mode 100644
index 0000000000..d708434fca
--- /dev/null
+++ b/src/lib/libcrypto/asn1/t_spki.c
@@ -0,0 +1,116 @@
+/* t_spki.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+/* Print out an SPKI */
+
+int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
+{
+        EVP_PKEY *pkey;
+        ASN1_IA5STRING *chal;
+        int i, n;
+        char *s;
+        BIO_printf(out, "Netscape SPKI:\n");
+        i=OBJ_obj2nid(spki->spkac->pubkey->algor->algorithm);
+        BIO_printf(out,"  Public Key Algorithm: %s\n",
+                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+        pkey = X509_PUBKEY_get(spki->spkac->pubkey);
+        if(!pkey) BIO_printf(out, "  Unable to load public key\n");
+        else {
+#ifndef NO_RSA
+                if (pkey->type == EVP_PKEY_RSA)
+                        {
+                        BIO_printf(out,"  RSA Public Key: (%d bit)\n",
+                                BN_num_bits(pkey->pkey.rsa->n));
+                        RSA_print(out,pkey->pkey.rsa,2);
+                        }
+                else 
+#endif
+#ifndef NO_DSA
+                if (pkey->type == EVP_PKEY_DSA)
+                {
+                BIO_printf(out,"  DSA Public Key:\n");
+                DSA_print(out,pkey->pkey.dsa,2);
+                }
+                else
+#endif
+                        BIO_printf(out,"  Unknown Public Key:\n");
+                EVP_PKEY_free(pkey);
+        }
+        chal = spki->spkac->challenge;
+        if(chal->length)
+                BIO_printf(out, "  Challenge String: %s\n", chal->data);
+        i=OBJ_obj2nid(spki->sig_algor->algorithm);
+        BIO_printf(out,"  Signature Algorithm: %s",
+                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+
+        n=spki->signature->length;
+        s=(char *)spki->signature->data;
+        for (i=0; i<n; i++)
+                {
+                if ((i%18) == 0) BIO_write(out,"\n      ",7);
+                BIO_printf(out,"%02x%s",(unsigned char)s[i],
+                                                ((i+1) == n)?"":":");
+                }
+        BIO_write(out,"\n",1);
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c
new file mode 100644
index 0000000000..a18ebb586c
--- /dev/null
+++ b/src/lib/libcrypto/asn1/t_x509a.c
@@ -0,0 +1,102 @@
+/* t_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX and string set routines
+ */
+
+int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+{
+        char oidstr[80], first;
+        int i;
+        if(!aux) return 1;
+        if(aux->trust) {
+                first = 1;
+                BIO_printf(out, "%*sTrusted Uses:\n%*s",
+                                                indent, "", indent + 2, "");
+                for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {
+                        if(!first) BIO_puts(out, ", ");
+                        else first = 0;
+                        OBJ_obj2txt(oidstr, 80,
+                                sk_ASN1_OBJECT_value(aux->trust, i), 0);
+                        BIO_puts(out, oidstr);
+                }
+                BIO_puts(out, "\n");
+        } else BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
+        if(aux->reject) {
+                first = 1;
+                BIO_printf(out, "%*sRejected Uses:\n%*s",
+                                                indent, "", indent + 2, "");
+                for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {
+                        if(!first) BIO_puts(out, ", ");
+                        else first = 0;
+                        OBJ_obj2txt(oidstr, 80,
+                                sk_ASN1_OBJECT_value(aux->reject, i), 0);
+                        BIO_puts(out, oidstr);
+                }
+                BIO_puts(out, "\n");
+        } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+        if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "",
+                                                        aux->alias->data);
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
new file mode 100644
index 0000000000..0fc1f421e2
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -0,0 +1,958 @@
+/* tasn_dec.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+static int asn1_check_eoc(unsigned char **in, long len);
+static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass);
+static int collect_data(BUF_MEM *buf, unsigned char **p, long plen);
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
+                        unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx);
+static int asn1_template_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
+static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long len,
+                                        const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+/* Table to convert tags to bit values, used for MSTRING type */
+static unsigned long tag2bit[32]={
+0,      0,      0,      B_ASN1_BIT_STRING,      /* tags  0 -  3 */
+B_ASN1_OCTET_STRING,    0,      0,              B_ASN1_UNKNOWN,/* tags  4- 7 */
+B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags  8-11 */
+B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
+0,      0,      B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,   /* tags 16-19 */
+B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,       /* tags 20-22 */
+B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,                        /* tags 23-24 */ 
+B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,  /* tags 25-27 */
+B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */
+        };
+
+unsigned long ASN1_tag2bit(int tag)
+{
+        if((tag < 0) || (tag > 30)) return 0;
+        return tag2bit[tag];
+}
+
+/* Macro to initialize and invalidate the cache */
+
+#define asn1_tlc_clear(c)       if(c) (c)->valid = 0
+
+/* Decode an ASN1 item, this currently behaves just 
+ * like a standard 'd2i' function. 'in' points to 
+ * a buffer to read the data from, in future we will
+ * have more advanced versions that can input data
+ * a piece at a time and this will simply be a special
+ * case.
+ */
+
+ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it)
+{
+        ASN1_TLC c;
+        ASN1_VALUE *ptmpval = NULL;
+        if(!pval) pval = &ptmpval;
+        asn1_tlc_clear(&c);
+        if(ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+                return *pval;
+        return NULL;
+}
+
+int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt)
+{
+        ASN1_TLC c;
+        asn1_tlc_clear(&c);
+        return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
+}
+
+
+/* Decode an item, taking care of IMPLICIT tagging, if any.
+ * If 'opt' set and tag mismatch return -1 to handle OPTIONAL
+ */
+
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        const ASN1_TEMPLATE *tt, *errtt = NULL;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        unsigned char *p, *q, imphack = 0, oclass;
+        char seq_eoc, seq_nolen, cst, isopt;
+        long tmplen;
+        int i;
+        int otag;
+        int ret = 0;
+        ASN1_VALUE *pchval, **pchptr, *ptmpval;
+        if(!pval) return 0;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) {
+                        /* tagging or OPTIONAL is currently illegal on an item template
+                         * because the flags can't get passed down. In practice this isn't
+                         * a problem: we include the relevant flags from the item template
+                         * in the template itself.
+                         */
+                        if ((tag != -1) || opt) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+                                goto err;
+                        }
+                        return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx);
+                }
+                return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                p = *in;
+                /* Just read in tag and class */
+                ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } 
+                /* Must be UNIVERSAL class */
+                if(oclass != V_ASN1_UNIVERSAL) {
+                        /* If OPTIONAL, assume this is OK */
+                        if(opt) return -1;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+                        goto err;
+                } 
+                /* Check tag matches bit map */
+                if(!(ASN1_tag2bit(otag) & it->utype)) {
+                        /* If OPTIONAL, assume this is OK */
+                        if(opt) return -1;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG);
+                        goto err;
+                } 
+                return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
+
+                case ASN1_ITYPE_EXTERN:
+                /* Use new style d2i */
+                ef = it->funcs;
+                return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
+
+                case ASN1_ITYPE_COMPAT:
+                /* we must resort to old style evil hackery */
+                cf = it->funcs;
+
+                /* If OPTIONAL see if it is there */
+                if(opt) {
+                        int exptag;
+                        p = *in;
+                        if(tag == -1) exptag = it->utype;
+                        else exptag = tag;
+                        /* Don't care about anything other than presence of expected tag */
+                        ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, &p, len, exptag, aclass, 1, ctx);
+                        if(!ret) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                        if(ret == -1) return -1;
+                }
+                /* This is the old style evil hack IMPLICIT handling:
+                 * since the underlying code is expecting a tag and
+                 * class other than the one present we change the
+                 * buffer temporarily then change it back afterwards.
+                 * This doesn't and never did work for tags > 30.
+                 *
+                 * Yes this is *horrible* but it is only needed for
+                 * old style d2i which will hopefully not be around
+                 * for much longer.
+                 * FIXME: should copy the buffer then modify it so
+                 * the input buffer can be const: we should *always*
+                 * copy because the old style d2i might modify the
+                 * buffer.
+                 */
+
+                if(tag != -1) {
+                        p = *in;
+                        imphack = *p;
+                        *p = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype);
+                }
+
+                ptmpval = cf->asn1_d2i(pval, in, len);
+
+                if(tag != -1) *p = imphack;
+
+                if(ptmpval) return 1;
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+                                goto auxerr;
+
+                /* Allocate structure */
+                if(!*pval) {
+                        if(!ASN1_item_ex_new(pval, it)) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                }
+                /* CHOICE type, try each possibility in turn */
+                pchval = NULL;
+                p = *in;
+                for(i = 0, tt=it->templates; i < it->tcount; i++, tt++) {
+                        pchptr = asn1_get_field_ptr(pval, tt);
+                        /* We mark field as OPTIONAL so its absence
+                         * can be recognised.
+                         */
+                        ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+                        /* If field not present, try the next one */
+                        if(ret == -1) continue;
+                        /* If positive return, read OK, break loop */
+                        if(ret > 0) break;
+                        /* Otherwise must be an ASN1 parsing error */
+                        errtt = tt;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                }
+                /* Did we fall off the end without reading anything? */
+                if(i == it->tcount) {
+                        /* If OPTIONAL, this is OK */
+                        if(opt) {
+                                /* Free and zero it */
+                                ASN1_item_ex_free(pval, it);
+                                return -1;
+                        }
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+                        goto err;
+                }
+                asn1_set_choice_selector(pval, i, it);
+                *in = p;
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+                                goto auxerr;
+                return 1;
+
+                case ASN1_ITYPE_SEQUENCE:
+                p = *in;
+                tmplen = len;
+
+                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+                if(tag == -1) {
+                        tag = V_ASN1_SEQUENCE;
+                        aclass = V_ASN1_UNIVERSAL;
+                }
+                /* Get SEQUENCE length and update len, p */
+                ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, &p, len, tag, aclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+                if(aux && (aux->flags & ASN1_AFLG_BROKEN)) {
+                        len = tmplen - (p - *in);
+                        seq_nolen = 1;
+                } else seq_nolen = seq_eoc;     /* If indefinite we don't do a length check */
+                if(!cst) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
+                        goto err;
+                }
+
+                if(!*pval) {
+                        if(!ASN1_item_ex_new(pval, it)) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+                                goto auxerr;
+
+                /* Get each field entry */
+                for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) goto err;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* Have we ran out of data? */
+                        if(!len) break;
+                        q = p;
+                        if(asn1_check_eoc(&p, len)) {
+                                if(!seq_eoc) {
+                                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC);
+                                        goto err;
+                                }
+                                len -= p - q;
+                                seq_eoc = 0;
+                                q = p;
+                                break;
+                        }
+                        /* This determines the OPTIONAL flag value. The field cannot
+                         * be omitted if it is the last of a SEQUENCE and there is
+                         * still data to be read. This isn't strictly necessary but
+                         * it increases efficiency in some cases.
+                         */
+                        if(i == (it->tcount - 1)) isopt = 0;
+                        else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
+                        /* attempt to read in field, allowing each to be OPTIONAL */
+                        ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
+                        if(!ret) {
+                                errtt = seqtt;
+                                goto err;
+                        } else if(ret == -1) {
+                                /* OPTIONAL component absent. Free and zero the field
+                                 */
+                                ASN1_template_free(pseqval, seqtt);
+                                continue;
+                        }
+                        /* Update length */
+                        len -= p - q;
+                }
+                /* Check for EOC if expecting one */
+                if(seq_eoc && !asn1_check_eoc(&p, len)) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC);
+                        goto err;
+                }
+                /* Check all data read */
+                if(!seq_nolen && len) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
+                        goto err;
+                }
+
+                /* If we get here we've got no more data in the SEQUENCE,
+                 * however we may not have read all fields so check all
+                 * remaining are OPTIONAL and clear any that are.
+                 */
+                for(; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) goto err;
+                        if(seqtt->flags & ASN1_TFLG_OPTIONAL) {
+                                ASN1_VALUE **pseqval;
+                                pseqval = asn1_get_field_ptr(pval, seqtt);
+                                ASN1_template_free(pseqval, seqtt);
+                        } else {
+                                errtt = seqtt;
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING);
+                                goto err;
+                        }
+                }
+                /* Save encoding */
+                if(!asn1_enc_save(pval, *in, p - *in, it)) goto auxerr;
+                *in = p;
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+                                goto auxerr;
+                return 1;
+
+                default:
+                return 0;
+        }
+        auxerr:
+        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+        err:
+        ASN1_item_ex_free(pval, it);
+        if(errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname);
+        else ERR_add_error_data(2, "Type=", it->sname);
+        return 0;
+}
+
+/* Templates are handled with two separate functions. One handles any EXPLICIT tag and the other handles the
+ * rest.
+ */
+
+static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+{
+        int flags, aclass;
+        int ret;
+        long len;
+        unsigned char *p, *q;
+        char exp_eoc;
+        if(!val) return 0;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+
+        p = *in;
+
+        /* Check if EXPLICIT tag expected */
+        if(flags & ASN1_TFLG_EXPTAG) {
+                char cst;
+                /* Need to work out amount of data available to the inner content and where it
+                 * starts: so read in EXPLICIT header to get the info.
+                 */
+                ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, &p, inlen, tt->tag, aclass, opt, ctx);
+                q = p;
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                } else if(ret == -1) return -1;
+                if(!cst) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
+                        return 0;
+                }
+                /* We've found the field so it can't be OPTIONAL now */
+                ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                /* We read the field in OK so update length */
+                len -= p - q;
+                if(exp_eoc) {
+                        /* If NDEF we must have an EOC here */
+                        if(!asn1_check_eoc(&p, len)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+                                goto err;
+                        }
+                } else {
+                        /* Otherwise we must hit the EXPLICIT tag end or its an error */
+                        if(len) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
+                                goto err;
+                        }
+                }
+        } else 
+                return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+
+        *in = p;
+        return 1;
+
+        err:
+        ASN1_template_free(val, tt);
+        *val = NULL;
+        return 0;
+}
+
+static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+{
+        int flags, aclass;
+        int ret;
+        unsigned char *p, *q;
+        if(!val) return 0;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+
+        p = *in;
+        q = p;
+
+        if(flags & ASN1_TFLG_SK_MASK) {
+                /* SET OF, SEQUENCE OF */
+                int sktag, skaclass;
+                char sk_eoc;
+                /* First work out expected inner tag value */
+                if(flags & ASN1_TFLG_IMPTAG) {
+                        sktag = tt->tag;
+                        skaclass = aclass;
+                } else {
+                        skaclass = V_ASN1_UNIVERSAL;
+                        if(flags & ASN1_TFLG_SET_OF) sktag = V_ASN1_SET;
+                        else sktag = V_ASN1_SEQUENCE;
+                }
+                /* Get the tag */
+                ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, &p, len, sktag, skaclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                } else if(ret == -1) return -1;
+                if(!*val) *val = (ASN1_VALUE *)sk_new_null();
+                else {
+                        /* We've got a valid STACK: free up any items present */
+                        STACK *sktmp = (STACK *)*val;
+                        ASN1_VALUE *vtmp;
+                        while(sk_num(sktmp) > 0) {
+                                vtmp = (ASN1_VALUE *)sk_pop(sktmp);
+                                ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
+                        }
+                }
+                                
+                if(!*val) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                /* Read as many items as we can */
+                while(len > 0) {
+                        ASN1_VALUE *skfield;
+                        q = p;
+                        /* See if EOC found */
+                        if(asn1_check_eoc(&p, len)) {
+                                if(!sk_eoc) {
+                                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_UNEXPECTED_EOC);
+                                        goto err;
+                                }
+                                len -= p - q;
+                                sk_eoc = 0;
+                                break;
+                        }
+                        skfield = NULL;
+                        if(!ASN1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                        len -= p - q;
+                        if(!sk_push((STACK *)*val, (char *)skfield)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                }
+                if(sk_eoc) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+                        goto err;
+                }
+        } else if(flags & ASN1_TFLG_IMPTAG) {
+                /* IMPLICIT tagging */
+                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+        } else {
+                /* Nothing special */
+                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+        }
+
+        *in = p;
+        return 1;
+
+        err:
+        ASN1_template_free(val, tt);
+        *val = NULL;
+        return 0;
+}
+
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inlen, 
+                                                const ASN1_ITEM *it,
+                                                int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        int ret = 0, utype;
+        long plen;
+        char cst, inf, free_cont = 0;
+        unsigned char *p;
+        BUF_MEM buf;
+        unsigned char *cont = NULL;
+        long len; 
+        if(!pval) {
+                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
+                return 0; /* Should never happen */
+        }
+
+        if(it->itype == ASN1_ITYPE_MSTRING) {
+                utype = tag;
+                tag = -1;
+        } else utype = it->utype;
+
+        if(utype == V_ASN1_ANY) {
+                /* If type is ANY need to figure out type from tag */
+                unsigned char oclass;
+                if(tag >= 0) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY);
+                        return 0;
+                }
+                if(opt) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_OPTIONAL_ANY);
+                        return 0;
+                }
+                p = *in;
+                ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, &p, inlen, -1, 0, 0, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                if(oclass != V_ASN1_UNIVERSAL) utype = V_ASN1_OTHER;
+        }
+        if(tag == -1) {
+                tag = utype;
+                aclass = V_ASN1_UNIVERSAL;
+        }
+        p = *in;
+        /* Check header */
+        ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx);
+        if(!ret) {
+                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+                return 0;
+        } else if(ret == -1) return -1;
+        /* SEQUENCE, SET and "OTHER" are left in encoded form */
+        if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
+                /* Clear context cache for type OTHER because the auto clear when
+                 * we have a exact match wont work
+                 */
+                if(utype == V_ASN1_OTHER) {
+                        asn1_tlc_clear(ctx);
+                /* SEQUENCE and SET must be constructed */
+                } else if(!cst) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_CONSTRUCTED);
+                        return 0;
+                }
+
+                cont = *in;
+                /* If indefinite length constructed find the real end */
+                if(inf) {
+                        if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err;
+                        len = p - cont;
+                } else {
+                        len = p - cont + plen;
+                        p += plen;
+                        buf.data = NULL;
+                }
+        } else if(cst) {
+                buf.length = 0;
+                buf.max = 0;
+                buf.data = NULL;
+                /* Should really check the internal tags are correct but
+                 * some things may get this wrong. The relevant specs
+                 * say that constructed string types should be OCTET STRINGs
+                 * internally irrespective of the type. So instead just check
+                 * for UNIVERSAL class and ignore the tag.
+                 */
+                if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
+                len = buf.length;
+                /* Append a final null to string */
+                if(!BUF_MEM_grow(&buf, len + 1)) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                buf.data[len] = 0;
+                cont = (unsigned char *)buf.data;
+                free_cont = 1;
+        } else {
+                cont = p;
+                len = plen;
+                p += plen;
+        }
+
+        /* We now have content length and type: translate into a structure */
+        if(!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) goto err;
+
+        *in = p;
+        ret = 1;
+        err:
+        if(free_cont && buf.data) OPENSSL_free(buf.data);
+        return ret;
+}
+
+/* Translate ASN1 content octets into a structure */
+
+int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        ASN1_STRING *stmp;
+        ASN1_TYPE *typ = NULL;
+        int ret = 0;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        ASN1_INTEGER **tint;
+        pf = it->funcs;
+        if(pf && pf->prim_c2i) return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
+        /* If ANY type clear type and set pointer to internal value */
+        if(it->utype == V_ASN1_ANY) {
+                if(!*pval) {
+                        typ = ASN1_TYPE_new();
+                        *pval = (ASN1_VALUE *)typ;
+                } else typ = (ASN1_TYPE *)*pval;
+                if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+        }
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                if(!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) goto err;
+                break;
+
+                case V_ASN1_NULL:
+                if(len) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_NULL_IS_WRONG_LENGTH);
+                        goto err;
+                }
+                *pval = (ASN1_VALUE *)1;
+                break;
+
+                case V_ASN1_BOOLEAN:
+                if(len != 1) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
+                        goto err;
+                } else {
+                        ASN1_BOOLEAN *tbool;
+                        tbool = (ASN1_BOOLEAN *)pval;
+                        *tbool = *cont;
+                }
+                break;
+
+                case V_ASN1_BIT_STRING:
+                if(!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) goto err;
+                break;
+
+                case V_ASN1_INTEGER:
+                case V_ASN1_NEG_INTEGER:
+                case V_ASN1_ENUMERATED:
+                case V_ASN1_NEG_ENUMERATED:
+                tint = (ASN1_INTEGER **)pval;
+                if(!c2i_ASN1_INTEGER(tint, &cont, len)) goto err;
+                /* Fixup type to match the expected form */
+                (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
+                break;
+
+                case V_ASN1_OCTET_STRING:
+                case V_ASN1_NUMERICSTRING:
+                case V_ASN1_PRINTABLESTRING:
+                case V_ASN1_T61STRING:
+                case V_ASN1_VIDEOTEXSTRING:
+                case V_ASN1_IA5STRING:
+                case V_ASN1_UTCTIME:
+                case V_ASN1_GENERALIZEDTIME:
+                case V_ASN1_GRAPHICSTRING:
+                case V_ASN1_VISIBLESTRING:
+                case V_ASN1_GENERALSTRING:
+                case V_ASN1_UNIVERSALSTRING:
+                case V_ASN1_BMPSTRING:
+                case V_ASN1_UTF8STRING:
+                case V_ASN1_OTHER:
+                case V_ASN1_SET:
+                case V_ASN1_SEQUENCE:
+                default:
+                /* All based on ASN1_STRING and handled the same */
+                if(!*pval) {
+                        stmp = ASN1_STRING_type_new(utype);
+                        if(!stmp) {
+                                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                        *pval = (ASN1_VALUE *)stmp;
+                } else {
+                        stmp = (ASN1_STRING *)*pval;
+                        stmp->type = utype;
+                }
+                /* If we've already allocated a buffer use it */
+                if(*free_cont) {
+                        if(stmp->data) OPENSSL_free(stmp->data);
+                        stmp->data = cont;
+                        stmp->length = len;
+                        *free_cont = 0;
+                } else {
+                        if(!ASN1_STRING_set(stmp, cont, len)) {
+                                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                                ASN1_STRING_free(stmp); 
+                                *pval = NULL;
+                                goto err;
+                        }
+                }
+                break;
+        }
+        /* If ASN1_ANY and NULL type fix up value */
+        if(typ && utype==V_ASN1_NULL) typ->value.ptr = NULL;
+
+        ret = 1;
+        err:
+        if(!ret) ASN1_TYPE_free(typ);
+        return ret;
+}
+
+/* This function collects the asn1 data from a constructred string
+ * type into a buffer. The values of 'in' and 'len' should refer
+ * to the contents of the constructed type and 'inf' should be set
+ * if it is indefinite length. If 'buf' is NULL then we just want
+ * to find the end of the current structure: useful for indefinite
+ * length constructed stuff.
+ */
+
+static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass)
+{
+        unsigned char *p, *q;
+        long plen;
+        char cst, ininf;
+        p = *in;
+        inf &= 1;
+        /* If no buffer and not indefinite length constructed just pass over the encoded data */
+        if(!buf && !inf) {
+                *in += len;
+                return 1;
+        }
+        while(len > 0) {
+                q = p;
+                /* Check for EOC */
+                if(asn1_check_eoc(&p, len)) {
+                        /* EOC is illegal outside indefinite length constructed form */
+                        if(!inf) {
+                                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC);
+                                return 0;
+                        }
+                        inf = 0;
+                        break;
+                }
+                if(!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, len, tag, aclass, 0, NULL)) {
+                        ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                /* If indefinite length constructed update max length */
+                if(cst) {
+                        if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0;
+                } else {
+                        if(!collect_data(buf, &p, plen)) return 0;
+                }
+                len -= p - q;
+        }
+        if(inf) {
+                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC);
+                return 0;
+        }
+        *in = p;
+        return 1;
+}
+
+static int collect_data(BUF_MEM *buf, unsigned char **p, long plen)
+{
+                int len;
+                if(buf) {
+                        len = buf->length;
+                        if(!BUF_MEM_grow(buf, len + plen)) {
+                                ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
+                                return 0;
+                        }
+                        memcpy(buf->data + len, *p, plen);
+                }
+                *p += plen;
+                return 1;
+}
+
+/* Check for ASN1 EOC and swallow it if found */
+
+static int asn1_check_eoc(unsigned char **in, long len)
+{
+        unsigned char *p;
+        if(len < 2) return 0;
+        p = *in;
+        if(!p[0] && !p[1]) {
+                *in += 2;
+                return 1;
+        }
+        return 0;
+}
+
+/* Check an ASN1 tag and length: a bit like ASN1_get_object
+ * but it sets the length for indefinite length constructed
+ * form, we don't know the exact length but we can set an
+ * upper bound to the amount of data available minus the
+ * header length just read.
+ */
+
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
+                unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx)
+{
+        int i;
+        int ptag, pclass;
+        long plen;
+        unsigned char *p, *q;
+        p = *in;
+        q = p;
+
+        if(ctx && ctx->valid) {
+                i = ctx->ret;
+                plen = ctx->plen;
+                pclass = ctx->pclass;
+                ptag = ctx->ptag;
+                p += ctx->hdrlen;
+        } else {
+                i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
+                if(ctx) {
+                        ctx->ret = i;
+                        ctx->plen = plen;
+                        ctx->pclass = pclass;
+                        ctx->ptag = ptag;
+                        ctx->hdrlen = p - q;
+                        ctx->valid = 1;
+                        /* If definite length, length + header can't exceed total
+                         * amount of data available.
+                         */
+                        if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+                                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
+                                asn1_tlc_clear(ctx);
+                                return 0;
+                        }
+                }
+        }
+
+        if(i & 0x80) {
+                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER);
+                asn1_tlc_clear(ctx);
+                return 0;
+        }
+        if(exptag >= 0) {
+                if((exptag != ptag) || (expclass != pclass)) {
+                        /* If type is OPTIONAL, not an error, but indicate missing
+                         * type.
+                         */
+                        if(opt) return -1;
+                        asn1_tlc_clear(ctx);
+                        ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
+                        return 0;
+                }
+                /* We have a tag and class match, so assume we are going to do something with it */
+                asn1_tlc_clear(ctx);
+        }
+
+        if(i & 1) plen = len - (p - q);
+
+        if(inf) *inf = i & 1;
+
+        if(cst) *cst = i & V_ASN1_CONSTRUCTED;
+
+        if(olen) *olen = plen;
+        if(oclass) *oclass = pclass;
+        if(otag) *otag = ptag;
+
+        *in = p;
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
new file mode 100644
index 0000000000..f6c8ddef0a
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -0,0 +1,497 @@
+/* tasn_enc.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *seq, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int isset);
+
+/* Encode an ASN1 item, this is compatible with the
+ * standard 'i2d' function. 'out' points to 
+ * a buffer to output the data to, in future we will
+ * have more advanced versions that can output data
+ * a piece at a time and this will simply be a special
+ * case.
+ *
+ * The new i2d has one additional feature. If the output
+ * buffer is NULL (i.e. *out == NULL) then a buffer is
+ * allocated and populated with the encoding.
+ */
+
+
+int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it)
+{
+        if(out && !*out) {
+                unsigned char *p, *buf;
+                int len;
+                len = ASN1_item_ex_i2d(&val, NULL, it, -1, 0);
+                if(len <= 0) return len;
+                buf = OPENSSL_malloc(len);
+                if(!buf) return -1;
+                p = buf;
+                ASN1_item_ex_i2d(&val, &p, it, -1, 0);
+                *out = buf;
+                return len;
+        }
+                
+        return ASN1_item_ex_i2d(&val, out, it, -1, 0);
+}
+
+/* Encode an item, taking care of IMPLICIT tagging (if any).
+ * This function performs the normal item handling: it can be
+ * used in external types.
+ */
+
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        const ASN1_TEMPLATE *tt = NULL;
+        unsigned char *p = NULL;
+        int i, seqcontlen, seqlen;
+        ASN1_STRING *strtmp;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return 0;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates)
+                        return ASN1_template_i2d(pval, out, it->templates);
+                return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                strtmp = (ASN1_STRING *)*pval;
+                return asn1_i2d_ex_primitive(pval, out, it, -1, 0);
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+                                return 0;
+                i = asn1_get_choice_selector(pval, it);
+                if((i >= 0) && (i < it->tcount)) {
+                        ASN1_VALUE **pchval;
+                        const ASN1_TEMPLATE *chtt;
+                        chtt = it->templates + i;
+                        pchval = asn1_get_field_ptr(pval, chtt);
+                        return ASN1_template_i2d(pchval, out, chtt);
+                } 
+                /* Fixme: error condition if selector out of range */
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+                                return 0;
+                break;
+
+                case ASN1_ITYPE_EXTERN:
+                /* If new style i2d it does all the work */
+                ef = it->funcs;
+                return ef->asn1_ex_i2d(pval, out, it, tag, aclass);
+
+                case ASN1_ITYPE_COMPAT:
+                /* old style hackery... */
+                cf = it->funcs;
+                if(out) p = *out;
+                i = cf->asn1_i2d(*pval, out);
+                /* Fixup for IMPLICIT tag: note this messes up for tags > 30,
+                 * but so did the old code. Tags > 30 are very rare anyway.
+                 */
+                if(out && (tag != -1))
+                        *p = aclass | tag | (*p & V_ASN1_CONSTRUCTED);
+                return i;
+                
+                case ASN1_ITYPE_SEQUENCE:
+                i = asn1_enc_restore(&seqcontlen, out, pval, it);
+                /* An error occurred */
+                if(i < 0) return 0;
+                /* We have a valid cached encoding... */
+                if(i > 0) return seqcontlen;
+                /* Otherwise carry on */
+                seqcontlen = 0;
+                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+                if(tag == -1) {
+                        tag = V_ASN1_SEQUENCE;
+                        aclass = V_ASN1_UNIVERSAL;
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+                                return 0;
+                /* First work out sequence content length */
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) return 0;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* FIXME: check for errors in enhanced version */
+                        /* FIXME: special handling of indefinite length encoding */
+                        seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt);
+                }
+                seqlen = ASN1_object_size(1, seqcontlen, tag);
+                if(!out) return seqlen;
+                /* Output SEQUENCE header */
+                ASN1_put_object(out, 1, seqcontlen, tag, aclass);
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) return 0;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* FIXME: check for errors in enhanced version */
+                        ASN1_template_i2d(pseqval, out, seqtt);
+                }
+                if(asn1_cb  && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+                                return 0;
+                return seqlen;
+
+                default:
+                return 0;
+        }
+        return 0;
+}
+
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt)
+{
+        int i, ret, flags, aclass;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+        if(flags & ASN1_TFLG_SK_MASK) {
+                /* SET OF, SEQUENCE OF */
+                STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
+                int isset, sktag, skaclass;
+                int skcontlen, sklen;
+                ASN1_VALUE *skitem;
+                if(!*pval) return 0;
+                if(flags & ASN1_TFLG_SET_OF) {
+                        isset = 1;
+                        /* 2 means we reorder */
+                        if(flags & ASN1_TFLG_SEQUENCE_OF) isset = 2;
+                } else isset = 0;
+                /* First work out inner tag value */
+                if(flags & ASN1_TFLG_IMPTAG) {
+                        sktag = tt->tag;
+                        skaclass = aclass;
+                } else {
+                        skaclass = V_ASN1_UNIVERSAL;
+                        if(isset) sktag = V_ASN1_SET;
+                        else sktag = V_ASN1_SEQUENCE;
+                }
+                /* Now work out length of items */
+                skcontlen = 0;
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        skitem = sk_ASN1_VALUE_value(sk, i);
+                        skcontlen += ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
+                }
+                sklen = ASN1_object_size(1, skcontlen, sktag);
+                /* If EXPLICIT need length of surrounding tag */
+                if(flags & ASN1_TFLG_EXPTAG)
+                        ret = ASN1_object_size(1, sklen, tt->tag);
+                else ret = sklen;
+
+                if(!out) return ret;
+
+                /* Now encode this lot... */
+                /* EXPLICIT tag */
+                if(flags & ASN1_TFLG_EXPTAG)
+                        ASN1_put_object(out, 1, sklen, tt->tag, aclass);
+                /* SET or SEQUENCE and IMPLICIT tag */
+                ASN1_put_object(out, 1, skcontlen, sktag, skaclass);
+                /* And finally the stuff itself */
+                asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset);
+
+                return ret;
+        }
+                        
+        if(flags & ASN1_TFLG_EXPTAG) {
+                /* EXPLICIT tagging */
+                /* Find length of tagged item */
+                i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
+                if(!i) return 0;
+                /* Find length of EXPLICIT tag */
+                ret = ASN1_object_size(1, i, tt->tag);
+                if(out) {
+                        /* Output tag and item */
+                        ASN1_put_object(out, 1, i, tt->tag, aclass);
+                        ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+                }
+                return ret;
+        }
+        if(flags & ASN1_TFLG_IMPTAG) {
+                /* IMPLICIT tagging */
+                return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), tt->tag, aclass);
+        }
+        /* Nothing special: treat as normal */
+        return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+}
+
+/* Temporary structure used to hold DER encoding of items for SET OF */
+
+typedef struct {
+        unsigned char *data;
+        int length;
+        ASN1_VALUE *field;
+} DER_ENC;
+
+static int der_cmp(const void *a, const void *b)
+{
+        const DER_ENC *d1 = a, *d2 = b;
+        int cmplen, i;
+        cmplen = (d1->length < d2->length) ? d1->length : d2->length;
+        i = memcmp(d1->data, d2->data, cmplen);
+        if(i) return i;
+        return d1->length - d2->length;
+}
+
+/* Output the content octets of SET OF or SEQUENCE OF */
+
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort)
+{
+        int i;
+        ASN1_VALUE *skitem;
+        unsigned char *tmpdat = NULL, *p = NULL;
+        DER_ENC *derlst = NULL, *tder;
+        if(do_sort) {
+                /* Don't need to sort less than 2 items */
+                if(sk_ASN1_VALUE_num(sk) < 2) do_sort = 0;
+                else {
+                        derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst));
+                        tmpdat = OPENSSL_malloc(skcontlen);
+                        if(!derlst || !tmpdat) return 0;
+                }
+        }
+        /* If not sorting just output each item */
+        if(!do_sort) {
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        skitem = sk_ASN1_VALUE_value(sk, i);
+                        ASN1_item_i2d(skitem, out, item);
+                }
+                return 1;
+        }
+        p = tmpdat;
+        /* Doing sort: build up a list of each member's DER encoding */
+        for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+                skitem = sk_ASN1_VALUE_value(sk, i);
+                tder->data = p;
+                tder->length = ASN1_item_i2d(skitem, &p, item);
+                tder->field = skitem;
+        }
+        /* Now sort them */
+        qsort(derlst, sk_ASN1_VALUE_num(sk), sizeof(*derlst), der_cmp);
+        /* Output sorted DER encoding */        
+        p = *out;
+        for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+                memcpy(p, tder->data, tder->length);
+                p += tder->length;
+        }
+        *out = p;
+        /* If do_sort is 2 then reorder the STACK */
+        if(do_sort == 2) {
+                for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++)
+                        sk_ASN1_VALUE_set(sk, i, tder->field);
+        }
+        OPENSSL_free(derlst);
+        OPENSSL_free(tmpdat);
+        return 1;
+}
+
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        int len;
+        int utype;
+        int usetag;
+
+        utype = it->utype;
+
+        /* Get length of content octets and maybe find
+         * out the underlying type.
+         */
+
+        len = asn1_ex_i2c(pval, NULL, &utype, it);
+
+        /* If SEQUENCE, SET or OTHER then header is
+         * included in pseudo content octets so don't
+         * include tag+length. We need to check here
+         * because the call to asn1_ex_i2c() could change
+         * utype.
+         */
+        if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||
+           (utype == V_ASN1_OTHER))
+                usetag = 0;
+        else usetag = 1;
+
+        /* -1 means omit type */
+
+        if(len == -1) return 0;
+
+        /* If not implicitly tagged get tag from underlying type */
+        if(tag == -1) tag = utype;
+
+        /* Output tag+length followed by content octets */
+        if(out) {
+                if(usetag) ASN1_put_object(out, 0, len, tag, aclass);
+                asn1_ex_i2c(pval, *out, &utype, it);
+                *out += len;
+        }
+
+        if(usetag) return ASN1_object_size(0, len, tag);
+        return len;
+}
+
+/* Produce content octets from a structure */
+
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ITEM *it)
+{
+        ASN1_BOOLEAN *tbool = NULL;
+        ASN1_STRING *strtmp;
+        ASN1_OBJECT *otmp;
+        int utype;
+        unsigned char *cont, c;
+        int len;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf && pf->prim_i2c) return pf->prim_i2c(pval, cout, putype, it);
+
+        /* Should type be omitted? */
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {
+                if(!*pval) return -1;
+        }
+
+        if(it->itype == ASN1_ITYPE_MSTRING) {
+                /* If MSTRING type set the underlying type */
+                strtmp = (ASN1_STRING *)*pval;
+                utype = strtmp->type;
+                *putype = utype;
+        } else if(it->utype == V_ASN1_ANY) {
+                /* If ANY set type and pointer to value */
+                ASN1_TYPE *typ;
+                typ = (ASN1_TYPE *)*pval;
+                utype = typ->type;
+                *putype = utype;
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+        } else utype = *putype;
+
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                otmp = (ASN1_OBJECT *)*pval;
+                cont = otmp->data;
+                len = otmp->length;
+                break;
+
+                case V_ASN1_NULL:
+                cont = NULL;
+                len = 0;
+                break;
+
+                case V_ASN1_BOOLEAN:
+                tbool = (ASN1_BOOLEAN *)pval;
+                if(*tbool == -1) return -1;
+                /* Default handling if value == size field then omit */
+                if(*tbool && (it->size > 0)) return -1;
+                if(!*tbool && !it->size) return -1;
+                c = (unsigned char)*tbool;
+                cont = &c;
+                len = 1;
+                break;
+
+                case V_ASN1_BIT_STRING:
+                return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL);
+                break;
+
+                case V_ASN1_INTEGER:
+                case V_ASN1_NEG_INTEGER:
+                case V_ASN1_ENUMERATED:
+                case V_ASN1_NEG_ENUMERATED:
+                /* These are all have the same content format
+                 * as ASN1_INTEGER
+                 */
+                return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
+                break;
+
+                case V_ASN1_OCTET_STRING:
+                case V_ASN1_NUMERICSTRING:
+                case V_ASN1_PRINTABLESTRING:
+                case V_ASN1_T61STRING:
+                case V_ASN1_VIDEOTEXSTRING:
+                case V_ASN1_IA5STRING:
+                case V_ASN1_UTCTIME:
+                case V_ASN1_GENERALIZEDTIME:
+                case V_ASN1_GRAPHICSTRING:
+                case V_ASN1_VISIBLESTRING:
+                case V_ASN1_GENERALSTRING:
+                case V_ASN1_UNIVERSALSTRING:
+                case V_ASN1_BMPSTRING:
+                case V_ASN1_UTF8STRING:
+                case V_ASN1_SEQUENCE:
+                case V_ASN1_SET:
+                default:
+                /* All based on ASN1_STRING and handled the same */
+                strtmp = (ASN1_STRING *)*pval;
+                cont = strtmp->data;
+                len = strtmp->length;
+
+                break;
+
+        }
+        if(cout && len) memcpy(cout, cont, len);
+        return len;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
new file mode 100644
index 0000000000..c7610776f2
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -0,0 +1,226 @@
+/* tasn_fre.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+
+/* Free up an ASN1 structure */
+
+void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it)
+{
+        asn1_item_combine_free(&val, it, 0);
+}
+
+void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        asn1_item_combine_free(pval, it, 0);
+}
+
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
+{
+        const ASN1_TEMPLATE *tt = NULL, *seqtt;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        int i;
+        if(!pval) return;
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) ASN1_template_free(pval, it->templates);
+                else ASN1_primitive_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                ASN1_primitive_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                        if(i == 2) return;
+                }
+                i = asn1_get_choice_selector(pval, it);
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                if((i >= 0) && (i < it->tcount)) {
+                        ASN1_VALUE **pchval;
+                        tt = it->templates + i;
+                        pchval = asn1_get_field_ptr(pval, tt);
+                        ASN1_template_free(pchval, tt);
+                }
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
+                if(!combine) {
+                        OPENSSL_free(*pval);
+                        *pval = NULL;
+                }
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                cf = it->funcs;
+                if(cf && cf->asn1_free) cf->asn1_free(*pval);
+                break;
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_free) ef->asn1_ex_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_SEQUENCE:
+                if(asn1_do_lock(pval, -1, it) > 0) return;
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                        if(i == 2) return;
+                }               
+                asn1_enc_free(pval, it);
+                /* If we free up as normal we will invalidate any
+                 * ANY DEFINED BY field and we wont be able to 
+                 * determine the type of the field it defines. So
+                 * free up in reverse order.
+                 */
+                tt = it->templates + it->tcount - 1;
+                for(i = 0; i < it->tcount; tt--, i++) {
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 0);
+                        if(!seqtt) continue;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        ASN1_template_free(pseqval, seqtt);
+                }
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
+                if(!combine) {
+                        OPENSSL_free(*pval);
+                        *pval = NULL;
+                }
+                break;
+        }
+}
+
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        int i;
+        if(tt->flags & ASN1_TFLG_SK_MASK) {
+                STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        ASN1_VALUE *vtmp;
+                        vtmp = sk_ASN1_VALUE_value(sk, i);
+                        asn1_item_combine_free(&vtmp, ASN1_ITEM_ptr(tt->item), 0);
+                }
+                sk_ASN1_VALUE_free(sk);
+                *pval = NULL;
+        } else asn1_item_combine_free(pval, ASN1_ITEM_ptr(tt->item),
+                                                tt->flags & ASN1_TFLG_COMBINE);
+}
+
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int utype;
+        if(it) {
+                const ASN1_PRIMITIVE_FUNCS *pf;
+                pf = it->funcs;
+                if(pf && pf->prim_free) {
+                        pf->prim_free(pval, it);
+                        return;
+                }
+        }
+        /* Special case: if 'it' is NULL free contents of ASN1_TYPE */
+        if(!it) {
+                ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
+                utype = typ->type;
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+                if(!*pval) return;
+        } else if(it->itype == ASN1_ITYPE_MSTRING) {
+                utype = -1;
+                if(!*pval) return;
+        } else {
+                utype = it->utype;
+                if((utype != V_ASN1_BOOLEAN) && !*pval) return;
+        }
+
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                ASN1_OBJECT_free((ASN1_OBJECT *)*pval);
+                break;
+
+                case V_ASN1_BOOLEAN:
+                *(ASN1_BOOLEAN *)pval = it->size;
+                return;
+
+                case V_ASN1_NULL:
+                break;
+
+                case V_ASN1_ANY:
+                ASN1_primitive_free(pval, NULL);
+                OPENSSL_free(*pval);
+                break;
+
+                default:
+                ASN1_STRING_free((ASN1_STRING *)*pval);
+                *pval = NULL;
+                break;
+        }
+        *pval = NULL;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
new file mode 100644
index 0000000000..e33861f864
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -0,0 +1,348 @@
+/* tasn_new.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+#include <string.h>
+
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it)
+{
+        ASN1_VALUE *ret = NULL;
+        if(ASN1_item_ex_new(&ret, it) > 0) return ret;
+        return NULL;
+}
+
+/* Allocate an ASN1 structure */
+
+int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        return asn1_item_ex_combine_new(pval, it, 0);
+}
+
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
+{
+        const ASN1_TEMPLATE *tt = NULL;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        ASN1_VALUE **pseqval;
+        int i;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        if(!combine) *pval = NULL;
+
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_push_info(it->sname);
+#endif
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_new) {
+                        if(!ef->asn1_ex_new(pval, it))
+                                goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                cf = it->funcs;
+                if(cf && cf->asn1_new) {
+                        *pval = cf->asn1_new();
+                        if(!*pval) goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) {
+                        if(!ASN1_template_new(pval, it->templates))
+                                goto memerr;
+                } else {
+                        if(!ASN1_primitive_new(pval, it))
+                                goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                if(!ASN1_primitive_new(pval, it))
+                                goto memerr;
+                break;
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
+                        if(!i) goto auxerr;
+                        if(i==2) {
+#ifdef CRYPTO_MDEBUG
+                                if(it->sname) CRYPTO_pop_info();
+#endif
+                                return 1;
+                        }
+                }
+                if(!combine) {
+                        *pval = OPENSSL_malloc(it->size);
+                        if(!*pval) goto memerr;
+                        memset(*pval, 0, it->size);
+                }
+                asn1_set_choice_selector(pval, -1, it);
+                if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+                                goto auxerr;
+                break;
+
+                case ASN1_ITYPE_SEQUENCE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
+                        if(!i) goto auxerr;
+                        if(i==2) {
+#ifdef CRYPTO_MDEBUG
+                                if(it->sname) CRYPTO_pop_info();
+#endif
+                                return 1;
+                        }
+                }
+                if(!combine) {
+                        *pval = OPENSSL_malloc(it->size);
+                        if(!*pval) goto memerr;
+                        memset(*pval, 0, it->size);
+                        asn1_do_lock(pval, 0, it);
+                        asn1_enc_init(pval, it);
+                }
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        pseqval = asn1_get_field_ptr(pval, tt);
+                        if(!ASN1_template_new(pseqval, tt)) goto memerr;
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+                                goto auxerr;
+                break;
+        }
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 1;
+
+        memerr:
+        ASN1err(ASN1_F_ASN1_ITEM_NEW, ERR_R_MALLOC_FAILURE);
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 0;
+
+        auxerr:
+        ASN1err(ASN1_F_ASN1_ITEM_NEW, ASN1_R_AUX_ERROR);
+        ASN1_item_ex_free(pval, it);
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 0;
+
+}
+
+static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        const ASN1_EXTERN_FUNCS *ef;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_clear) 
+                        ef->asn1_ex_clear(pval, it);
+                else *pval = NULL;
+                break;
+
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) 
+                        asn1_template_clear(pval, it->templates);
+                else
+                        asn1_primitive_clear(pval, it);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                asn1_primitive_clear(pval, it);
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                case ASN1_ITYPE_CHOICE:
+                case ASN1_ITYPE_SEQUENCE:
+                *pval = NULL;
+                break;
+        }
+}
+
+
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
+        int ret;
+        if(tt->flags & ASN1_TFLG_OPTIONAL) {
+                asn1_template_clear(pval, tt);
+                return 1;
+        }
+        /* If ANY DEFINED BY nothing to do */
+
+        if(tt->flags & ASN1_TFLG_ADB_MASK) {
+                *pval = NULL;
+                return 1;
+        }
+#ifdef CRYPTO_MDEBUG
+        if(tt->field_name) CRYPTO_push_info(tt->field_name);
+#endif
+        /* If SET OF or SEQUENCE OF, its a STACK */
+        if(tt->flags & ASN1_TFLG_SK_MASK) {
+                STACK_OF(ASN1_VALUE) *skval;
+                skval = sk_ASN1_VALUE_new_null();
+                if(!skval) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_NEW, ERR_R_MALLOC_FAILURE);
+                        ret = 0;
+                        goto done;
+                }
+                *pval = (ASN1_VALUE *)skval;
+                ret = 1;
+                goto done;
+        }
+        /* Otherwise pass it back to the item routine */
+        ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
+        done:
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return ret;
+}
+
+static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        /* If ADB or STACK just NULL the field */
+        if(tt->flags & (ASN1_TFLG_ADB_MASK|ASN1_TFLG_SK_MASK)) 
+                *pval = NULL;
+        else
+                asn1_item_clear(pval, ASN1_ITEM_ptr(tt->item));
+}
+
+
+/* NB: could probably combine most of the real XXX_new() behaviour and junk all the old
+ * functions.
+ */
+
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_TYPE *typ;
+        int utype;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf && pf->prim_new) return pf->prim_new(pval, it);
+        if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
+        else utype = it->utype;
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);
+                return 1;
+
+                case V_ASN1_BOOLEAN:
+                *(ASN1_BOOLEAN *)pval = it->size;
+                return 1;
+
+                case V_ASN1_NULL:
+                *pval = (ASN1_VALUE *)1;
+                return 1;
+
+                case V_ASN1_ANY:
+                typ = OPENSSL_malloc(sizeof(ASN1_TYPE));
+                if(!typ) return 0;
+                typ->value.ptr = NULL;
+                typ->type = -1;
+                *pval = (ASN1_VALUE *)typ;
+                break;
+
+                default:
+                *pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);
+                break;
+        }
+        if(*pval) return 1;
+        return 0;
+}
+
+void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int utype;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf) {
+                if(pf->prim_clear)
+                        pf->prim_clear(pval, it);
+                else 
+                        *pval = NULL;
+                return;
+        }
+        if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
+        else utype = it->utype;
+        if(utype == V_ASN1_BOOLEAN)
+                *(ASN1_BOOLEAN *)pval = it->size;
+        else *pval = NULL;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
new file mode 100644
index 0000000000..fab67ae5ac
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -0,0 +1,198 @@
+/* tasn_prn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/nasn.h>
+
+/* Print routines. Print out a whole structure from a template.
+ */
+
+static int asn1_item_print_nm(BIO *out, void *fld, int indent, const ASN1_ITEM *it, const char *name);
+
+int ASN1_item_print(BIO *out, void *fld, int indent, const ASN1_ITEM *it)
+{
+        return asn1_item_print_nm(out, fld, indent, it, it->sname);
+}
+
+static int asn1_item_print_nm(BIO *out, void *fld, int indent, const ASN1_ITEM *it, const char *name)
+{
+        ASN1_STRING *str;
+        const ASN1_TEMPLATE *tt;
+        void *tmpfld;
+        int i;
+        if(!fld) {
+                BIO_printf(out, "%*s%s ABSENT\n", indent, "", name);
+                return 1;
+        }
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates)
+                        return ASN1_template_print(out, fld, indent, it->templates);
+                return asn1_primitive_print(out, fld, it->utype, indent, name);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                str = fld;
+                return asn1_primitive_print(out, fld, str->type, indent, name);
+
+                case ASN1_ITYPE_EXTERN:
+                BIO_printf(out, "%*s%s:EXTERNAL TYPE %s %s\n", indent, "", name, it->sname, fld ? "" : "ABSENT");
+                return 1;
+                case ASN1_ITYPE_COMPAT:
+                BIO_printf(out, "%*s%s:COMPATIBLE TYPE %s %s\n", indent, "", name, it->sname, fld ? "" : "ABSENT");
+                return 1;
+
+
+                case ASN1_ITYPE_CHOICE:
+                /* CHOICE type, get selector */
+                i = asn1_get_choice_selector(fld, it);
+                /* This should never happen... */
+                if((i < 0) || (i >= it->tcount)) {
+                        BIO_printf(out, "%s selector [%d] out of range\n", it->sname, i);
+                        return 1;
+                }
+                tt = it->templates + i;
+                tmpfld = asn1_get_field(fld, tt);
+                return ASN1_template_print(out, tmpfld, indent, tt);
+
+                case ASN1_ITYPE_SEQUENCE:
+                BIO_printf(out, "%*s%s {\n", indent, "", name);
+                /* Get each field entry */
+                for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        tmpfld = asn1_get_field(fld, tt);
+                        ASN1_template_print(out, tmpfld, indent + 2, tt);
+                }
+                BIO_printf(out, "%*s}\n", indent, "");
+                return 1;
+
+                default:
+                return 0;
+        }
+}
+
+int ASN1_template_print(BIO *out, void *fld, int indent, const ASN1_TEMPLATE *tt)
+{
+        int i, flags;
+#if 0
+        if(!fld) return 0; 
+#endif
+        flags = tt->flags;
+        if(flags & ASN1_TFLG_SK_MASK) {
+                char *tname;
+                void *skitem;
+                /* SET OF, SEQUENCE OF */
+                if(flags & ASN1_TFLG_SET_OF) tname = "SET";
+                else tname = "SEQUENCE";
+                if(fld) {
+                        BIO_printf(out, "%*s%s OF %s {\n", indent, "", tname, tt->field_name);
+                        for(i = 0; i < sk_num(fld); i++) {
+                                skitem = sk_value(fld, i);
+                                asn1_item_print_nm(out, skitem, indent + 2, tt->item, "");
+                        }
+                        BIO_printf(out, "%*s}\n", indent, "");
+                } else 
+                        BIO_printf(out, "%*s%s OF %s ABSENT\n", indent, "", tname, tt->field_name);
+                return 1;
+        }
+        return asn1_item_print_nm(out, fld, indent, tt->item, tt->field_name);
+}
+
+static int asn1_primitive_print(BIO *out, void *fld, long utype, int indent, const char *name)
+{
+        ASN1_STRING *str = fld;
+        if(fld) {
+                if(utype == V_ASN1_BOOLEAN) {
+                        int *bool = fld;
+if(*bool == -1) printf("BOOL MISSING\n");
+                        BIO_printf(out, "%*s%s:%s", indent, "", "BOOLEAN", *bool ? "TRUE" : "FALSE");
+                } else if((utype == V_ASN1_INTEGER) 
+                          || (utype == V_ASN1_ENUMERATED)) {
+                        char *s, *nm;
+                        s = i2s_ASN1_INTEGER(NULL, fld);
+                        if(utype == V_ASN1_INTEGER) nm = "INTEGER";
+                        else nm = "ENUMERATED";
+                        BIO_printf(out, "%*s%s:%s", indent, "", nm, s);
+                        OPENSSL_free(s);
+                } else if(utype == V_ASN1_NULL) {
+                        BIO_printf(out, "%*s%s", indent, "", "NULL");
+                } else if(utype == V_ASN1_UTCTIME) {
+                        BIO_printf(out, "%*s%s:%s:", indent, "", name, "UTCTIME");
+                        ASN1_UTCTIME_print(out, str);
+                } else if(utype == V_ASN1_GENERALIZEDTIME) {
+                        BIO_printf(out, "%*s%s:%s:", indent, "", name, "GENERALIZEDTIME");
+                        ASN1_GENERALIZEDTIME_print(out, str);
+                } else if(utype == V_ASN1_OBJECT) {
+                        char objbuf[80], *ln;
+                        ln = OBJ_nid2ln(OBJ_obj2nid(fld));
+                        if(!ln) ln = "";
+                        OBJ_obj2txt(objbuf, 80, fld, 1);
+                        BIO_printf(out, "%*s%s:%s (%s)", indent, "", "OBJECT", ln, objbuf);
+                } else {
+                        BIO_printf(out, "%*s%s:", indent, "", name);
+                        ASN1_STRING_print_ex(out, str, ASN1_STRFLGS_DUMP_UNKNOWN|ASN1_STRFLGS_SHOW_TYPE);
+                }
+                BIO_printf(out, "\n");
+        } else BIO_printf(out, "%*s%s [ABSENT]\n", indent, "", name);
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_typ.c b/src/lib/libcrypto/asn1/tasn_typ.c
new file mode 100644
index 0000000000..804d2eeba2
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_typ.c
@@ -0,0 +1,133 @@
+/* tasn_typ.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+
+/* Declarations for string types */
+
+
+IMPLEMENT_ASN1_TYPE(ASN1_INTEGER)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_INTEGER)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ENUMERATED)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_ENUMERATED)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BIT_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BIT_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OCTET_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_NULL)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OBJECT)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTF8STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTF8STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_PRINTABLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_T61STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALIZEDTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_VISIBLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UNIVERSALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BMPSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BMPSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ANY)
+
+/* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */
+IMPLEMENT_ASN1_TYPE(ASN1_SEQUENCE)
+
+IMPLEMENT_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
+
+/* Multistring types */
+
+IMPLEMENT_ASN1_MSTRING(ASN1_PRINTABLE, B_ASN1_PRINTABLE)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE)
+
+IMPLEMENT_ASN1_MSTRING(DISPLAYTEXT, B_ASN1_DISPLAYTEXT)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
+
+IMPLEMENT_ASN1_MSTRING(DIRECTORYSTRING, B_ASN1_DIRECTORYSTRING)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
+
+/* Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE */
+IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1)
+IMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, 1)
+IMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, 0)
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
new file mode 100644
index 0000000000..8996ce8c13
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -0,0 +1,253 @@
+/* tasn_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+#include <openssl/err.h>
+
+/* Utility functions for manipulating fields and offsets */
+
+/* Add 'offset' to 'addr' */
+#define offset2ptr(addr, offset) (void *)(((char *) addr) + offset)
+
+/* Given an ASN1_ITEM CHOICE type return
+ * the selector value
+ */
+
+int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int *sel = offset2ptr(*pval, it->utype);
+        return *sel;
+}
+
+/* Given an ASN1_ITEM CHOICE type set
+ * the selector value, return old value.
+ */
+
+int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it)
+{       
+        int *sel, ret;
+        sel = offset2ptr(*pval, it->utype);
+        ret = *sel;
+        *sel = value;
+        return ret;
+}
+
+/* Do reference counting. The value 'op' decides what to do. 
+ * if it is +1 then the count is incremented. If op is 0 count is
+ * set to 1. If op is -1 count is decremented and the return value
+ * is the current refrence count or 0 if no reference count exists.
+ */
+
+int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
+{
+        const ASN1_AUX *aux;
+        int *lck, ret;
+        if(it->itype != ASN1_ITYPE_SEQUENCE) return 0;
+        aux = it->funcs;
+        if(!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) return 0;
+        lck = offset2ptr(*pval, aux->ref_offset);
+        if(op == 0) {
+                *lck = 1;
+                return 1;
+        }
+        ret = CRYPTO_add(lck, op, aux->ref_lock);
+#ifdef REF_PRINT
+        fprintf(stderr, "%s: Reference Count: %d\n", it->sname, *lck);
+#endif
+#ifdef REF_CHECK
+        if(ret < 0) 
+                fprintf(stderr, "%s, bad reference count\n", it->sname);
+#endif
+        return ret;
+}
+
+static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        const ASN1_AUX *aux;
+        if(!pval || !*pval) return NULL;
+        aux = it->funcs;
+        if(!aux || !(aux->flags & ASN1_AFLG_ENCODING)) return NULL;
+        return offset2ptr(*pval, aux->enc_offset);
+}
+
+void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(enc) {
+                enc->enc = NULL;
+                enc->len = 0;
+                enc->modified = 1;
+        }
+}
+
+void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(enc) {
+                if(enc->enc) OPENSSL_free(enc->enc);
+                enc->enc = NULL;
+                enc->len = 0;
+                enc->modified = 1;
+        }
+}
+
+int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(!enc) return 1;
+
+        if(enc->enc) OPENSSL_free(enc->enc);
+        enc->enc = OPENSSL_malloc(inlen);
+        if(!enc->enc) return 0;
+        memcpy(enc->enc, in, inlen);
+        enc->len = inlen;
+        enc->modified = 0;
+
+        return 1;
+}
+                
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(!enc || enc->modified) return 0;
+        if(out) {
+                memcpy(*out, enc->enc, enc->len);
+                *out += enc->len;
+        }
+        if(len) *len = enc->len;
+        return 1;
+}
+
+/* Given an ASN1_TEMPLATE get a pointer to a field */
+ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        ASN1_VALUE **pvaltmp;
+        if(tt->flags & ASN1_TFLG_COMBINE) return pval;
+        pvaltmp = offset2ptr(*pval, tt->offset);
+        /* NOTE for BOOLEAN types the field is just a plain
+         * int so we can't return int **, so settle for
+         * (int *).
+         */
+        return pvaltmp;
+}
+
+/* Handle ANY DEFINED BY template, find the selector, look up
+ * the relevant ASN1_TEMPLATE in the table and return it.
+ */
+
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr)
+{
+        const ASN1_ADB *adb;
+        const ASN1_ADB_TABLE *atbl;
+        long selector;
+        ASN1_VALUE **sfld;
+        int i;
+        if(!(tt->flags & ASN1_TFLG_ADB_MASK)) return tt;
+
+        /* Else ANY DEFINED BY ... get the table */
+        adb = ASN1_ADB_ptr(tt->item);
+
+        /* Get the selector field */
+        sfld = offset2ptr(*pval, adb->offset);
+
+        /* Check if NULL */
+        if(!sfld) {
+                if(!adb->null_tt) goto err;
+                return adb->null_tt;
+        }
+
+        /* Convert type to a long:
+         * NB: don't check for NID_undef here because it
+         * might be a legitimate value in the table
+         */
+        if(tt->flags & ASN1_TFLG_ADB_OID) 
+                selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
+        else 
+                selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld);
+
+        /* Try to find matching entry in table
+         * Maybe should check application types first to
+         * allow application override? Might also be useful
+         * to have a flag which indicates table is sorted and
+         * we can do a binary search. For now stick to a
+         * linear search.
+         */
+
+        for(atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++)
+                if(atbl->value == selector) return &atbl->tt;
+
+        /* FIXME: need to search application table too */
+
+        /* No match, return default type */
+        if(!adb->default_tt) goto err;          
+        return adb->default_tt;
+        
+        err:
+        /* FIXME: should log the value or OID of unsupported type */
+        if(nullerr) ASN1err(ASN1_F_ASN1_DO_ADB, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
+        return NULL;
+}
diff --git a/src/lib/libcrypto/asn1/x_bignum.c b/src/lib/libcrypto/asn1/x_bignum.c
new file mode 100644
index 0000000000..848c7a0877
--- /dev/null
+++ b/src/lib/libcrypto/asn1/x_bignum.c
@@ -0,0 +1,137 @@
+/* x_bignum.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+/* Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER as a
+ * BIGNUM directly. Currently it ignores the sign which isn't a problem since all
+ * BIGNUMs used are non negative and anything that looks negative is normally due
+ * to an encoding error.
+ */
+
+#define BN_SENSITIVE    1
+
+static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+static ASN1_PRIMITIVE_FUNCS bignum_pf = {
+        NULL, 0,
+        bn_new,
+        bn_free,
+        0,
+        bn_c2i,
+        bn_i2c
+};
+
+ASN1_ITEM_start(BIGNUM)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, 0, "BIGNUM"
+ASN1_ITEM_end(BIGNUM)
+
+ASN1_ITEM_start(CBIGNUM)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, BN_SENSITIVE, "BIGNUM"
+ASN1_ITEM_end(CBIGNUM)
+
+static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *pval = (ASN1_VALUE *)BN_new();
+        if(*pval) return 1;
+        else return 0;
+}
+
+static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(!*pval) return;
+        if(it->size & BN_SENSITIVE) BN_clear_free((BIGNUM *)*pval);
+        else BN_free((BIGNUM *)*pval);
+        *pval = NULL;
+}
+
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+{
+        BIGNUM *bn;
+        int pad;
+        if(!*pval) return -1;
+        bn = (BIGNUM *)*pval;
+        /* If MSB set in an octet we need a padding byte */
+        if(BN_num_bits(bn) & 0x7) pad = 0;
+        else pad = 1;
+        if(cont) {
+                if(pad) *cont++ = 0;
+                BN_bn2bin(bn, cont);
+        }
+        return pad + BN_num_bytes(bn);
+}
+
+static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        BIGNUM *bn;
+        if(!*pval) bn_new(pval, it);
+        bn  = (BIGNUM *)*pval;
+        if(!BN_bin2bn(cont, len, bn)) {
+                bn_free(pval, it);
+                return 0;
+        }
+        return 1;
+}
+
+
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
new file mode 100644
index 0000000000..c5f25956cb
--- /dev/null
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -0,0 +1,169 @@
+/* x_long.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+/* Custom primitive type for long handling. This converts between an ASN1_INTEGER
+ * and a long directly.
+ */
+
+
+static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+static ASN1_PRIMITIVE_FUNCS long_pf = {
+        NULL, 0,
+        long_new,
+        long_free,
+        long_free,      /* Clear should set to initial value */
+        long_c2i,
+        long_i2c
+};
+
+ASN1_ITEM_start(LONG)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, ASN1_LONG_UNDEF, "LONG"
+ASN1_ITEM_end(LONG)
+
+ASN1_ITEM_start(ZLONG)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, 0, "ZLONG"
+ASN1_ITEM_end(ZLONG)
+
+static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *(long *)pval = it->size;
+        return 1;
+}
+
+static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *(long *)pval = it->size;
+}
+
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+{
+        long ltmp;
+        unsigned long utmp;
+        int clen, pad, i;
+        /* this exists to bypass broken gcc optimization */
+        char *cp = (char *)pval;
+
+        /* use memcpy, because we may not be long aligned */
+        memcpy(&ltmp, cp, sizeof(long));
+
+        if(ltmp == it->size) return -1;
+        /* Convert the long to positive: we subtract one if negative so
+         * we can cleanly handle the padding if only the MSB of the leading
+         * octet is set. 
+         */
+        if(ltmp < 0) utmp = -ltmp - 1;
+        else utmp = ltmp;
+        clen = BN_num_bits_word(utmp);
+        /* If MSB of leading octet set we need to pad */
+        if(!(clen & 0x7)) pad = 1;
+        else pad = 0;
+
+        /* Convert number of bits to number of octets */
+        clen = (clen + 7) >> 3;
+
+        if(cont) {
+                if(pad) *cont++ = (ltmp < 0) ? 0xff : 0;
+                for(i = clen - 1; i >= 0; i--) {
+                        cont[i] = (unsigned char)(utmp & 0xff);
+                        if(ltmp < 0) cont[i] ^= 0xff;
+                        utmp >>= 8;
+                }
+        }
+        return clen + pad;
+}
+
+static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        int neg, i;
+        long ltmp;
+        unsigned long utmp = 0;
+        char *cp = (char *)pval;
+        if(len > sizeof(long)) {
+                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+                return 0;
+        }
+        /* Is it negative? */
+        if(len && (cont[0] & 0x80)) neg = 1;
+        else neg = 0;
+        utmp = 0;
+        for(i = 0; i < len; i++) {
+                utmp <<= 8;
+                if(neg) utmp |= cont[i] ^ 0xff;
+                else utmp |= cont[i];
+        }
+        ltmp = (long)utmp;
+        if(neg) {
+                ltmp++;
+                ltmp = -ltmp;
+        }
+        if(ltmp == it->size) {
+                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+                return 0;
+        }
+        memcpy(cp, &ltmp, sizeof(long));
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/x_x509a.c b/src/lib/libcrypto/asn1/x_x509a.c
new file mode 100644
index 0000000000..b9987ea968
--- /dev/null
+++ b/src/lib/libcrypto/asn1/x_x509a.c
@@ -0,0 +1,200 @@
+/* a_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX routines. These are used to encode additional
+ * user modifiable data about a certificate. This data is
+ * appended to the X509 encoding when the *_X509_AUX routines
+ * are used. This means that the "traditional" X509 routines
+ * will simply ignore the extra data. 
+ */
+
+static X509_CERT_AUX *aux_get(X509 *x);
+
+X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a, X509_CERT_AUX *, X509_CERT_AUX_new);
+        
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+
+        M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->trust,
+                                        d2i_ASN1_OBJECT, ASN1_OBJECT_free);
+        M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->reject,
+                                        d2i_ASN1_OBJECT, ASN1_OBJECT_free, 0);
+        M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
+        M_ASN1_D2I_get_opt(ret->keyid, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get_IMP_set_opt_type(X509_ALGOR, ret->other,
+                                        d2i_X509_ALGOR, X509_ALGOR_free, 1);
+
+        M_ASN1_D2I_Finish(a, X509_CERT_AUX_free, ASN1_F_D2I_X509_CERT_AUX);
+}
+
+X509_CERT_AUX *X509_CERT_AUX_new()
+{
+        X509_CERT_AUX *ret = NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, X509_CERT_AUX);
+        ret->trust = NULL;
+        ret->reject = NULL;
+        ret->alias = NULL;
+        ret->keyid = NULL;
+        ret->other = NULL;
+        return(ret);
+        M_ASN1_New_Error(ASN1_F_X509_CERT_AUX_NEW);
+}
+
+void X509_CERT_AUX_free(X509_CERT_AUX *a)
+{
+        if(a == NULL) return;
+        sk_ASN1_OBJECT_pop_free(a->trust, ASN1_OBJECT_free);
+        sk_ASN1_OBJECT_pop_free(a->reject, ASN1_OBJECT_free);
+        ASN1_UTF8STRING_free(a->alias);
+        ASN1_OCTET_STRING_free(a->keyid);
+        sk_X509_ALGOR_pop_free(a->other, X509_ALGOR_free);
+        Free(a);
+}
+
+int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
+
+        M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
+        M_ASN1_I2D_len(a->keyid, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
+
+        M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
+        M_ASN1_I2D_put(a->keyid, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+
+        M_ASN1_I2D_finish();
+}
+
+static X509_CERT_AUX *aux_get(X509 *x)
+{
+        if(!x) return NULL;
+        if(!x->aux && !(x->aux = X509_CERT_AUX_new())) return NULL;
+        return x->aux;
+}
+
+int X509_alias_set1(X509 *x, unsigned char *name, int len)
+{
+        X509_CERT_AUX *aux;
+        if(!(aux = aux_get(x))) return 0;
+        if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0;
+        return ASN1_STRING_set(aux->alias, name, len);
+}
+
+unsigned char *X509_alias_get0(X509 *x, int *len)
+{
+        if(!x->aux || !x->aux->alias) return NULL;
+        if(len) *len = x->aux->alias->length;
+        return x->aux->alias->data;
+}
+
+int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj)
+{
+        X509_CERT_AUX *aux;
+        ASN1_OBJECT *objtmp;
+        if(!(objtmp = OBJ_dup(obj))) return 0;
+        if(!(aux = aux_get(x))) return 0;
+        if(!aux->trust
+                && !(aux->trust = sk_ASN1_OBJECT_new_null())) return 0;
+        return sk_ASN1_OBJECT_push(aux->trust, objtmp);
+}
+
+int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
+{
+        X509_CERT_AUX *aux;
+        ASN1_OBJECT *objtmp;
+        if(!(objtmp = OBJ_dup(obj))) return 0;
+        if(!(aux = aux_get(x))) return 0;
+        if(!aux->reject
+                && !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0;
+        return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+}
+
+void X509_trust_clear(X509 *x)
+{
+        if(x->aux && x->aux->trust) {
+                sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free);
+                x->aux->trust = NULL;
+        }
+}
+
+void X509_reject_clear(X509 *x)
+{
+        if(x->aux && x->aux->reject) {
+                sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free);
+                x->aux->reject = NULL;
+        }
+}
+
diff --git a/src/lib/libcrypto/bf/bf_locl.h b/src/lib/libcrypto/bf/bf_locl.h
new file mode 100644
index 0000000000..05756b5d3b
--- /dev/null
+++ b/src/lib/libcrypto/bf/bf_locl.h
@@ -0,0 +1,219 @@
+/* crypto/bf/bf_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BF_LOCL_H
+#define HEADER_BF_LOCL_H
+#include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
+
+#undef c2l
+#define c2l(c,l)        (l =((unsigned long)(*((c)++)))    , \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n) { \
+                        c+=n; \
+                        l1=l2=0; \
+                        switch (n) { \
+                        case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+                        case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+                        case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+                        case 5: l2|=((unsigned long)(*(--(c))));     \
+                        case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+                        case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+                        case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+                        case 1: l1|=((unsigned long)(*(--(c))));     \
+                                } \
+                        }
+
+#undef l2c
+#define l2c(l,c)        (*((c)++)=(unsigned char)(((l)     )&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n) { \
+                        c+=n; \
+                        switch (n) { \
+                        case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+                        case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+                        case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+                        case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+                        case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+                        case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+                        case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+                        case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+                                } \
+                        }
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n) { \
+                        c+=n; \
+                        l1=l2=0; \
+                        switch (n) { \
+                        case 8: l2 =((unsigned long)(*(--(c))))    ; \
+                        case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+                        case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+                        case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+                        case 4: l1 =((unsigned long)(*(--(c))))    ; \
+                        case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+                        case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+                        case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+                                } \
+                        }
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n) { \
+                        c+=n; \
+                        switch (n) { \
+                        case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+                        case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+                        case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+                        case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+                        case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+                        case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+                        case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+                        case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+                                } \
+                        }
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* This is actually a big endian algorithm, the most significate byte
+ * is used to lookup array 0 */
+
+#if defined(BF_PTR2)
+
+/*
+ * This is basically a special Intel version. Point is that Intel
+ * doesn't have many registers, but offers a reach choice of addressing
+ * modes. So we spare some registers by directly traversing BF_KEY
+ * structure and hiring the most decorated addressing mode. The code
+ * generated by EGCS is *perfectly* competitive with assembler
+ * implementation!
+ */
+#define BF_ENC(LL,R,KEY,Pi) (\
+        LL^=KEY[Pi], \
+        t=  KEY[BF_ROUNDS+2 +   0 + ((R>>24)&0xFF)], \
+        t+= KEY[BF_ROUNDS+2 + 256 + ((R>>16)&0xFF)], \
+        t^= KEY[BF_ROUNDS+2 + 512 + ((R>>8 )&0xFF)], \
+        t+= KEY[BF_ROUNDS+2 + 768 + ((R    )&0xFF)], \
+        LL^=t \
+        )
+
+#elif defined(BF_PTR)
+
+#ifndef BF_LONG_LOG2
+#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
+#endif
+#define BF_M  (0xFF<<BF_LONG_LOG2)
+#define BF_0  (24-BF_LONG_LOG2)
+#define BF_1  (16-BF_LONG_LOG2)
+#define BF_2  ( 8-BF_LONG_LOG2)
+#define BF_3  BF_LONG_LOG2 /* left shift */
+
+/*
+ * This is normally very good on RISC platforms where normally you
+ * have to explicitely "multiplicate" array index by sizeof(BF_LONG)
+ * in order to caclulate the effective address. This implementation
+ * excuses CPU from this extra work. Power[PC] uses should have most
+ * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
+ * rlwinm. So let'em double-check if their compiler does it.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+        LL^=P, \
+        LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
+                *(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
+                *(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
+                *(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
+        )
+#else
+
+/*
+ * This is a *generic* version. Seem to perform best on platforms that
+ * offer explicit support for extraction of 8-bit nibbles preferably
+ * complemented with "multiplying" of array index by sizeof(BF_LONG).
+ * For the moment of this writing the list comprises Alpha CPU featuring
+ * extbl and s[48]addq instructions.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+        LL^=P, \
+        LL^=((( S[       ((int)(R>>24)&0xff)] + \
+                S[0x0100+((int)(R>>16)&0xff)])^ \
+                S[0x0200+((int)(R>> 8)&0xff)])+ \
+                S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
+        )
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/bio/bf_lbuf.c b/src/lib/libcrypto/bio/bf_lbuf.c
new file mode 100644
index 0000000000..7bcf8ed941
--- /dev/null
+++ b/src/lib/libcrypto/bio/bf_lbuf.c
@@ -0,0 +1,397 @@
+/* crypto/bio/bf_buff.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+static int linebuffer_write(BIO *h, const char *buf,int num);
+static int linebuffer_read(BIO *h, char *buf, int size);
+static int linebuffer_puts(BIO *h, const char *str);
+static int linebuffer_gets(BIO *h, char *str, int size);
+static long linebuffer_ctrl(BIO *h, int cmd, long arg1, void *arg2);
+static int linebuffer_new(BIO *h);
+static int linebuffer_free(BIO *data);
+static long linebuffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
+
+/* A 10k maximum should be enough for most purposes */
+#define DEFAULT_LINEBUFFER_SIZE 1024*10
+
+/* #define DEBUG */
+
+static BIO_METHOD methods_linebuffer=
+        {
+        BIO_TYPE_LINEBUFFER,
+        "linebuffer",
+        linebuffer_write,
+        linebuffer_read,
+        linebuffer_puts,
+        linebuffer_gets,
+        linebuffer_ctrl,
+        linebuffer_new,
+        linebuffer_free,
+        linebuffer_callback_ctrl,
+        };
+
+BIO_METHOD *BIO_f_linebuffer(void)
+        {
+        return(&methods_linebuffer);
+        }
+
+typedef struct bio_linebuffer_ctx_struct
+        {
+        char *obuf;             /* the output char array */
+        int obuf_size;          /* how big is the output buffer */
+        int obuf_len;           /* how many bytes are in it */
+        } BIO_LINEBUFFER_CTX;
+
+static int linebuffer_new(BIO *bi)
+        {
+        BIO_LINEBUFFER_CTX *ctx;
+
+        ctx=(BIO_LINEBUFFER_CTX *)OPENSSL_malloc(sizeof(BIO_LINEBUFFER_CTX));
+        if (ctx == NULL) return(0);
+        ctx->obuf=(char *)OPENSSL_malloc(DEFAULT_LINEBUFFER_SIZE);
+        if (ctx->obuf == NULL) { OPENSSL_free(ctx); return(0); }
+        ctx->obuf_size=DEFAULT_LINEBUFFER_SIZE;
+        ctx->obuf_len=0;
+
+        bi->init=1;
+        bi->ptr=(char *)ctx;
+        bi->flags=0;
+        return(1);
+        }
+
+static int linebuffer_free(BIO *a)
+        {
+        BIO_LINEBUFFER_CTX *b;
+
+        if (a == NULL) return(0);
+        b=(BIO_LINEBUFFER_CTX *)a->ptr;
+        if (b->obuf != NULL) OPENSSL_free(b->obuf);
+        OPENSSL_free(a->ptr);
+        a->ptr=NULL;
+        a->init=0;
+        a->flags=0;
+        return(1);
+        }
+        
+static int linebuffer_read(BIO *b, char *out, int outl)
+        {
+        int ret=0;
+ 
+        if (out == NULL) return(0);
+        if (b->next_bio == NULL) return(0);
+        ret=BIO_read(b->next_bio,out,outl);
+        BIO_clear_retry_flags(b);
+        BIO_copy_next_retry(b);
+        return(ret);
+        }
+
+static int linebuffer_write(BIO *b, const char *in, int inl)
+        {
+        int i,num=0,foundnl;
+        BIO_LINEBUFFER_CTX *ctx;
+
+        if ((in == NULL) || (inl <= 0)) return(0);
+        ctx=(BIO_LINEBUFFER_CTX *)b->ptr;
+        if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+        BIO_clear_retry_flags(b);
+
+        do
+                {
+                const char *p;
+
+                for(p = in; p < in + inl && *p != '\n'; p++)
+                        ;
+                if (*p == '\n')
+                        {
+                        p++;
+                        foundnl = 1;
+                        }
+                else
+                        foundnl = 0;
+
+                /* If a NL was found and we already have text in the save
+                   buffer, concatenate them and write */
+                while ((foundnl || p - in > ctx->obuf_size - ctx->obuf_len)
+                        && ctx->obuf_len > 0)
+                        {
+                        int orig_olen = ctx->obuf_len;
+                        
+                        i = ctx->obuf_size - ctx->obuf_len;
+                        if (p - in > 0)
+                                {
+                                if (i >= p - in)
+                                        {
+                                        memcpy(&(ctx->obuf[ctx->obuf_len]),
+                                                in,p - in);
+                                        ctx->obuf_len += p - in;
+                                        inl -= p - in;
+                                        num += p - in;
+                                        in = p;
+                                        }
+                                else
+                                        {
+                                        memcpy(&(ctx->obuf[ctx->obuf_len]),
+                                                in,i);
+                                        ctx->obuf_len += i;
+                                        inl -= i;
+                                        in += i;
+                                        num += i;
+                                        }
+                                }
+
+#ifdef DEBUG
+BIO_write(b->next_bio, "<*<", 3);
+#endif
+                        i=BIO_write(b->next_bio,
+                                ctx->obuf, ctx->obuf_len);
+                        if (i <= 0)
+                                {
+                                ctx->obuf_len = orig_olen;
+                                BIO_copy_next_retry(b);
+
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                                if (i < 0) return((num > 0)?num:i);
+                                if (i == 0) return(num);
+                                }
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                        if (i < ctx->obuf_len)
+                                memmove(ctx->obuf, ctx->obuf + i,
+                                        ctx->obuf_len - i);
+                        ctx->obuf_len-=i;
+                        }
+
+                /* Now that the save buffer is emptied, let's write the input
+                   buffer if a NL was found and there is anything to write. */
+                if ((foundnl || p - in > ctx->obuf_size) && p - in > 0)
+                        {
+#ifdef DEBUG
+BIO_write(b->next_bio, "<*<", 3);
+#endif
+                        i=BIO_write(b->next_bio,in,p - in);
+                        if (i <= 0)
+                                {
+                                BIO_copy_next_retry(b);
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                                if (i < 0) return((num > 0)?num:i);
+                                if (i == 0) return(num);
+                                }
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                        num+=i;
+                        in+=i;
+                        inl-=i;
+                        }
+                }
+        while(foundnl && inl > 0);
+        /* We've written as much as we can.  The rest of the input buffer, if
+           any, is text that doesn't and with a NL and therefore needs to be
+           saved for the next trip. */
+        if (inl > 0)
+                {
+                memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+                ctx->obuf_len += inl;
+                num += inl;
+                }
+        return num;
+        }
+
+static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
+        {
+        BIO *dbio;
+        BIO_LINEBUFFER_CTX *ctx;
+        long ret=1;
+        char *p;
+        int r;
+        int obs;
+
+        ctx=(BIO_LINEBUFFER_CTX *)b->ptr;
+
+        switch (cmd)
+                {
+        case BIO_CTRL_RESET:
+                ctx->obuf_len=0;
+                if (b->next_bio == NULL) return(0);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_INFO:
+                ret=(long)ctx->obuf_len;
+                break;
+        case BIO_CTRL_WPENDING:
+                ret=(long)ctx->obuf_len;
+                if (ret == 0)
+                        {
+                        if (b->next_bio == NULL) return(0);
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                        }
+                break;
+        case BIO_C_SET_BUFF_SIZE:
+                obs=(int)num;
+                p=ctx->obuf;
+                if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size))
+                        {
+                        p=(char *)OPENSSL_malloc((int)num);
+                        if (p == NULL)
+                                goto malloc_error;
+                        }
+                if (ctx->obuf != p)
+                        {
+                        if (ctx->obuf_len > obs)
+                                {
+                                ctx->obuf_len = obs;
+                                }
+                        memcpy(p, ctx->obuf, ctx->obuf_len);
+                        OPENSSL_free(ctx->obuf);
+                        ctx->obuf=p;
+                        ctx->obuf_size=obs;
+                        }
+                break;
+        case BIO_C_DO_STATE_MACHINE:
+                if (b->next_bio == NULL) return(0);
+                BIO_clear_retry_flags(b);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                BIO_copy_next_retry(b);
+                break;
+
+        case BIO_CTRL_FLUSH:
+                if (b->next_bio == NULL) return(0);
+                if (ctx->obuf_len <= 0)
+                        {
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                        break;
+                        }
+
+                for (;;)
+                        {
+                        BIO_clear_retry_flags(b);
+                        if (ctx->obuf_len > 0)
+                                {
+                                r=BIO_write(b->next_bio,
+                                        ctx->obuf, ctx->obuf_len);
+#if 0
+fprintf(stderr,"FLUSH %3d -> %3d\n",ctx->obuf_len,r);
+#endif
+                                BIO_copy_next_retry(b);
+                                if (r <= 0) return((long)r);
+                                if (r < ctx->obuf_len)
+                                        memmove(ctx->obuf, ctx->obuf + r,
+                                                ctx->obuf_len - r);
+                                ctx->obuf_len-=r;
+                                }
+                        else
+                                {
+                                ctx->obuf_len=0;
+                                ret=1;
+                                break;
+                                }
+                        }
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_DUP:
+                dbio=(BIO *)ptr;
+                if (    !BIO_set_write_buffer_size(dbio,ctx->obuf_size))
+                        ret=0;
+                break;
+        default:
+                if (b->next_bio == NULL) return(0);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+                }
+        return(ret);
+malloc_error:
+        BIOerr(BIO_F_LINEBUFFER_CTRL,ERR_R_MALLOC_FAILURE);
+        return(0);
+        }
+
+static long linebuffer_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
+        {
+        long ret=1;
+
+        if (b->next_bio == NULL) return(0);
+        switch (cmd)
+                {
+        default:
+                ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+                break;
+                }
+        return(ret);
+        }
+
+static int linebuffer_gets(BIO *b, char *buf, int size)
+        {
+        if (b->next_bio == NULL) return(0);
+        return(BIO_gets(b->next_bio,buf,size));
+        }
+
+static int linebuffer_puts(BIO *b, const char *str)
+        {
+        return(linebuffer_write(b,str,strlen(str)));
+        }
+
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
new file mode 100644
index 0000000000..562e9d8de2
--- /dev/null
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -0,0 +1,588 @@
+/* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
+
+/* Special method for a BIO where the other endpoint is also a BIO
+ * of this kind, handled by the same thread (i.e. the "peer" is actually
+ * ourselves, wearing a different hat).
+ * Such "BIO pairs" are mainly for using the SSL library with I/O interfaces
+ * for which no specific BIO method is available.
+ * See ssl/ssltest.c for some hints on how this can be used. */
+
+#ifndef BIO_PAIR_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+
+static int bio_new(BIO *bio);
+static int bio_free(BIO *bio);
+static int bio_read(BIO *bio, char *buf, int size);
+static int bio_write(BIO *bio, char *buf, int num);
+static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr);
+static int bio_puts(BIO *bio, char *str);
+
+static int bio_make_pair(BIO *bio1, BIO *bio2);
+static void bio_destroy_pair(BIO *bio);
+
+static BIO_METHOD methods_biop =
+{
+        BIO_TYPE_BIO,
+        "BIO pair",
+        bio_write,
+        bio_read,
+        bio_puts,
+        NULL /* no bio_gets */,
+        bio_ctrl,
+        bio_new,
+        bio_free
+};
+
+BIO_METHOD *BIO_s_bio(void)
+        {
+        return &methods_biop;
+        }
+
+struct bio_bio_st
+{
+        BIO *peer;     /* NULL if buf == NULL.
+                        * If peer != NULL, then peer->ptr is also a bio_bio_st,
+                        * and its "peer" member points back to us.
+                        * peer != NULL iff init != 0 in the BIO. */
+        
+        /* This is for what we write (i.e. reading uses peer's struct): */
+        int closed;     /* valid iff peer != NULL */
+        size_t len;     /* valid iff buf != NULL; 0 if peer == NULL */
+        size_t offset;  /* valid iff buf != NULL; 0 if len == 0 */
+        size_t size;
+        char *buf;      /* "size" elements (if != NULL) */
+
+        size_t request; /* valid iff peer != NULL; 0 if len != 0,
+                         * otherwise set by peer to number of bytes
+                         * it (unsuccesfully) tried to read,
+                         * never more than buffer space (size-len) warrants. */
+};
+
+static int bio_new(BIO *bio)
+        {
+        struct bio_bio_st *b;
+        
+        b = Malloc(sizeof *b);
+        if (b == NULL)
+                return 0;
+
+        b->peer = NULL;
+        b->size = 17*1024; /* enough for one TLS record (just a default) */
+        b->buf = NULL;
+
+        bio->ptr = b;
+        return 1;
+        }
+
+
+static int bio_free(BIO *bio)
+        {
+        struct bio_bio_st *b;
+
+        if (bio == NULL)
+                return 0;
+        b = bio->ptr;
+
+        assert(b != NULL);
+
+        if (b->peer)
+                bio_destroy_pair(bio);
+        
+        if (b->buf != NULL)
+                {
+                Free(b->buf);
+                }
+
+        Free(b);
+
+        return 1;
+        }
+
+
+
+static int bio_read(BIO *bio, char *buf, int size_)
+        {
+        size_t size = size_;
+        size_t rest;
+        struct bio_bio_st *b, *peer_b;
+
+        BIO_clear_retry_flags(bio);
+
+        if (!bio->init)
+                return 0;
+
+        b = bio->ptr;
+        assert(b != NULL);
+        assert(b->peer != NULL);
+        peer_b = b->peer->ptr;
+        assert(peer_b != NULL);
+        assert(peer_b->buf != NULL);
+
+        peer_b->request = 0; /* will be set in "retry_read" situation */
+
+        if (buf == NULL || size == 0)
+                return 0;
+
+        if (peer_b->len == 0)
+                {
+                if (peer_b->closed)
+                        return 0; /* writer has closed, and no data is left */
+                else
+                        {
+                        BIO_set_retry_read(bio); /* buffer is empty */
+                        if (size <= peer_b->size)
+                                peer_b->request = size;
+                        else
+                                /* don't ask for more than the peer can
+                                 * deliver in one write */
+                                peer_b->request = peer_b->size;
+                        return -1;
+                        }
+                }
+
+        /* we can read */
+        if (peer_b->len < size)
+                size = peer_b->len;
+
+        /* now read "size" bytes */
+        
+        rest = size;
+        
+        assert(rest > 0);
+        do /* one or two iterations */
+                {
+                size_t chunk;
+                
+                assert(rest <= peer_b->len);
+                if (peer_b->offset + rest <= peer_b->size)
+                        chunk = rest;
+                else
+                        /* wrap around ring buffer */
+                        chunk = peer_b->size - peer_b->offset;
+                assert(peer_b->offset + chunk <= peer_b->size);
+                
+                memcpy(buf, peer_b->buf + peer_b->offset, chunk);
+                
+                peer_b->len -= chunk;
+                if (peer_b->len)
+                        {
+                        peer_b->offset += chunk;
+                        assert(peer_b->offset <= peer_b->size);
+                        if (peer_b->offset == peer_b->size)
+                                peer_b->offset = 0;
+                        buf += chunk;
+                        }
+                else
+                        {
+                        /* buffer now empty, no need to advance "buf" */
+                        assert(chunk == rest);
+                        peer_b->offset = 0;
+                        }
+                rest -= chunk;
+                }
+        while (rest);
+        
+        return size;
+        }
+
+static int bio_write(BIO *bio, char *buf, int num_)
+        {
+        size_t num = num_;
+        size_t rest;
+        struct bio_bio_st *b;
+
+        BIO_clear_retry_flags(bio);
+
+        if (!bio->init || buf == NULL || num == 0)
+                return 0;
+
+        b = bio->ptr;           
+        assert(b != NULL);
+        assert(b->peer != NULL);
+        assert(b->buf != NULL);
+
+        b->request = 0;
+        if (b->closed)
+                {
+                /* we already closed */
+                BIOerr(BIO_F_BIO_WRITE, BIO_R_BROKEN_PIPE);
+                return -1;
+                }
+
+        assert(b->len <= b->size);
+
+        if (b->len == b->size)
+                {
+                BIO_set_retry_write(bio); /* buffer is full */
+                return -1;
+                }
+
+        /* we can write */
+        if (num > b->size - b->len)
+                num = b->size - b->len;
+        
+        /* now write "num" bytes */
+
+        rest = num;
+        
+        assert(rest > 0);
+        do /* one or two iterations */
+                {
+                size_t write_offset;
+                size_t chunk;
+
+                assert(b->len + rest <= b->size);
+
+                write_offset = b->offset + b->len;
+                if (write_offset >= b->size)
+                        write_offset -= b->size;
+                /* b->buf[write_offset] is the first byte we can write to. */
+
+                if (write_offset + rest <= b->size)
+                        chunk = rest;
+                else
+                        /* wrap around ring buffer */
+                        chunk = b->size - write_offset;
+                
+                memcpy(b->buf + write_offset, buf, chunk);
+                
+                b->len += chunk;
+
+                assert(b->len <= b->size);
+                
+                rest -= chunk;
+                buf += chunk;
+                }
+        while (rest);
+
+        return num;
+        }
+
+
+static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
+        {
+        long ret;
+        struct bio_bio_st *b = bio->ptr;
+        
+        assert(b != NULL);
+
+        switch (cmd)
+                {
+        /* specific CTRL codes */
+
+        case BIO_C_SET_WRITE_BUF_SIZE:
+                if (b->peer)
+                        {
+                        BIOerr(BIO_F_BIO_CTRL, BIO_R_IN_USE);
+                        ret = 0;
+                        }
+                else if (num == 0)
+                        {
+                        BIOerr(BIO_F_BIO_CTRL, BIO_R_INVALID_ARGUMENT);
+                        ret = 0;
+                        }
+                else
+                        {
+                        size_t new_size = num;
+
+                        if (b->size != new_size)
+                                {
+                                if (b->buf) 
+                                        {
+                                        Free(b->buf);
+                                        b->buf = NULL;
+                                        }
+                                b->size = new_size;
+                                }
+                        ret = 1;
+                        }
+                break;
+
+        case BIO_C_GET_WRITE_BUF_SIZE:
+                num = (long) b->size;
+
+        case BIO_C_MAKE_BIO_PAIR:
+                {
+                BIO *other_bio = ptr;
+                
+                if (bio_make_pair(bio, other_bio))
+                        ret = 1;
+                else
+                        ret = 0;
+                }
+                break;
+                
+        case BIO_C_DESTROY_BIO_PAIR:
+                /* Effects both BIOs in the pair -- call just once!
+                 * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
+                bio_destroy_pair(bio);
+                ret = 1;
+                break;
+
+        case BIO_C_GET_WRITE_GUARANTEE:
+                /* How many bytes can the caller feed to the next write
+                 * withouth having to keep any? */
+                if (b->peer == NULL || b->closed)
+                        ret = 0;
+                else
+                        ret = (long) b->size - b->len;
+                break;
+
+        case BIO_C_GET_READ_REQUEST:
+                /* If the peer unsuccesfully tried to read, how many bytes
+                 * were requested?  (As with BIO_CTRL_PENDING, that number
+                 * can usually be treated as boolean.) */
+                ret = (long) b->request;
+                break;
+
+        case BIO_C_SHUTDOWN_WR:
+                /* similar to shutdown(..., SHUT_WR) */
+                b->closed = 1;
+                ret = 1;
+                break;
+
+
+        /* standard CTRL codes follow */
+
+        case BIO_CTRL_RESET:
+                if (b->buf != NULL)
+                        {
+                        b->len = 0;
+                        b->offset = 0;
+                        }
+                ret = 0;
+                break;          
+
+        case BIO_CTRL_GET_CLOSE:
+                ret = bio->shutdown;
+                break;
+
+        case BIO_CTRL_SET_CLOSE:
+                bio->shutdown = (int) num;
+                ret = 1;
+                break;
+
+        case BIO_CTRL_PENDING:
+                if (b->peer != NULL)
+                        {
+                        struct bio_bio_st *peer_b = b->peer->ptr;
+                        
+                        ret = (long) peer_b->len;
+                        }
+                else
+                        ret = 0;
+                break;
+
+        case BIO_CTRL_WPENDING:
+                if (b->buf != NULL)
+                        ret = (long) b->len;
+                else
+                        ret = 0;
+                break;
+
+        case BIO_CTRL_DUP:
+                /* See BIO_dup_chain for circumstances we have to expect. */
+                {
+                BIO *other_bio = ptr;
+                struct bio_bio_st *other_b;
+                
+                assert(other_bio != NULL);
+                other_b = other_bio->ptr;
+                assert(other_b != NULL);
+                
+                assert(other_b->buf == NULL); /* other_bio is always fresh */
+
+                other_b->size = b->size;
+                }
+
+                ret = 1;
+                break;
+
+        case BIO_CTRL_FLUSH:
+                ret = 1;
+                break;
+
+        case BIO_CTRL_EOF:
+                {
+                BIO *other_bio = ptr;
+                
+                if (other_bio)
+                        {
+                        struct bio_bio_st *other_b = other_bio->ptr;
+                        
+                        assert(other_b != NULL);
+                        ret = other_b->len == 0 && other_b->closed;
+                        }
+                else
+                        ret = 1;
+                }
+                break;
+
+        default:
+                ret = 0;
+                }
+        return ret;
+        }
+
+static int bio_puts(BIO *bio, char *str)
+        {
+        return bio_write(bio, str, strlen(str));
+        }
+
+
+static int bio_make_pair(BIO *bio1, BIO *bio2)
+        {
+        struct bio_bio_st *b1, *b2;
+
+        assert(bio1 != NULL);
+        assert(bio2 != NULL);
+
+        b1 = bio1->ptr;
+        b2 = bio2->ptr;
+        
+        if (b1->peer != NULL || b2->peer != NULL)
+                {
+                BIOerr(BIO_F_BIO_MAKE_PAIR, BIO_R_IN_USE);
+                return 0;
+                }
+        
+        if (b1->buf == NULL)
+                {
+                b1->buf = Malloc(b1->size);
+                if (b1->buf == NULL)
+                        {
+                        BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                b1->len = 0;
+                b1->offset = 0;
+                }
+        
+        if (b2->buf == NULL)
+                {
+                b2->buf = Malloc(b2->size);
+                if (b2->buf == NULL)
+                        {
+                        BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                b2->len = 0;
+                b2->offset = 0;
+                }
+        
+        b1->peer = bio2;
+        b1->closed = 0;
+        b1->request = 0;
+        b2->peer = bio1;
+        b2->closed = 0;
+        b2->request = 0;
+
+        bio1->init = 1;
+        bio2->init = 1;
+
+        return 1;
+        }
+
+static void bio_destroy_pair(BIO *bio)
+        {
+        struct bio_bio_st *b = bio->ptr;
+
+        if (b != NULL)
+                {
+                BIO *peer_bio = b->peer;
+
+                if (peer_bio != NULL)
+                        {
+                        struct bio_bio_st *peer_b = peer_bio->ptr;
+
+                        assert(peer_b != NULL);
+                        assert(peer_b->peer == bio);
+
+                        peer_b->peer = NULL;
+                        peer_bio->init = 0;
+                        assert(peer_b->buf != NULL);
+                        peer_b->len = 0;
+                        peer_b->offset = 0;
+                        
+                        b->peer = NULL;
+                        bio->init = 0;
+                        assert(b->buf != NULL);
+                        b->len = 0;
+                        b->offset = 0;
+                        }
+                }
+        }
+ 
+
+/* Exported convenience functions */
+int BIO_new_bio_pair(BIO **bio1_p, size_t writebuf1,
+        BIO **bio2_p, size_t writebuf2)
+         {
+         BIO *bio1 = NULL, *bio2 = NULL;
+         long r;
+         int ret = 0;
+
+         bio1 = BIO_new(BIO_s_bio());
+         if (bio1 == NULL)
+                 goto err;
+         bio2 = BIO_new(BIO_s_bio());
+         if (bio2 == NULL)
+                 goto err;
+
+         if (writebuf1)
+                 {
+                 r = BIO_set_write_buf_size(bio1, writebuf1);
+                 if (!r)
+                         goto err;
+                 }
+         if (writebuf2)
+                 {
+                 r = BIO_set_write_buf_size(bio2, writebuf2);
+                 if (!r)
+                         goto err;
+                 }
+
+         r = BIO_make_bio_pair(bio1, bio2);
+         if (!r)
+                 goto err;
+         ret = 1;
+
+ err:
+         if (ret == 0)
+                 {
+                 if (bio1)
+                         {
+                         BIO_free(bio1);
+                         bio1 = NULL;
+                         }
+                 if (bio2)
+                         {
+                         BIO_free(bio2);
+                         bio2 = NULL;
+                         }
+                 }
+
+         *bio1_p = bio1;
+         *bio2_p = bio2;
+         return ret;
+         }
+
+size_t BIO_ctrl_get_write_guarantee(BIO *bio)
+        {
+        return BIO_ctrl(bio, BIO_C_GET_WRITE_GUARANTEE, 0, NULL);
+        }
+
+size_t BIO_ctrl_get_read_request(BIO *bio)
+        {
+        return BIO_ctrl(bio, BIO_C_GET_READ_REQUEST, 0, NULL);
+        }
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
new file mode 100644
index 0000000000..db82e757e7
--- /dev/null
+++ b/src/lib/libcrypto/bio/bss_log.c
@@ -0,0 +1,232 @@
+/* crypto/bio/bss_log.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+        Why BIO_s_log?
+
+        BIO_s_log is useful for system daemons (or services under NT).
+        It is one-way BIO, it sends all stuff to syslogd (or event log
+        under NT).
+
+*/
+
+
+#include <stdio.h>
+#include <errno.h>
+
+#ifndef WIN32
+#ifdef __ultrix
+#include <sys/syslog.h>
+#else
+#include <syslog.h>
+#endif
+#endif
+
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#ifndef NO_SYSLOG
+
+
+static int MS_CALLBACK slg_write(BIO *h,char *buf,int num);
+static int MS_CALLBACK slg_puts(BIO *h,char *str);
+static long MS_CALLBACK slg_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int MS_CALLBACK slg_new(BIO *h);
+static int MS_CALLBACK slg_free(BIO *data);
+static int xopenlog(BIO* bp, const char* name, int level);
+static int xcloselog(BIO* bp);
+
+static BIO_METHOD methods_slg=
+        {
+        BIO_TYPE_MEM,"syslog",
+        slg_write,
+        NULL,
+        slg_puts,
+        NULL,
+        slg_ctrl,
+        slg_new,
+        slg_free,
+        };
+
+BIO_METHOD *BIO_s_log(void)
+        {
+        return(&methods_slg);
+        }
+
+static int MS_CALLBACK slg_new(BIO *bi)
+        {
+        bi->init=1;
+        bi->num=0;
+        bi->ptr=NULL;
+#ifndef WIN32
+        xopenlog(bi, "application", LOG_DAEMON);
+#else
+        xopenlog(bi, "application", 0);
+#endif
+        return(1);
+        }
+
+static int MS_CALLBACK slg_free(BIO *a)
+        {
+        if (a == NULL) return(0);
+        xcloselog(a);
+        return(1);
+        }
+        
+static int MS_CALLBACK slg_write(BIO *b, char *in, int inl)
+        {
+        int ret= inl;
+        char* buf= in;
+        char* pp;
+#if defined(WIN32)
+        LPTSTR lpszStrings[1];
+        WORD evtype= EVENTLOG_ERROR_TYPE;
+#else
+        int priority;
+#endif
+
+        if((buf= (char *)Malloc(inl+ 1)) == NULL){
+                return(0);
+        }
+        strncpy(buf, in, inl);
+        buf[inl]= '\0';
+#if defined(WIN32)
+        if(strncmp(buf, "ERR ", 4) == 0){
+                evtype= EVENTLOG_ERROR_TYPE;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "WAR ", 4) == 0){
+                evtype= EVENTLOG_WARNING_TYPE;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "INF ", 4) == 0){
+                evtype= EVENTLOG_INFORMATION_TYPE;
+                pp= buf+ 4;
+        }else{
+                evtype= EVENTLOG_ERROR_TYPE;
+                pp= buf;
+        }
+        lpszStrings[0]= pp;
+
+        if(b->ptr)
+                ReportEvent(b->ptr, evtype, 0, 1024, NULL, 1, 0,
+                                lpszStrings, NULL);
+#else
+        if(strncmp(buf, "ERR ", 4) == 0){
+                priority= LOG_ERR;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "WAR ", 4) == 0){
+                priority= LOG_WARNING;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "INF ", 4) == 0){
+                priority= LOG_INFO;
+                pp= buf+ 4;
+        }else{
+                priority= LOG_ERR;
+                pp= buf;
+        }
+
+        syslog(priority, "%s", pp);
+#endif
+        Free(buf);
+        return(ret);
+        }
+
+static long MS_CALLBACK slg_ctrl(BIO *b, int cmd, long num, char *ptr)
+        {
+        switch (cmd)
+                {
+        case BIO_CTRL_SET:
+                xcloselog(b);
+                xopenlog(b, ptr, num);
+                break;
+        default:
+                break;
+                }
+        return(0);
+        }
+
+static int MS_CALLBACK slg_puts(BIO *bp, char *str)
+        {
+        int n,ret;
+
+        n=strlen(str);
+        ret=slg_write(bp,str,n);
+        return(ret);
+        }
+
+static int xopenlog(BIO* bp, const char* name, int level)
+{
+#if defined(WIN32)
+        if((bp->ptr= (char *)RegisterEventSource(NULL, name)) == NULL){
+                return(0);
+        }
+#else
+        openlog(name, LOG_PID|LOG_CONS, level);
+#endif
+        return(1);
+}
+
+static int xcloselog(BIO* bp)
+{
+#if defined(WIN32)
+        if(bp->ptr)
+                DeregisterEventSource((HANDLE)(bp->ptr));
+        bp->ptr= NULL;
+#else
+        closelog();
+#endif
+        return(1);
+}
+
+#endif
diff --git a/src/lib/libcrypto/bn/asm/co-586.pl b/src/lib/libcrypto/bn/asm/co-586.pl
new file mode 100644
index 0000000000..5d962cb957
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/co-586.pl
@@ -0,0 +1,286 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_comba("bn_mul_comba8",8);
+&bn_mul_comba("bn_mul_comba4",4);
+&bn_sqr_comba("bn_sqr_comba8",8);
+&bn_sqr_comba("bn_sqr_comba4",4);
+
+&asm_finish();
+
+sub mul_add_c
+        {
+        local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("mul a[$ai]*b[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        &mul("edx");
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # laod next a
+         &mov("eax",&wparam(0)) if $pos > 0;                    # load r[]
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0;        # laod next b
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1;        # laod next b
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0;           # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # laod next a
+        }
+
+sub sqr_add_c
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb);
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;              # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # load next b
+        }
+
+sub sqr_add_c2
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$a,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add("eax","eax");
+         ###
+        &adc("edx","edx");
+         ###
+        &adc($c2,0);
+         &add($c0,"eax");
+        &adc($c1,"edx");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;        # load next b
+        &adc($c2,0);
+        &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;               # save r[];
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb);
+         ###
+        }
+
+sub bn_mul_comba
+        {
+        local($name,$num)=@_;
+        local($a,$b,$c0,$c1,$c2);
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($tot,$end);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $b="edi";
+        
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        &push("esi");
+         &mov($a,&wparam(1));
+        &push("edi");
+         &mov($b,&wparam(2));
+        &push("ebp");
+         &push("ebx");
+
+        &xor($c0,$c0);
+         &mov("eax",&DWP(0,$a,"",0));   # load the first word 
+        &xor($c1,$c1);
+         &mov("edx",&DWP(0,$b,"",0));   # load the first second 
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("################## Calculate word $i"); 
+
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($j+1) == $end)
+                                {
+                                $v=1;
+                                $v=2 if (($i+1) == $tot);
+                                }
+                        else
+                                { $v=0; }
+                        if (($j+1) != $end)
+                                {
+                                $na=($ai-1);
+                                $nb=($bi+1);
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+#printf STDERR "[$ai,$bi] -> [$na,$nb]\n";
+                        &mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb);
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                # &mov("eax",&wparam(0));
+                                # &mov(&DWP($i*4,"eax","",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &comment("save r[$i]");
+        # &mov("eax",&wparam(0));
+        &mov(&DWP($i*4,"eax","",0),$c0);
+
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
+
+sub bn_sqr_comba
+        {
+        local($name,$num)=@_;
+        local($r,$a,$c0,$c1,$c2)=@_;
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($b,$tot,$end,$half);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $r="edi";
+
+        &push("esi");
+         &push("edi");
+        &push("ebp");
+         &push("ebx");
+        &mov($r,&wparam(0));
+         &mov($a,&wparam(1));
+        &xor($c0,$c0);
+         &xor($c1,$c1);
+        &mov("eax",&DWP(0,$a,"",0)); # load the first word
+
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("############### Calculate word $i");
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($ai-1) < ($bi+1))
+                                {
+                                $v=1;
+                                $v=2 if ($i+1) == $tot;
+                                }
+                        else
+                                { $v=0; }
+                        if (!$v)
+                                {
+                                $na=$ai-1;
+                                $nb=$bi+1;
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+                        if ($ai == $bi)
+                                {
+                                &sqr_add_c($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        else
+                                {
+                                &sqr_add_c2($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                #&mov(&DWP($i*4,$r,"",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                last;
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &mov(&DWP($i*4,$r,"",0),$c0);
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
diff --git a/src/lib/libcrypto/bn/asm/ia64.S b/src/lib/libcrypto/bn/asm/ia64.S
new file mode 100644
index 0000000000..ae56066310
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/ia64.S
@@ -0,0 +1,1498 @@
+.explicit
+.text
+.ident  "ia64.S, Version 1.1"
+.ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+//
+// ====================================================================
+// Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+// project.
+//
+// Rights for redistribution and usage in source and binary forms are
+// granted according to the OpenSSL license. Warranty of any kind is
+// disclaimed.
+// ====================================================================
+//
+
+// Q.   How much faster does it get?
+// A.   Here is the output from 'openssl speed rsa dsa' for vanilla
+//      0.9.6a compiled with gcc version 2.96 20000731 (Red Hat
+//      Linux 7.1 2.96-81):
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0036s   0.0003s    275.3   2999.2
+//      rsa 1024 bits   0.0203s   0.0011s     49.3    894.1
+//      rsa 2048 bits   0.1331s   0.0040s      7.5    250.9
+//      rsa 4096 bits   0.9270s   0.0147s      1.1     68.1
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0035s   0.0043s    288.3    234.8
+//      dsa 1024 bits   0.0111s   0.0135s     90.0     74.2
+//
+//      And here is similar output but for this assembler
+//      implementation:-)
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0021s   0.0001s    549.4   9638.5
+//      rsa 1024 bits   0.0055s   0.0002s    183.8   4481.1
+//      rsa 2048 bits   0.0244s   0.0006s     41.4   1726.3
+//      rsa 4096 bits   0.1295s   0.0018s      7.7    561.5
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0012s   0.0013s    891.9    756.6
+//      dsa 1024 bits   0.0023s   0.0028s    440.4    376.2
+//      
+//      Yes, you may argue that it's not fair comparison as it's
+//      possible to craft the C implementation with BN_UMULT_HIGH
+//      inline assembler macro. But of course! Here is the output
+//      with the macro:
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0020s   0.0002s    495.0   6561.0
+//      rsa 1024 bits   0.0086s   0.0004s    116.2   2235.7
+//      rsa 2048 bits   0.0519s   0.0015s     19.3    667.3
+//      rsa 4096 bits   0.3464s   0.0053s      2.9    187.7
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0016s   0.0020s    613.1    510.5
+//      dsa 1024 bits   0.0045s   0.0054s    221.0    183.9
+//
+//      My code is still way faster, huh:-) And I believe that even
+//      higher performance can be achieved. Note that as keys get
+//      longer, performance gain is larger. Why? According to the
+//      profiler there is another player in the field, namely
+//      BN_from_montgomery consuming larger and larger portion of CPU
+//      time as keysize decreases. I therefore consider putting effort
+//      to assembler implementation of the following routine:
+//
+//      void bn_mul_add_mont (BN_ULONG *rp,BN_ULONG *np,int nl,BN_ULONG n0)
+//      {
+//      int      i,j;
+//      BN_ULONG v;
+//
+//      for (i=0; i<nl; i++)
+//              {
+//              v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
+//              nrp++;
+//              rp++;
+//              if (((nrp[-1]+=v)&BN_MASK2) < v)
+//                      for (j=0; ((++nrp[j])&BN_MASK2) == 0; j++) ;
+//              }
+//      }
+//
+//      It might as well be beneficial to implement even combaX
+//      variants, as it appears as it can literally unleash the
+//      performance (see comment section to bn_mul_comba8 below).
+//
+//      And finally for your reference the output for 0.9.6a compiled
+//      with SGIcc version 0.01.0-12 (keep in mind that for the moment
+//      of this writing it's not possible to convince SGIcc to use
+//      BN_UMULT_HIGH inline assembler macro, yet the code is fast,
+//      i.e. for a compiler generated one:-):
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0022s   0.0002s    452.7   5894.3
+//      rsa 1024 bits   0.0097s   0.0005s    102.7   2002.9
+//      rsa 2048 bits   0.0578s   0.0017s     17.3    600.2
+//      rsa 4096 bits   0.3838s   0.0061s      2.6    164.5
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0018s   0.0022s    547.3    459.6
+//      dsa 1024 bits   0.0051s   0.0062s    196.6    161.3
+//
+//      Oh! Benchmarks were performed on 733MHz Lion-class Itanium
+//      system running Redhat Linux 7.1 (very special thanks to Ray
+//      McCaffity of Williams Communications for providing an account).
+//
+// Q.   What's the heck with 'rum 1<<5' at the end of every function?
+// A.   Well, by clearing the "upper FP registers written" bit of the
+//      User Mask I want to excuse the kernel from preserving upper
+//      (f32-f128) FP register bank over process context switch, thus
+//      minimizing bus bandwidth consumption during the switch (i.e.
+//      after PKI opration completes and the program is off doing
+//      something else like bulk symmetric encryption). Having said
+//      this, I also want to point out that it might be good idea
+//      to compile the whole toolkit (as well as majority of the
+//      programs for that matter) with -mfixed-range=f32-f127 command
+//      line option. No, it doesn't prevent the compiler from writing
+//      to upper bank, but at least discourages to do so. If you don't
+//      like the idea you have the option to compile the module with
+//      -Drum=nop.m in command line.
+//
+
+#if 1
+//
+// bn_[add|sub]_words routines.
+//
+// Loops are spinning in 2*(n+5) ticks on Itanuim (provided that the
+// data reside in L1 cache, i.e. 2 ticks away). It's possible to
+// compress the epilogue and get down to 2*n+6, but at the cost of
+// scalability (the neat feature of this implementation is that it
+// shall automagically spin in n+5 on "wider" IA-64 implementations:-)
+// I consider that the epilogue is short enough as it is to trade tiny
+// performance loss on Itanium for scalability.
+//
+// BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
+//
+.global bn_add_words#
+.proc   bn_add_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_add_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r35,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mib; sub             r10=r35,r0,1
+        mov             r3=ar.lc
+        brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
+                                        }
+        .body
+{ .mib; mov             r14=r32                 // rp
+        mov             r9=pr           };;
+{ .mii; mov             r15=r33                 // ap
+        mov             ar.lc=r10
+        mov             ar.ec=6         }
+{ .mib; mov             r16=r34                 // bp
+        mov             pr.rot=1<<16    };;
+
+.L_bn_add_words_ctop:
+{ .mii; (p16)   ld8             r32=[r16],8       // b=*(bp++)
+        (p18)   add             r39=r37,r34
+        (p19)   cmp.ltu.unc     p56,p0=r40,r38  }
+{ .mfb; (p0)    nop.m           0x0
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p16)   ld8             r35=[r15],8       // a=*(ap++)
+        (p58)   cmp.eq.or       p57,p0=-1,r41     // (p20)
+        (p58)   add             r41=1,r41       } // (p20)
+{ .mfb; (p21)   st8             [r14]=r42,8       // *(rp++)=r
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_add_words_ctop    };;
+.L_bn_add_words_cend:
+
+{ .mii;
+(p59)   add             r8=1,r8         // return value
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mbb; nop.b           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_add_words#
+
+//
+// BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
+//
+.global bn_sub_words#
+.proc   bn_sub_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_sub_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r35,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mib; sub             r10=r35,r0,1
+        mov             r3=ar.lc
+        brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
+                                        }
+        .body
+{ .mib; mov             r14=r32                 // rp
+        mov             r9=pr           };;
+{ .mii; mov             r15=r33                 // ap
+        mov             ar.lc=r10
+        mov             ar.ec=6         }
+{ .mib; mov             r16=r34                 // bp
+        mov             pr.rot=1<<16    };;
+
+.L_bn_sub_words_ctop:
+{ .mii; (p16)   ld8             r32=[r16],8       // b=*(bp++)
+        (p18)   sub             r39=r37,r34
+        (p19)   cmp.gtu.unc     p56,p0=r40,r38  }
+{ .mfb; (p0)    nop.m           0x0
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p16)   ld8             r35=[r15],8       // a=*(ap++)
+        (p58)   cmp.eq.or       p57,p0=0,r41      // (p20)
+        (p58)   add             r41=-1,r41      } // (p20)
+{ .mbb; (p21)   st8             [r14]=r42,8       // *(rp++)=r
+        (p0)    nop.b           0x0
+        br.ctop.sptk    .L_bn_sub_words_ctop    };;
+.L_bn_sub_words_cend:
+
+{ .mii;
+(p59)   add             r8=1,r8         // return value
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mbb; nop.b           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_sub_words#
+#endif
+
+#if 0
+#define XMA_TEMPTATION
+#endif
+
+#if 1
+//
+// BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+//
+.global bn_mul_words#
+.proc   bn_mul_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_mul_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+#ifdef XMA_TEMPTATION
+{ .mfi; alloc           r2=ar.pfs,4,0,0,0       };;
+#else
+{ .mfi; alloc           r2=ar.pfs,4,4,0,8       };;
+#endif
+{ .mib; mov             r8=r0                   // return value
+        cmp4.le         p6,p0=r34,r0
+(p6)    br.ret.spnt.many        b0              };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib; setf.sig        f8=r35  // w
+        mov             pr.rot=0x400001<<16
+                        // ------^----- serves as (p48) at first (p26)
+        brp.loop.imp    .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16
+                                        }
+
+#ifndef XMA_TEMPTATION
+
+{ .mii; mov             r14=r32 // rp
+        mov             r15=r33 // ap
+        mov             ar.lc=r10       }
+{ .mii; mov             r39=0   // serves as r33 at first (p26)
+        mov             ar.ec=12        };;
+
+// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2
+// cache (i.e. 9 ticks away) as floating point load/store instructions
+// bypass L1 cache and L2 latency is actually best-case scenario for
+// ldf8. The loop is not scalable and shall run in 2*(n+11) even on
+// "wider" IA-64 implementations. It's a trade-off here. n+22 loop
+// would give us ~5% in *overall* performance improvement on "wider"
+// IA-64, but would hurt Itanium for about same because of longer
+// epilogue. As it's a matter of few percents in either case I've
+// chosen to trade the scalability for development time (you can see
+// this very instruction sequence in bn_mul_add_words loop which in
+// turn is scalable).
+.L_bn_mul_words_ctop:
+{ .mfi; (p25)   getf.sig        r36=f49                 // low
+        (p21)   xmpy.lu         f45=f37,f8
+        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p21)   xmpy.hu         f38=f37,f8
+        (p0)    nop.i           0x0             };;
+{ .mii; (p26)   getf.sig        r32=f43                 // high
+        .pred.rel       "mutex",p48,p52
+        (p48)   add             r38=r37,r33             // (p26)
+        (p52)   add             r38=r37,r33,1   }       // (p26)
+{ .mfb; (p27)   st8             [r14]=r39,8
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_mul_words_ctop    };;
+.L_bn_mul_words_cend:
+
+{ .mii; nop.m           0x0
+.pred.rel       "mutex",p49,p53
+(p49)   add             r8=r34,r0
+(p53)   add             r8=r34,r0,1     }
+{ .mfb; nop.m   0x0
+        nop.f   0x0
+        nop.b   0x0                     }
+
+#else   // XMA_TEMPTATION
+
+        setf.sig        f37=r0  // serves as carry at (p18) tick
+        mov             ar.lc=r10
+        mov             ar.ec=5;;
+
+// Most of you examining this code very likely wonder why in the name
+// of Intel the following loop is commented out? Indeed, it looks so
+// neat that you find it hard to believe that it's something wrong
+// with it, right? The catch is that every iteration depends on the
+// result from previous one and the latter isn't available instantly.
+// The loop therefore spins at the latency of xma minus 1, or in other
+// words at 6*(n+4) ticks:-( Compare to the "production" loop above
+// that runs in 2*(n+11) where the low latency problem is worked around
+// by moving the dependency to one-tick latent interger ALU. Note that
+// "distance" between ldf8 and xma is not latency of ldf8, but the
+// *difference* between xma and ldf8 latencies.
+.L_bn_mul_words_ctop:
+{ .mfi; (p16)   ldf8            f32=[r33],8
+        (p18)   xma.hu          f38=f34,f8,f39  }
+{ .mfb; (p20)   stf8            [r32]=f37,8
+        (p18)   xma.lu          f35=f34,f8,f39
+        br.ctop.sptk    .L_bn_mul_words_ctop    };;
+.L_bn_mul_words_cend:
+
+        getf.sig        r8=f41          // the return value
+
+#endif  // XMA_TEMPTATION
+
+{ .mii; nop.m           0x0
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_words#
+#endif
+
+#if 1
+//
+// BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+//
+.global bn_mul_add_words#
+.proc   bn_mul_add_words#
+.align  64
+//.skip 0       // makes the loop split at 64-byte boundary
+bn_mul_add_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r34,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib; setf.sig        f8=r35  // w
+        mov             pr.rot=0x400001<<16
+                        // ------^----- serves as (p48) at first (p26)
+        brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
+                                        }
+{ .mii; mov             r14=r32 // rp
+        mov             r15=r33 // ap
+        mov             ar.lc=r10       }
+{ .mii; mov             r39=0   // serves as r33 at first (p26)
+        mov             r18=r32 // rp copy
+        mov             ar.ec=14        };;
+
+// This loop spins in 3*(n+13) ticks on Itanium and should spin in
+// 2*(n+13) on "wider" IA-64 implementations (to be verified with new
+// µ-architecture manuals as they become available). As usual it's
+// possible to compress the epilogue, down to 10 in this case, at the
+// cost of scalability. Compressed (and therefore non-scalable) loop
+// running at 3*(n+10) would buy you ~10% on Itanium but take ~35%
+// from "wider" IA-64 so let it be scalable! Special attention was
+// paid for having the loop body split at 64-byte boundary. ld8 is
+// scheduled for L1 cache as the data is more than likely there.
+// Indeed, bn_mul_words has put it there a moment ago:-)
+.L_bn_mul_add_words_ctop:
+{ .mfi; (p25)   getf.sig        r36=f49                 // low
+        (p21)   xmpy.lu         f45=f37,f8
+        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p21)   xmpy.hu         f38=f37,f8
+        (p27)   add             r43=r43,r39     };;
+{ .mii; (p26)   getf.sig        r32=f43                 // high
+        .pred.rel       "mutex",p48,p52
+        (p48)   add             r38=r37,r33             // (p26)
+        (p52)   add             r38=r37,r33,1   }       // (p26)
+{ .mfb; (p27)   cmp.ltu.unc     p56,p0=r43,r39
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p26)   ld8             r42=[r18],8
+        (p58)   cmp.eq.or       p57,p0=-1,r44
+        (p58)   add             r44=1,r44       }
+{ .mfb; (p29)   st8             [r14]=r45,8
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_mul_add_words_ctop};;
+.L_bn_mul_add_words_cend:
+
+{ .mii; nop.m           0x0
+.pred.rel       "mutex",p51,p55
+(p51)   add             r8=r36,r0
+(p55)   add             r8=r36,r0,1     }
+{ .mfb; nop.m   0x0
+        nop.f   0x0
+        nop.b   0x0                     };;
+{ .mii;
+(p59)   add             r8=1,r8
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_add_words#
+#endif
+
+#if 1
+//
+// void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num)
+//
+.global bn_sqr_words#
+.proc   bn_sqr_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary 
+bn_sqr_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,3,0,0,0
+        sxt4            r34=r34         };;
+{ .mii; cmp.le          p6,p0=r34,r0
+        mov             r8=r0           }       // return value
+{ .mfb; nop.f           0x0
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib;
+        mov             pr.rot=1<<16
+        brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
+                                        }
+{ .mii; add             r34=8,r32
+        mov             ar.lc=r10
+        mov             ar.ec=18        };;
+
+// 2*(n+17) on Itanium, (n+17) on "wider" IA-64 implementations. It's
+// possible to compress the epilogue (I'm getting tired to write this
+// comment over and over) and get down to 2*n+16 at the cost of
+// scalability. The decision will very likely be reconsidered after the
+// benchmark program is profiled. I.e. if perfomance gain on Itanium
+// will appear larger than loss on "wider" IA-64, then the loop should
+// be explicitely split and the epilogue compressed.
+.L_bn_sqr_words_ctop:
+{ .mfi; (p16)   ldf8            f32=[r33],8
+        (p25)   xmpy.lu         f42=f41,f41
+        (p0)    nop.i           0x0             }
+{ .mib; (p33)   stf8            [r32]=f50,16
+        (p0)    nop.i           0x0
+        (p0)    nop.b           0x0             }
+{ .mfi; (p0)    nop.m           0x0
+        (p25)   xmpy.hu         f52=f41,f41
+        (p0)    nop.i           0x0             }
+{ .mib; (p33)   stf8            [r34]=f60,16
+        (p0)    nop.i           0x0
+        br.ctop.sptk    .L_bn_sqr_words_ctop    };;
+.L_bn_sqr_words_cend:
+
+{ .mii; nop.m           0x0
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_sqr_words#
+#endif
+
+#if 1
+// Apparently we win nothing by implementing special bn_sqr_comba8.
+// Yes, it is possible to reduce the number of multiplications by
+// almost factor of two, but then the amount of additions would
+// increase by factor of two (as we would have to perform those
+// otherwise performed by xma ourselves). Normally we would trade
+// anyway as multiplications are way more expensive, but not this
+// time... Multiplication kernel is fully pipelined and as we drain
+// one 128-bit multiplication result per clock cycle multiplications
+// are effectively as inexpensive as additions. Special implementation
+// might become of interest for "wider" IA-64 implementation as you'll
+// be able to get through the multiplication phase faster (there won't
+// be any stall issues as discussed in the commentary section below and
+// you therefore will be able to employ all 4 FP units)... But these
+// Itanium days it's simply too hard to justify the effort so I just
+// drop down to bn_mul_comba8 code:-)
+//
+// void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+//
+.global bn_sqr_comba8#
+.proc   bn_sqr_comba8#
+.align  64
+bn_sqr_comba8:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        mov     r34=r33
+        add     r14=8,r33               };;
+        .body
+{ .mii; add     r17=8,r34
+        add     r15=16,r33
+        add     r18=16,r34              }
+{ .mfb; add     r16=24,r33
+        br      .L_cheat_entry_point8   };;
+.endp   bn_sqr_comba8#
+#endif
+
+#if 1
+// I've estimated this routine to run in ~120 ticks, but in reality
+// (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
+// cycles consumed for instructions fetch? Or did I misinterpret some
+// clause in Itanium µ-architecture manual? Comments are welcomed and
+// highly appreciated.
+//
+// However! It should be noted that even 160 ticks is darn good result
+// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
+// C version (compiled with gcc with inline assembler). I really
+// kicked compiler's butt here, didn't I? Yeah! This brings us to the
+// following statement. It's damn shame that this routine isn't called
+// very often nowadays! According to the profiler most CPU time is
+// consumed by bn_mul_add_words called from BN_from_montgomery. In
+// order to estimate what we're missing, I've compared the performance
+// of this routine against "traditional" implementation, i.e. against
+// following routine:
+//
+// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+// {    r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
+//      r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
+//      r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
+//      r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
+//      r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
+//      r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
+//      r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
+//      r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
+// }
+//
+// The one below is over 8 times faster than the one above:-( Even
+// more reasons to "combafy" bn_mul_add_mont...
+//
+// And yes, this routine really made me wish there were an optimizing
+// assembler! It also feels like it deserves a dedication.
+//
+//      To my wife for being there and to my kids...
+//
+// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+//
+#define carry1  r14
+#define carry2  r15
+#define carry3  r34
+.global bn_mul_comba8#
+.proc   bn_mul_comba8#
+.align  64
+bn_mul_comba8:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        add     r14=8,r33
+        add     r17=8,r34               }
+        .body
+{ .mii; add     r15=16,r33
+        add     r18=16,r34
+        add     r16=24,r33              }
+.L_cheat_entry_point8:
+{ .mmi; add     r19=24,r34
+
+        ldf8    f32=[r33],32            };;
+
+{ .mmi; ldf8    f120=[r34],32
+        ldf8    f121=[r17],32           }
+{ .mmi; ldf8    f122=[r18],32
+        ldf8    f123=[r19],32           };;
+{ .mmi; ldf8    f124=[r34]
+        ldf8    f125=[r17]              }
+{ .mmi; ldf8    f126=[r18]
+        ldf8    f127=[r19]              }
+
+{ .mmi; ldf8    f33=[r14],32
+        ldf8    f34=[r15],32            }
+{ .mmi; ldf8    f35=[r16],32;;
+        ldf8    f36=[r33]               }
+{ .mmi; ldf8    f37=[r14]
+        ldf8    f38=[r15]               }
+{ .mfi; ldf8    f39=[r16]
+// -------\ Entering multiplier's heaven /-------
+// ------------\                    /------------
+// -----------------\          /-----------------
+// ----------------------\/----------------------
+                xma.hu  f41=f32,f120,f0         }
+{ .mfi;         xma.lu  f40=f32,f120,f0         };; // (*)
+{ .mfi;         xma.hu  f51=f32,f121,f0         }
+{ .mfi;         xma.lu  f50=f32,f121,f0         };;
+{ .mfi;         xma.hu  f61=f32,f122,f0         }
+{ .mfi;         xma.lu  f60=f32,f122,f0         };;
+{ .mfi;         xma.hu  f71=f32,f123,f0         }
+{ .mfi;         xma.lu  f70=f32,f123,f0         };;
+{ .mfi;         xma.hu  f81=f32,f124,f0         }
+{ .mfi;         xma.lu  f80=f32,f124,f0         };;
+{ .mfi;         xma.hu  f91=f32,f125,f0         }
+{ .mfi;         xma.lu  f90=f32,f125,f0         };;
+{ .mfi;         xma.hu  f101=f32,f126,f0        }
+{ .mfi;         xma.lu  f100=f32,f126,f0        };;
+{ .mfi;         xma.hu  f111=f32,f127,f0        }
+{ .mfi;         xma.lu  f110=f32,f127,f0        };;//
+// (*)  You can argue that splitting at every second bundle would
+//      prevent "wider" IA-64 implementations from achieving the peak
+//      performance. Well, not really... The catch is that if you
+//      intend to keep 4 FP units busy by splitting at every fourth
+//      bundle and thus perform these 16 multiplications in 4 ticks,
+//      the first bundle *below* would stall because the result from
+//      the first xma bundle *above* won't be available for another 3
+//      ticks (if not more, being an optimist, I assume that "wider"
+//      implementation will have same latency:-). This stall will hold
+//      you back and the performance would be as if every second bundle
+//      were split *anyway*...
+{ .mfi; getf.sig        r16=f40
+                xma.hu  f42=f33,f120,f41
+        add             r33=8,r32               }
+{ .mfi;         xma.lu  f41=f33,f120,f41        };;
+{ .mfi; getf.sig        r24=f50
+                xma.hu  f52=f33,f121,f51        }
+{ .mfi;         xma.lu  f51=f33,f121,f51        };;
+{ .mfi; st8             [r32]=r16,16
+                xma.hu  f62=f33,f122,f61        }
+{ .mfi;         xma.lu  f61=f33,f122,f61        };;
+{ .mfi;         xma.hu  f72=f33,f123,f71        }
+{ .mfi;         xma.lu  f71=f33,f123,f71        };;
+{ .mfi;         xma.hu  f82=f33,f124,f81        }
+{ .mfi;         xma.lu  f81=f33,f124,f81        };;
+{ .mfi;         xma.hu  f92=f33,f125,f91        }
+{ .mfi;         xma.lu  f91=f33,f125,f91        };;
+{ .mfi;         xma.hu  f102=f33,f126,f101      }
+{ .mfi;         xma.lu  f101=f33,f126,f101      };;
+{ .mfi;         xma.hu  f112=f33,f127,f111      }
+{ .mfi;         xma.lu  f111=f33,f127,f111      };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r25=f41
+                xma.hu  f43=f34,f120,f42        }
+{ .mfi;         xma.lu  f42=f34,f120,f42        };;
+{ .mfi; getf.sig        r16=f60
+                xma.hu  f53=f34,f121,f52        }
+{ .mfi;         xma.lu  f52=f34,f121,f52        };;
+{ .mfi; getf.sig        r17=f51
+                xma.hu  f63=f34,f122,f62
+        add             r25=r25,r24             }
+{ .mfi;         xma.lu  f62=f34,f122,f62
+        mov             carry1=0                };;
+{ .mfi; cmp.ltu         p6,p0=r25,r24
+                xma.hu  f73=f34,f123,f72        }
+{ .mfi;         xma.lu  f72=f34,f123,f72        };;
+{ .mfi; st8             [r33]=r25,16
+                xma.hu  f83=f34,f124,f82
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f82=f34,f124,f82        };;
+{ .mfi;         xma.hu  f93=f34,f125,f92        }
+{ .mfi;         xma.lu  f92=f34,f125,f92        };;
+{ .mfi;         xma.hu  f103=f34,f126,f102      }
+{ .mfi;         xma.lu  f102=f34,f126,f102      };;
+{ .mfi;         xma.hu  f113=f34,f127,f112      }
+{ .mfi;         xma.lu  f112=f34,f127,f112      };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r18=f42
+                xma.hu  f44=f35,f120,f43
+        add             r17=r17,r16             }
+{ .mfi;         xma.lu  f43=f35,f120,f43        };;
+{ .mfi; getf.sig        r24=f70
+                xma.hu  f54=f35,f121,f53        }
+{ .mfi; mov             carry2=0
+                xma.lu  f53=f35,f121,f53        };;
+{ .mfi; getf.sig        r25=f61
+                xma.hu  f64=f35,f122,f63
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi; add             r18=r18,r17
+                xma.lu  f63=f35,f122,f63        };;
+{ .mfi; getf.sig        r26=f52
+                xma.hu  f74=f35,f123,f73
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f73=f35,f123,f73
+        add             r18=r18,carry1          };;
+{ .mfi;
+                xma.hu  f84=f35,f124,f83
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,carry1
+                xma.lu  f83=f35,f124,f83        };;
+{ .mfi; st8             [r32]=r18,16
+                xma.hu  f94=f35,f125,f93
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f93=f35,f125,f93        };;
+{ .mfi;         xma.hu  f104=f35,f126,f103      }
+{ .mfi;         xma.lu  f103=f35,f126,f103      };;
+{ .mfi;         xma.hu  f114=f35,f127,f113      }
+{ .mfi; mov             carry1=0
+                xma.lu  f113=f35,f127,f113
+        add             r25=r25,r24             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r27=f43
+                xma.hu  f45=f36,f120,f44
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f44=f36,f120,f44        
+        add             r26=r26,r25             };;
+{ .mfi; getf.sig        r16=f80
+                xma.hu  f55=f36,f121,f54
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f54=f36,f121,f54        };;
+{ .mfi; getf.sig        r17=f71
+                xma.hu  f65=f36,f122,f64
+        cmp.ltu         p6,p0=r26,r25           }
+{ .mfi;         xma.lu  f64=f36,f122,f64
+        add             r27=r27,r26             };;
+{ .mfi; getf.sig        r18=f62
+                xma.hu  f75=f36,f123,f74
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r27,r26
+                xma.lu  f74=f36,f123,f74
+        add             r27=r27,carry2          };;
+{ .mfi; getf.sig        r19=f53
+                xma.hu  f85=f36,f124,f84
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f84=f36,f124,f84
+        cmp.ltu         p6,p0=r27,carry2        };;
+{ .mfi; st8             [r33]=r27,16
+                xma.hu  f95=f36,f125,f94
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f94=f36,f125,f94        };;
+{ .mfi;         xma.hu  f105=f36,f126,f104      }
+{ .mfi; mov             carry2=0
+                xma.lu  f104=f36,f126,f104
+        add             r17=r17,r16             };;
+{ .mfi;         xma.hu  f115=f36,f127,f114
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f114=f36,f127,f114
+        add             r18=r18,r17             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r20=f44
+                xma.hu  f46=f37,f120,f45
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f45=f37,f120,f45
+        add             r19=r19,r18             };;
+{ .mfi; getf.sig        r24=f90
+                xma.hu  f56=f37,f121,f55        }
+{ .mfi;         xma.lu  f55=f37,f121,f55        };;
+{ .mfi; getf.sig        r25=f81
+                xma.hu  f66=f37,f122,f65
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r19,r18
+                xma.lu  f65=f37,f122,f65
+        add             r20=r20,r19             };;
+{ .mfi; getf.sig        r26=f72
+                xma.hu  f76=f37,f123,f75
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r20,r19
+                xma.lu  f75=f37,f123,f75
+        add             r20=r20,carry1          };;
+{ .mfi; getf.sig        r27=f63
+                xma.hu  f86=f37,f124,f85
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f85=f37,f124,f85
+        cmp.ltu         p7,p0=r20,carry1        };;
+{ .mfi; getf.sig        r28=f54
+                xma.hu  f96=f37,f125,f95
+(p7)    add             carry2=1,carry2         }
+{ .mfi; st8             [r32]=r20,16
+                xma.lu  f95=f37,f125,f95        };;
+{ .mfi;         xma.hu  f106=f37,f126,f105      }
+{ .mfi; mov             carry1=0
+                xma.lu  f105=f37,f126,f105
+        add             r25=r25,r24             };;
+{ .mfi;         xma.hu  f116=f37,f127,f115
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f115=f37,f127,f115
+        add             r26=r26,r25             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r29=f45
+                xma.hu  f47=f38,f120,f46
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r26,r25
+                xma.lu  f46=f38,f120,f46
+        add             r27=r27,r26             };;
+{ .mfi; getf.sig        r16=f100
+                xma.hu  f57=f38,f121,f56
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r27,r26
+                xma.lu  f56=f38,f121,f56
+        add             r28=r28,r27             };;
+{ .mfi; getf.sig        r17=f91
+                xma.hu  f67=f38,f122,f66
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r28,r27
+                xma.lu  f66=f38,f122,f66
+        add             r29=r29,r28             };;
+{ .mfi; getf.sig        r18=f82
+                xma.hu  f77=f38,f123,f76
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r29,r28
+                xma.lu  f76=f38,f123,f76
+        add             r29=r29,carry2          };;
+{ .mfi; getf.sig        r19=f73
+                xma.hu  f87=f38,f124,f86
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f86=f38,f124,f86
+        cmp.ltu         p6,p0=r29,carry2        };;
+{ .mfi; getf.sig        r20=f64
+                xma.hu  f97=f38,f125,f96
+(p6)    add             carry1=1,carry1         }
+{ .mfi; st8             [r33]=r29,16
+                xma.lu  f96=f38,f125,f96        };;
+{ .mfi; getf.sig        r21=f55
+                xma.hu  f107=f38,f126,f106      }
+{ .mfi; mov             carry2=0
+                xma.lu  f106=f38,f126,f106
+        add             r17=r17,r16             };;
+{ .mfi;         xma.hu  f117=f38,f127,f116
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f116=f38,f127,f116
+        add             r18=r18,r17             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r22=f46
+                xma.hu  f48=f39,f120,f47
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f47=f39,f120,f47
+        add             r19=r19,r18             };;
+{ .mfi; getf.sig        r24=f110
+                xma.hu  f58=f39,f121,f57
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r19,r18
+                xma.lu  f57=f39,f121,f57
+        add             r20=r20,r19             };;
+{ .mfi; getf.sig        r25=f101
+                xma.hu  f68=f39,f122,f67
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r20,r19
+                xma.lu  f67=f39,f122,f67
+        add             r21=r21,r20             };;
+{ .mfi; getf.sig        r26=f92
+                xma.hu  f78=f39,f123,f77
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r21,r20
+                xma.lu  f77=f39,f123,f77
+        add             r22=r22,r21             };;
+{ .mfi; getf.sig        r27=f83
+                xma.hu  f88=f39,f124,f87
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r22,r21
+                xma.lu  f87=f39,f124,f87
+        add             r22=r22,carry1          };;
+{ .mfi; getf.sig        r28=f74
+                xma.hu  f98=f39,f125,f97
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f97=f39,f125,f97
+        cmp.ltu         p7,p0=r22,carry1        };;
+{ .mfi; getf.sig        r29=f65
+                xma.hu  f108=f39,f126,f107
+(p7)    add             carry2=1,carry2         }
+{ .mfi; st8             [r32]=r22,16
+                xma.lu  f107=f39,f126,f107      };;
+{ .mfi; getf.sig        r30=f56
+                xma.hu  f118=f39,f127,f117      }
+{ .mfi;         xma.lu  f117=f39,f127,f117      };;//
+//-------------------------------------------------//
+// Leaving muliplier's heaven... Quite a ride, huh?
+
+{ .mii; getf.sig        r31=f47
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r16=f111
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r17=f102        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mii;         getf.sig        r18=f93
+                add             r17=r17,r16
+                mov             carry3=0        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r29=r29,r28             };;
+{ .mii;         getf.sig        r19=f84
+                cmp.ltu         p7,p0=r17,r16   }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r29,r28
+        add             r30=r30,r29             };;
+{ .mii;         getf.sig        r20=f75
+                add             r18=r18,r17     }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,r29
+        add             r31=r31,r30             };;
+{ .mfb;         getf.sig        r21=f66         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     }
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r31,r30
+        add             r31=r31,carry2          };;
+{ .mfb;         getf.sig        r22=f57         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r19,r18
+                add             r20=r20,r19     }
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r31,carry2        };;
+{ .mfb;         getf.sig        r23=f48         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r20,r19
+                add             r21=r21,r20     }
+{ .mii;
+(p6)    add             carry1=1,carry1         }
+{ .mfb; st8             [r33]=r31,16            };;
+
+{ .mfb; getf.sig        r24=f112                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r21,r20
+                add             r22=r22,r21     };;
+{ .mfb; getf.sig        r25=f103                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r22,r21
+                add             r23=r23,r22     };;
+{ .mfb; getf.sig        r26=f94                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r23,r22
+                add             r23=r23,carry1  };;
+{ .mfb; getf.sig        r27=f85                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p8=r23,carry1};;
+{ .mii; getf.sig        r28=f76
+        add             r25=r25,r24
+        mov             carry1=0                }
+{ .mii;         st8             [r32]=r23,16
+        (p7)    add             carry2=1,carry3
+        (p8)    add             carry2=0,carry3 };;
+
+{ .mfb; nop.m   0x0                             }
+{ .mii; getf.sig        r29=f67
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb; getf.sig        r30=f58                 }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb;         getf.sig        r16=f113        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mfb;         getf.sig        r17=f104        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r29=r29,r28             };;
+{ .mfb;         getf.sig        r18=f95         }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r29,r28
+        add             r30=r30,r29             };;
+{ .mii;         getf.sig        r19=f86
+                add             r17=r17,r16
+                mov             carry3=0        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,r29
+        add             r30=r30,carry2          };;
+{ .mii;         getf.sig        r20=f77
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,carry2        };;
+{ .mfb;         getf.sig        r21=f68         }
+{ .mii; st8             [r33]=r30,16
+(p6)    add             carry1=1,carry1         };;
+
+{ .mfb; getf.sig        r24=f114                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mfb; getf.sig        r25=f105                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r19,r18
+                add             r20=r20,r19     };;
+{ .mfb; getf.sig        r26=f96                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r20,r19
+                add             r21=r21,r20     };;
+{ .mfb; getf.sig        r27=f87                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r21,r20
+                add             r21=r21,carry1  };;
+{ .mib; getf.sig        r28=f78                 
+        add             r25=r25,r24             }
+{ .mib; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p8=r21,carry1};;
+{ .mii;         st8             [r32]=r21,16
+        (p7)    add             carry2=1,carry3
+        (p8)    add             carry2=0,carry3 }
+
+{ .mii; mov             carry1=0
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r16=f115        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb;         getf.sig        r17=f106        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mfb;         getf.sig        r18=f97         }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r28=r28,carry2          };;
+{ .mib;         getf.sig        r19=f88
+                add             r17=r17,r16     }
+{ .mib;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,carry2        };;
+{ .mii; st8             [r33]=r28,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii;         mov             carry2=0
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     };;
+{ .mfb; getf.sig        r24=f116                }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mfb; getf.sig        r25=f107                }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,r18
+                add             r19=r19,carry1  };;
+{ .mfb; getf.sig        r26=f98                 }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,carry1};;
+{ .mii;         st8             [r32]=r19,16
+        (p7)    add             carry2=1,carry2 }
+
+{ .mfb; add             r25=r25,r24             };;
+
+{ .mfb;         getf.sig        r16=f117        }
+{ .mii; mov             carry1=0
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r17=f108        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r26=r26,carry2          };;
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,carry2        };;
+{ .mii; st8             [r33]=r26,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mfb;         add             r17=r17,r16     };;
+{ .mfb; getf.sig        r24=f118                }
+{ .mii;         mov             carry2=0
+                cmp.ltu         p7,p0=r17,r16
+                add             r17=r17,carry1  };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r17,carry1};;
+{ .mii;         st8             [r32]=r17
+        (p7)    add             carry2=1,carry2 };;
+{ .mfb; add             r24=r24,carry2          };;
+{ .mib; st8             [r33]=r24               }
+
+{ .mib; rum             1<<5            // clear um.mfh
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_comba8#
+#undef  carry3
+#undef  carry2
+#undef  carry1
+#endif
+
+#if 1
+// It's possible to make it faster (see comment to bn_sqr_comba8), but
+// I reckon it doesn't worth the effort. Basically because the routine
+// (actually both of them) practically never called... So I just play
+// same trick as with bn_sqr_comba8.
+//
+// void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+//
+.global bn_sqr_comba4#
+.proc   bn_sqr_comba4#
+.align  64
+bn_sqr_comba4:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        mov     r34=r33
+        add     r14=8,r33               };;
+        .body
+{ .mii; add     r17=8,r34
+        add     r15=16,r33
+        add     r18=16,r34              }
+{ .mfb; add     r16=24,r33
+        br      .L_cheat_entry_point4   };;
+.endp   bn_sqr_comba4#
+#endif
+
+#if 1
+// Runs in ~115 cycles and ~4.5 times faster than C. Well, whatever...
+//
+// void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+//
+#define carry1  r14
+#define carry2  r15
+.global bn_mul_comba4#
+.proc   bn_mul_comba4#
+.align  64
+bn_mul_comba4:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        add     r14=8,r33
+        add     r17=8,r34               }
+        .body
+{ .mii; add     r15=16,r33
+        add     r18=16,r34
+        add     r16=24,r33              };;
+.L_cheat_entry_point4:
+{ .mmi; add     r19=24,r34
+
+        ldf8    f32=[r33]               }
+
+{ .mmi; ldf8    f120=[r34]
+        ldf8    f121=[r17]              };;
+{ .mmi; ldf8    f122=[r18]
+        ldf8    f123=[r19]              }
+
+{ .mmi; ldf8    f33=[r14]
+        ldf8    f34=[r15]               }
+{ .mfi; ldf8    f35=[r16]
+
+                xma.hu  f41=f32,f120,f0         }
+{ .mfi;         xma.lu  f40=f32,f120,f0         };;
+{ .mfi;         xma.hu  f51=f32,f121,f0         }
+{ .mfi;         xma.lu  f50=f32,f121,f0         };;
+{ .mfi;         xma.hu  f61=f32,f122,f0         }
+{ .mfi;         xma.lu  f60=f32,f122,f0         };;
+{ .mfi;         xma.hu  f71=f32,f123,f0         }
+{ .mfi;         xma.lu  f70=f32,f123,f0         };;//
+// Major stall takes place here, and 3 more places below. Result from
+// first xma is not available for another 3 ticks.
+{ .mfi; getf.sig        r16=f40
+                xma.hu  f42=f33,f120,f41
+        add             r33=8,r32               }
+{ .mfi;         xma.lu  f41=f33,f120,f41        };;
+{ .mfi; getf.sig        r24=f50
+                xma.hu  f52=f33,f121,f51        }
+{ .mfi;         xma.lu  f51=f33,f121,f51        };;
+{ .mfi; st8             [r32]=r16,16
+                xma.hu  f62=f33,f122,f61        }
+{ .mfi;         xma.lu  f61=f33,f122,f61        };;
+{ .mfi;         xma.hu  f72=f33,f123,f71        }
+{ .mfi;         xma.lu  f71=f33,f123,f71        };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r25=f41
+                xma.hu  f43=f34,f120,f42        }
+{ .mfi;         xma.lu  f42=f34,f120,f42        };;
+{ .mfi; getf.sig        r16=f60
+                xma.hu  f53=f34,f121,f52        }
+{ .mfi;         xma.lu  f52=f34,f121,f52        };;
+{ .mfi; getf.sig        r17=f51
+                xma.hu  f63=f34,f122,f62
+        add             r25=r25,r24             }
+{ .mfi; mov             carry1=0
+                xma.lu  f62=f34,f122,f62        };;
+{ .mfi; st8             [r33]=r25,16
+                xma.hu  f73=f34,f123,f72
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f72=f34,f123,f72        };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r18=f42
+                xma.hu  f44=f35,f120,f43
+(p6)    add             carry1=1,carry1         }
+{ .mfi; add             r17=r17,r16
+                xma.lu  f43=f35,f120,f43
+        mov             carry2=0                };;
+{ .mfi; getf.sig        r24=f70
+                xma.hu  f54=f35,f121,f53
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f53=f35,f121,f53        };;
+{ .mfi; getf.sig        r25=f61
+                xma.hu  f64=f35,f122,f63
+        add             r18=r18,r17             }
+{ .mfi;         xma.lu  f63=f35,f122,f63
+(p7)    add             carry2=1,carry2         };;
+{ .mfi; getf.sig        r26=f52
+                xma.hu  f74=f35,f123,f73
+        cmp.ltu         p7,p0=r18,r17           }
+{ .mfi;         xma.lu  f73=f35,f123,f73
+        add             r18=r18,carry1          };;
+//-------------------------------------------------//
+{ .mii; st8             [r32]=r18,16
+(p7)    add             carry2=1,carry2
+        cmp.ltu         p7,p0=r18,carry1        };;
+
+{ .mfi; getf.sig        r27=f43 // last major stall
+(p7)    add             carry2=1,carry2         };;
+{ .mii;         getf.sig        r16=f71
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r17=f62 
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r27=r27,carry2          };;
+{ .mii;         getf.sig        r18=f53
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,carry2        };;
+{ .mfi; st8             [r33]=r27,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii;         getf.sig        r19=f44
+                add             r17=r17,r16
+                mov             carry2=0        };;
+{ .mii; getf.sig        r24=f72
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,r18
+                add             r19=r19,carry1  };;
+{ .mii; getf.sig        r25=f63
+        (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,carry1};;
+{ .mii;         st8             [r32]=r19,16
+        (p7)    add             carry2=1,carry2 }
+
+{ .mii; getf.sig        r26=f54
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r16=f73
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r26=r26,carry2          };;
+{ .mii;         getf.sig        r17=f64
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,carry2        };;
+{ .mii; st8             [r33]=r26,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii; getf.sig        r24=f74
+                add             r17=r17,r16     
+                mov             carry2=0        };;
+{ .mii;         cmp.ltu         p7,p0=r17,r16
+                add             r17=r17,carry1  };;
+
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r17,carry1};;
+{ .mii;         st8             [r32]=r17,16
+        (p7)    add             carry2=1,carry2 };;
+
+{ .mii; add             r24=r24,carry2          };;
+{ .mii; st8             [r33]=r24               }
+
+{ .mib; rum             1<<5            // clear um.mfh
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_comba4#
+#undef  carry2
+#undef  carry1
+#endif
+
+#if 1
+//
+// BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+//
+// In the nutshell it's a port of my MIPS III/IV implementation.
+//
+#define AT      r14
+#define H       r16
+#define HH      r20
+#define L       r17
+#define D       r18
+#define DH      r22
+#define I       r21
+
+#if 0
+// Some preprocessors (most notably HP-UX) apper to be allergic to
+// macros enclosed to parenthesis as these three will be.
+#define cont    p16
+#define break   p0      // p20
+#define equ     p24
+#else
+cont=p16
+break=p0
+equ=p24
+#endif
+
+.global abort#
+.global bn_div_words#
+.proc   bn_div_words#
+.align  64
+bn_div_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+        .save   b0,r3
+{ .mii; alloc           r2=ar.pfs,3,5,0,8
+        mov             r3=b0
+        mov             r10=pr          };;
+{ .mmb; cmp.eq          p6,p0=r34,r0
+        mov             r8=-1
+(p6)    br.ret.spnt.many        b0      };;
+
+        .body
+{ .mii; mov             H=r32           // save h
+        mov             ar.ec=0         // don't rotate at exit
+        mov             pr.rot=0        }
+{ .mii; mov             L=r33           // save l
+        mov             r36=r0          };;
+
+.L_divw_shift:  // -vv- note signed comparison
+{ .mfi; (p0)    cmp.lt          p16,p0=r0,r34   // d
+        (p0)    shladd          r33=r34,1,r0    }
+{ .mfb; (p0)    add             r35=1,r36
+        (p0)    nop.f           0x0
+(p16)   br.wtop.dpnt            .L_divw_shift   };;
+
+{ .mii; mov             D=r34
+        shr.u           DH=r34,32
+        sub             r35=64,r36              };;
+{ .mii; setf.sig        f7=DH
+        shr.u           AT=H,r35
+        mov             I=r36                   };;
+{ .mib; cmp.ne          p6,p0=r0,AT
+        shl             H=H,r36
+(p6)    br.call.spnt.clr        b0=abort        };;     // overflow, die...
+
+{ .mfi; fcvt.xuf.s1     f7=f7
+        shr.u           AT=L,r35                };;
+{ .mii; shl             L=L,r36
+        or              H=H,AT                  };;
+
+{ .mii; nop.m           0x0
+        cmp.leu         p6,p0=D,H;;
+(p6)    sub             H=H,D                   }
+
+{ .mlx; setf.sig        f14=D
+        movl            AT=0xffffffff           };;
+///////////////////////////////////////////////////////////
+{ .mii; setf.sig        f6=H
+        shr.u           HH=H,32;;
+        cmp.eq          p6,p7=HH,DH             };;
+{ .mfb;
+(p6)    setf.sig        f8=AT
+(p7)    fcvt.xuf.s1     f6=f6
+(p7)    br.call.sptk    b6=.L_udiv64_32_b6      };;
+
+{ .mfi; getf.sig        r33=f8                          // q
+        xmpy.lu         f9=f8,f14               }
+{ .mfi; xmpy.hu         f10=f8,f14
+        shrp            H=H,L,32                };;
+
+{ .mmi; getf.sig        r35=f9                          // tl
+        getf.sig        r31=f10                 };;     // th
+
+.L_divw_1st_iter:
+{ .mii; (p0)    add             r32=-1,r33
+        (p0)    cmp.eq          equ,cont=HH,r31         };;
+{ .mii; (p0)    cmp.ltu         p8,p0=r35,D
+        (p0)    sub             r34=r35,D
+        (equ)   cmp.leu         break,cont=r35,H        };;
+{ .mib; (cont)  cmp.leu         cont,break=HH,r31
+        (p8)    add             r31=-1,r31
+(cont)  br.wtop.spnt            .L_divw_1st_iter        };;
+///////////////////////////////////////////////////////////
+{ .mii; sub             H=H,r35
+        shl             r8=r33,32
+        shl             L=L,32                  };;
+///////////////////////////////////////////////////////////
+{ .mii; setf.sig        f6=H
+        shr.u           HH=H,32;;
+        cmp.eq          p6,p7=HH,DH             };;
+{ .mfb;
+(p6)    setf.sig        f8=AT
+(p7)    fcvt.xuf.s1     f6=f6
+(p7)    br.call.sptk    b6=.L_udiv64_32_b6      };;
+
+{ .mfi; getf.sig        r33=f8                          // q
+        xmpy.lu         f9=f8,f14               }
+{ .mfi; xmpy.hu         f10=f8,f14
+        shrp            H=H,L,32                };;
+
+{ .mmi; getf.sig        r35=f9                          // tl
+        getf.sig        r31=f10                 };;     // th
+
+.L_divw_2nd_iter:
+{ .mii; (p0)    add             r32=-1,r33
+        (p0)    cmp.eq          equ,cont=HH,r31         };;
+{ .mii; (p0)    cmp.ltu         p8,p0=r35,D
+        (p0)    sub             r34=r35,D
+        (equ)   cmp.leu         break,cont=r35,H        };;
+{ .mib; (cont)  cmp.leu         cont,break=HH,r31
+        (p8)    add             r31=-1,r31
+(cont)  br.wtop.spnt            .L_divw_2nd_iter        };;
+///////////////////////////////////////////////////////////
+{ .mii; sub     H=H,r35
+        or      r8=r8,r33
+        mov     ar.pfs=r2               };;
+{ .mii; shr.u   r9=H,I                  // remainder if anybody wants it
+        mov     pr=r10,-1               }
+{ .mfb; br.ret.sptk.many        b0      };;
+
+// Unsigned 64 by 32 (well, by 64 for the moment) bit integer division
+// procedure.
+//
+// inputs:      f6 = (double)a, f7 = (double)b
+// output:      f8 = (int)(a/b)
+// clobbered:   f8,f9,f10,f11,pred
+pred=p15
+// This procedure is essentially Intel code and therefore is
+// copyrighted to Intel Corporation (I suppose...). It's sligtly
+// modified for specific needs.
+.align  32
+.skip   16
+.L_udiv64_32_b6:
+        frcpa.s1        f8,pred=f6,f7;;         // [0]  y0 = 1 / b
+
+(pred)  fnma.s1         f9=f7,f8,f1             // [5]  e0 = 1 - b * y0
+(pred)  fmpy.s1         f10=f6,f8;;             // [5]  q0 = a * y0
+(pred)  fmpy.s1         f11=f9,f9               // [10] e1 = e0 * e0
+(pred)  fma.s1          f10=f9,f10,f10;;        // [10] q1 = q0 + e0 * q0
+(pred)  fma.s1          f8=f9,f8,f8     //;;    // [15] y1 = y0 + e0 * y0
+(pred)  fma.s1          f9=f11,f10,f10;;        // [15] q2 = q1 + e1 * q1
+(pred)  fma.s1          f8=f11,f8,f8    //;;    // [20] y2 = y1 + e1 * y1
+(pred)  fnma.s1         f10=f7,f9,f6;;          // [20] r2 = a - b * q2
+(pred)  fma.s1          f8=f10,f8,f9;;          // [25] q3 = q2 + r2 * y2
+
+        fcvt.fxu.trunc.s1       f8=f8           // [30] q = trunc(q3)
+        br.ret.sptk.many        b6;;
+.endp   bn_div_words#
+#endif
diff --git a/src/lib/libcrypto/bn/asm/pa-risc2W.s b/src/lib/libcrypto/bn/asm/pa-risc2W.s
new file mode 100644
index 0000000000..54b6606252
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/pa-risc2W.s
@@ -0,0 +1,1605 @@
+;
+; PA-RISC 64-bit implementation of bn_asm code
+;
+; This code is approximately 2x faster than the C version
+; for RSA/DSA.
+;
+; See http://devresource.hp.com/  for more details on the PA-RISC
+; architecture.  Also see the book "PA-RISC 2.0 Architecture"
+; by Gerry Kane for information on the instruction set architecture.
+;
+; Code written by Chris Ruemmler (with some help from the HP C
+; compiler).
+;
+; The code compiles with HP's assembler
+;
+
+        .level  2.0W
+        .space  $TEXT$
+        .subspa $CODE$,QUAD=0,ALIGN=8,ACCESS=0x2c,CODE_ONLY
+
+;
+; Global Register definitions used for the routines.
+;
+; Some information about HP's runtime architecture for 64-bits.
+;
+; "Caller save" means the calling function must save the register
+; if it wants the register to be preserved.
+; "Callee save" means if a function uses the register, it must save
+; the value before using it.
+;
+; For the floating point registers 
+;
+;    "caller save" registers: fr4-fr11, fr22-fr31
+;    "callee save" registers: fr12-fr21
+;    "special" registers: fr0-fr3 (status and exception registers)
+;
+; For the integer registers
+;     value zero             :  r0
+;     "caller save" registers: r1,r19-r26
+;     "callee save" registers: r3-r18
+;     return register        :  r2  (rp)
+;     return values          ; r28  (ret0,ret1)
+;     Stack pointer          ; r30  (sp) 
+;     global data pointer    ; r27  (dp)
+;     argument pointer       ; r29  (ap)
+;     millicode return ptr   ; r31  (also a caller save register)
+
+
+;
+; Arguments to the routines
+;
+r_ptr       .reg %r26
+a_ptr       .reg %r25
+b_ptr       .reg %r24
+num         .reg %r24
+w           .reg %r23
+n           .reg %r23
+
+
+;
+; Globals used in some routines
+;
+
+top_overflow .reg %r29
+high_mask    .reg %r22    ; value 0xffffffff80000000L
+
+
+;------------------------------------------------------------------------------
+;
+; bn_mul_add_words
+;
+;BN_ULONG bn_mul_add_words(BN_ULONG *r_ptr, BN_ULONG *a_ptr, 
+;                                                               int num, BN_ULONG w)
+;
+; arg0 = r_ptr
+; arg1 = a_ptr
+; arg2 = num
+; arg3 = w
+;
+; Local register definitions
+;
+
+fm1          .reg %fr22
+fm           .reg %fr23
+ht_temp      .reg %fr24
+ht_temp_1    .reg %fr25
+lt_temp      .reg %fr26
+lt_temp_1    .reg %fr27
+fm1_1        .reg %fr28
+fm_1         .reg %fr29
+
+fw_h         .reg %fr7L
+fw_l         .reg %fr7R
+fw           .reg %fr7
+
+fht_0        .reg %fr8L
+flt_0        .reg %fr8R
+t_float_0    .reg %fr8
+
+fht_1        .reg %fr9L
+flt_1        .reg %fr9R
+t_float_1    .reg %fr9
+
+tmp_0        .reg %r31
+tmp_1        .reg %r21
+m_0          .reg %r20 
+m_1          .reg %r19 
+ht_0         .reg %r1  
+ht_1         .reg %r3
+lt_0         .reg %r4
+lt_1         .reg %r5
+m1_0         .reg %r6 
+m1_1         .reg %r7 
+rp_val       .reg %r8
+rp_val_1     .reg %r9
+
+bn_mul_add_words
+        .export bn_mul_add_words,entry,NO_RELOCATION,LONG_RETURN
+        .proc
+        .callinfo frame=128
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3  
+    STD     %r4,8(%sp)          ; save r4  
+        NOP                         ; Needed to make the loop 16-byte aligned
+        NOP                         ; Needed to make the loop 16-byte aligned
+
+    STD     %r5,16(%sp)         ; save r5  
+    STD     %r6,24(%sp)         ; save r6  
+    STD     %r7,32(%sp)         ; save r7  
+    STD     %r8,40(%sp)         ; save r8  
+
+    STD     %r9,48(%sp)         ; save r9  
+    COPY    %r0,%ret0           ; return 0 by default
+    DEPDI,Z 1,31,1,top_overflow ; top_overflow = 1 << 32    
+        STD     w,56(%sp)           ; store w on stack
+
+    CMPIB,>= 0,num,bn_mul_add_words_exit  ; if (num <= 0) then exit
+        LDO     128(%sp),%sp       ; bump stack
+
+        ;
+        ; The loop is unrolled twice, so if there is only 1 number
+    ; then go straight to the cleanup code.
+        ;
+        CMPIB,= 1,num,bn_mul_add_words_single_top
+        FLDD    -72(%sp),fw     ; load up w into fp register fw (fw_h/fw_l)
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+        ; PA-RISC 2.0 chips have two fully pipelined multipliers, thus
+    ; two 32-bit mutiplies can be issued per cycle.
+    ; 
+bn_mul_add_words_unroll2
+
+    FLDD    0(a_ptr),t_float_0       ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    FLDD    8(a_ptr),t_float_1       ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    LDD     0(r_ptr),rp_val          ; rp[0]
+    LDD     8(r_ptr),rp_val_1        ; rp[1]
+
+    XMPYU   fht_0,fw_l,fm1           ; m1[0] = fht_0*fw_l
+    XMPYU   fht_1,fw_l,fm1_1         ; m1[1] = fht_1*fw_l
+    FSTD    fm1,-16(%sp)             ; -16(sp) = m1[0]
+    FSTD    fm1_1,-48(%sp)           ; -48(sp) = m1[1]
+
+    XMPYU   flt_0,fw_h,fm            ; m[0] = flt_0*fw_h
+    XMPYU   flt_1,fw_h,fm_1          ; m[1] = flt_1*fw_h
+    FSTD    fm,-8(%sp)               ; -8(sp) = m[0]
+    FSTD    fm_1,-40(%sp)            ; -40(sp) = m[1]
+
+    XMPYU   fht_0,fw_h,ht_temp       ; ht_temp   = fht_0*fw_h
+    XMPYU   fht_1,fw_h,ht_temp_1     ; ht_temp_1 = fht_1*fw_h
+    FSTD    ht_temp,-24(%sp)         ; -24(sp)   = ht_temp
+    FSTD    ht_temp_1,-56(%sp)       ; -56(sp)   = ht_temp_1
+
+    XMPYU   flt_0,fw_l,lt_temp       ; lt_temp = lt*fw_l
+    XMPYU   flt_1,fw_l,lt_temp_1     ; lt_temp = lt*fw_l
+    FSTD    lt_temp,-32(%sp)         ; -32(sp) = lt_temp 
+    FSTD    lt_temp_1,-64(%sp)       ; -64(sp) = lt_temp_1 
+
+    LDD     -8(%sp),m_0              ; m[0] 
+    LDD     -40(%sp),m_1             ; m[1]
+    LDD     -16(%sp),m1_0            ; m1[0]
+    LDD     -48(%sp),m1_1            ; m1[1]
+
+    LDD     -24(%sp),ht_0            ; ht[0]
+    LDD     -56(%sp),ht_1            ; ht[1]
+    ADD,L   m1_0,m_0,tmp_0           ; tmp_0 = m[0] + m1[0]; 
+    ADD,L   m1_1,m_1,tmp_1           ; tmp_1 = m[1] + m1[1]; 
+
+    LDD     -32(%sp),lt_0            
+    LDD     -64(%sp),lt_1            
+    CMPCLR,*>>= tmp_0,m1_0, %r0      ; if (m[0] < m1[0])
+    ADD,L   ht_0,top_overflow,ht_0   ; ht[0] += (1<<32)
+
+    CMPCLR,*>>= tmp_1,m1_1,%r0       ; if (m[1] < m1[1])
+    ADD,L   ht_1,top_overflow,ht_1   ; ht[1] += (1<<32)
+    EXTRD,U tmp_0,31,32,m_0          ; m[0]>>32  
+    DEPD,Z  tmp_0,31,32,m1_0         ; m1[0] = m[0]<<32 
+
+    EXTRD,U tmp_1,31,32,m_1          ; m[1]>>32  
+    DEPD,Z  tmp_1,31,32,m1_1         ; m1[1] = m[1]<<32 
+    ADD,L   ht_0,m_0,ht_0            ; ht[0]+= (m[0]>>32)
+    ADD,L   ht_1,m_1,ht_1            ; ht[1]+= (m[1]>>32)
+
+    ADD     lt_0,m1_0,lt_0           ; lt[0] = lt[0]+m1[0];
+        ADD,DC  ht_0,%r0,ht_0            ; ht[0]++
+    ADD     lt_1,m1_1,lt_1           ; lt[1] = lt[1]+m1[1];
+    ADD,DC  ht_1,%r0,ht_1            ; ht[1]++
+
+    ADD    %ret0,lt_0,lt_0           ; lt[0] = lt[0] + c;
+        ADD,DC  ht_0,%r0,ht_0            ; ht[0]++
+    ADD     lt_0,rp_val,lt_0         ; lt[0] = lt[0]+rp[0]
+    ADD,DC  ht_0,%r0,ht_0            ; ht[0]++
+
+        LDO    -2(num),num               ; num = num - 2;
+    ADD     ht_0,lt_1,lt_1           ; lt[1] = lt[1] + ht_0 (c);
+    ADD,DC  ht_1,%r0,ht_1            ; ht[1]++
+    STD     lt_0,0(r_ptr)            ; rp[0] = lt[0]
+
+    ADD     lt_1,rp_val_1,lt_1       ; lt[1] = lt[1]+rp[1]
+    ADD,DC  ht_1,%r0,%ret0           ; ht[1]++
+    LDO     16(a_ptr),a_ptr          ; a_ptr += 2
+
+    STD     lt_1,8(r_ptr)            ; rp[1] = lt[1]
+        CMPIB,<= 2,num,bn_mul_add_words_unroll2 ; go again if more to do
+    LDO     16(r_ptr),r_ptr          ; r_ptr += 2
+
+    CMPIB,=,N 0,num,bn_mul_add_words_exit ; are we done, or cleanup last one
+
+        ;
+        ; Top of loop aligned on 64-byte boundary
+        ;
+bn_mul_add_words_single_top
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    LDD     0(r_ptr),rp_val           ; rp[0]
+    LDO     8(a_ptr),a_ptr            ; a_ptr++
+    XMPYU   fht_0,fw_l,fm1            ; m1 = ht*fw_l
+    FSTD    fm1,-16(%sp)              ; -16(sp) = m1
+    XMPYU   flt_0,fw_h,fm             ; m = lt*fw_h
+    FSTD    fm,-8(%sp)                ; -8(sp) = m
+    XMPYU   fht_0,fw_h,ht_temp        ; ht_temp = ht*fw_h
+    FSTD    ht_temp,-24(%sp)          ; -24(sp) = ht
+    XMPYU   flt_0,fw_l,lt_temp        ; lt_temp = lt*fw_l
+    FSTD    lt_temp,-32(%sp)          ; -32(sp) = lt 
+
+    LDD     -8(%sp),m_0               
+    LDD    -16(%sp),m1_0              ; m1 = temp1 
+    ADD,L   m_0,m1_0,tmp_0            ; tmp_0 = m + m1; 
+    LDD     -24(%sp),ht_0             
+    LDD     -32(%sp),lt_0             
+
+    CMPCLR,*>>= tmp_0,m1_0,%r0        ; if (m < m1)
+    ADD,L   ht_0,top_overflow,ht_0    ; ht += (1<<32)
+
+    EXTRD,U tmp_0,31,32,m_0           ; m>>32  
+    DEPD,Z  tmp_0,31,32,m1_0          ; m1 = m<<32 
+
+    ADD,L   ht_0,m_0,ht_0             ; ht+= (m>>32)
+    ADD     lt_0,m1_0,tmp_0           ; tmp_0 = lt+m1;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+    ADD     %ret0,tmp_0,lt_0          ; lt = lt + c;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+    ADD     lt_0,rp_val,lt_0          ; lt = lt+rp[0]
+    ADD,DC  ht_0,%r0,%ret0            ; ht++
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+
+bn_mul_add_words_exit
+    .EXIT
+    LDD     -80(%sp),%r9              ; restore r9  
+    LDD     -88(%sp),%r8              ; restore r8  
+    LDD     -96(%sp),%r7              ; restore r7  
+    LDD     -104(%sp),%r6             ; restore r6  
+    LDD     -112(%sp),%r5             ; restore r5  
+    LDD     -120(%sp),%r4             ; restore r4  
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3             ; restore r3
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+;BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+;
+; arg0 = rp
+; arg1 = ap
+; arg2 = num
+; arg3 = w
+
+bn_mul_words
+        .proc
+        .callinfo frame=128
+    .entry
+        .EXPORT bn_mul_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3  
+    STD     %r4,8(%sp)          ; save r4  
+    STD     %r5,16(%sp)         ; save r5  
+    STD     %r6,24(%sp)         ; save r6  
+
+    STD     %r7,32(%sp)         ; save r7  
+    COPY    %r0,%ret0           ; return 0 by default
+    DEPDI,Z 1,31,1,top_overflow ; top_overflow = 1 << 32    
+        STD     w,56(%sp)           ; w on stack
+
+    CMPIB,>= 0,num,bn_mul_words_exit
+        LDO     128(%sp),%sp       ; bump stack
+
+        ;
+        ; See if only 1 word to do, thus just do cleanup
+        ;
+        CMPIB,= 1,num,bn_mul_words_single_top
+        FLDD    -72(%sp),fw     ; load up w into fp register fw (fw_h/fw_l)
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+        ; PA-RISC 2.0 chips have two fully pipelined multipliers, thus
+    ; two 32-bit mutiplies can be issued per cycle.
+    ; 
+bn_mul_words_unroll2
+
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    FLDD    8(a_ptr),t_float_1        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    XMPYU   fht_0,fw_l,fm1            ; m1[0] = fht_0*fw_l
+    XMPYU   fht_1,fw_l,fm1_1          ; m1[1] = ht*fw_l
+
+    FSTD    fm1,-16(%sp)              ; -16(sp) = m1
+    FSTD    fm1_1,-48(%sp)            ; -48(sp) = m1
+    XMPYU   flt_0,fw_h,fm             ; m = lt*fw_h
+    XMPYU   flt_1,fw_h,fm_1           ; m = lt*fw_h
+
+    FSTD    fm,-8(%sp)                ; -8(sp) = m
+    FSTD    fm_1,-40(%sp)             ; -40(sp) = m
+    XMPYU   fht_0,fw_h,ht_temp        ; ht_temp = fht_0*fw_h
+    XMPYU   fht_1,fw_h,ht_temp_1      ; ht_temp = ht*fw_h
+
+    FSTD    ht_temp,-24(%sp)          ; -24(sp) = ht
+    FSTD    ht_temp_1,-56(%sp)        ; -56(sp) = ht
+    XMPYU   flt_0,fw_l,lt_temp        ; lt_temp = lt*fw_l
+    XMPYU   flt_1,fw_l,lt_temp_1      ; lt_temp = lt*fw_l
+
+    FSTD    lt_temp,-32(%sp)          ; -32(sp) = lt 
+    FSTD    lt_temp_1,-64(%sp)        ; -64(sp) = lt 
+    LDD     -8(%sp),m_0               
+    LDD     -40(%sp),m_1              
+
+    LDD    -16(%sp),m1_0              
+    LDD    -48(%sp),m1_1              
+    LDD     -24(%sp),ht_0             
+    LDD     -56(%sp),ht_1             
+
+    ADD,L   m1_0,m_0,tmp_0            ; tmp_0 = m + m1; 
+    ADD,L   m1_1,m_1,tmp_1            ; tmp_1 = m + m1; 
+    LDD     -32(%sp),lt_0             
+    LDD     -64(%sp),lt_1             
+
+    CMPCLR,*>>= tmp_0,m1_0, %r0       ; if (m < m1)
+    ADD,L   ht_0,top_overflow,ht_0    ; ht += (1<<32)
+    CMPCLR,*>>= tmp_1,m1_1,%r0        ; if (m < m1)
+    ADD,L   ht_1,top_overflow,ht_1    ; ht += (1<<32)
+
+    EXTRD,U tmp_0,31,32,m_0           ; m>>32  
+    DEPD,Z  tmp_0,31,32,m1_0          ; m1 = m<<32 
+    EXTRD,U tmp_1,31,32,m_1           ; m>>32  
+    DEPD,Z  tmp_1,31,32,m1_1          ; m1 = m<<32 
+
+    ADD,L   ht_0,m_0,ht_0             ; ht+= (m>>32)
+    ADD,L   ht_1,m_1,ht_1             ; ht+= (m>>32)
+    ADD     lt_0,m1_0,lt_0            ; lt = lt+m1;
+        ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    ADD     lt_1,m1_1,lt_1            ; lt = lt+m1;
+    ADD,DC  ht_1,%r0,ht_1             ; ht++
+    ADD    %ret0,lt_0,lt_0            ; lt = lt + c (ret0);
+        ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    ADD     ht_0,lt_1,lt_1            ; lt = lt + c (ht_0)
+    ADD,DC  ht_1,%r0,ht_1             ; ht++
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+    STD     lt_1,8(r_ptr)             ; rp[1] = lt
+
+        COPY    ht_1,%ret0                ; carry = ht
+        LDO    -2(num),num                ; num = num - 2;
+    LDO     16(a_ptr),a_ptr           ; ap += 2
+        CMPIB,<= 2,num,bn_mul_words_unroll2
+    LDO     16(r_ptr),r_ptr           ; rp++
+
+    CMPIB,=,N 0,num,bn_mul_words_exit ; are we done?
+
+        ;
+        ; Top of loop aligned on 64-byte boundary
+        ;
+bn_mul_words_single_top
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+
+    XMPYU   fht_0,fw_l,fm1            ; m1 = ht*fw_l
+    FSTD    fm1,-16(%sp)              ; -16(sp) = m1
+    XMPYU   flt_0,fw_h,fm             ; m = lt*fw_h
+    FSTD    fm,-8(%sp)                ; -8(sp) = m
+    XMPYU   fht_0,fw_h,ht_temp        ; ht_temp = ht*fw_h
+    FSTD    ht_temp,-24(%sp)          ; -24(sp) = ht
+    XMPYU   flt_0,fw_l,lt_temp        ; lt_temp = lt*fw_l
+    FSTD    lt_temp,-32(%sp)          ; -32(sp) = lt 
+
+    LDD     -8(%sp),m_0               
+    LDD    -16(%sp),m1_0              
+    ADD,L   m_0,m1_0,tmp_0            ; tmp_0 = m + m1; 
+    LDD     -24(%sp),ht_0             
+    LDD     -32(%sp),lt_0             
+
+    CMPCLR,*>>= tmp_0,m1_0,%r0        ; if (m < m1)
+    ADD,L   ht_0,top_overflow,ht_0    ; ht += (1<<32)
+
+    EXTRD,U tmp_0,31,32,m_0           ; m>>32  
+    DEPD,Z  tmp_0,31,32,m1_0          ; m1 = m<<32 
+
+    ADD,L   ht_0,m_0,ht_0             ; ht+= (m>>32)
+    ADD     lt_0,m1_0,lt_0            ; lt= lt+m1;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    ADD     %ret0,lt_0,lt_0           ; lt = lt + c;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    COPY    ht_0,%ret0                ; copy carry
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+
+bn_mul_words_exit
+    .EXIT
+    LDD     -96(%sp),%r7              ; restore r7  
+    LDD     -104(%sp),%r6             ; restore r6  
+    LDD     -112(%sp),%r5             ; restore r5  
+    LDD     -120(%sp),%r4             ; restore r4  
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3             ; restore r3
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+;void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num)
+;
+; arg0 = rp
+; arg1 = ap
+; arg2 = num
+;
+
+bn_sqr_words
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_sqr_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3  
+    STD     %r4,8(%sp)          ; save r4  
+        NOP
+    STD     %r5,16(%sp)         ; save r5  
+
+    CMPIB,>= 0,num,bn_sqr_words_exit
+        LDO     128(%sp),%sp       ; bump stack
+
+        ;
+        ; If only 1, the goto straight to cleanup
+        ;
+        CMPIB,= 1,num,bn_sqr_words_single_top
+    DEPDI,Z -1,32,33,high_mask   ; Create Mask 0xffffffff80000000L
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+
+bn_sqr_words_unroll2
+    FLDD    0(a_ptr),t_float_0        ; a[0]
+    FLDD    8(a_ptr),t_float_1        ; a[1]
+    XMPYU   fht_0,flt_0,fm            ; m[0]
+    XMPYU   fht_1,flt_1,fm_1          ; m[1]
+
+    FSTD    fm,-24(%sp)               ; store m[0]
+    FSTD    fm_1,-56(%sp)             ; store m[1]
+    XMPYU   flt_0,flt_0,lt_temp       ; lt[0]
+    XMPYU   flt_1,flt_1,lt_temp_1     ; lt[1]
+
+    FSTD    lt_temp,-16(%sp)          ; store lt[0]
+    FSTD    lt_temp_1,-48(%sp)        ; store lt[1]
+    XMPYU   fht_0,fht_0,ht_temp       ; ht[0]
+    XMPYU   fht_1,fht_1,ht_temp_1     ; ht[1]
+
+    FSTD    ht_temp,-8(%sp)           ; store ht[0]
+    FSTD    ht_temp_1,-40(%sp)        ; store ht[1]
+    LDD     -24(%sp),m_0             
+    LDD     -56(%sp),m_1              
+
+    AND     m_0,high_mask,tmp_0       ; m[0] & Mask
+    AND     m_1,high_mask,tmp_1       ; m[1] & Mask
+    DEPD,Z  m_0,30,31,m_0             ; m[0] << 32+1
+    DEPD,Z  m_1,30,31,m_1             ; m[1] << 32+1
+
+    LDD     -16(%sp),lt_0        
+    LDD     -48(%sp),lt_1        
+    EXTRD,U tmp_0,32,33,tmp_0         ; tmp_0 = m[0]&Mask >> 32-1
+    EXTRD,U tmp_1,32,33,tmp_1         ; tmp_1 = m[1]&Mask >> 32-1
+
+    LDD     -8(%sp),ht_0            
+    LDD     -40(%sp),ht_1           
+    ADD,L   ht_0,tmp_0,ht_0           ; ht[0] += tmp_0
+    ADD,L   ht_1,tmp_1,ht_1           ; ht[1] += tmp_1
+
+    ADD     lt_0,m_0,lt_0             ; lt = lt+m
+    ADD,DC  ht_0,%r0,ht_0             ; ht[0]++
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt[0]
+    STD     ht_0,8(r_ptr)             ; rp[1] = ht[1]
+
+    ADD     lt_1,m_1,lt_1             ; lt = lt+m
+    ADD,DC  ht_1,%r0,ht_1             ; ht[1]++
+    STD     lt_1,16(r_ptr)            ; rp[2] = lt[1]
+    STD     ht_1,24(r_ptr)            ; rp[3] = ht[1]
+
+        LDO    -2(num),num                ; num = num - 2;
+    LDO     16(a_ptr),a_ptr           ; ap += 2
+        CMPIB,<= 2,num,bn_sqr_words_unroll2
+    LDO     32(r_ptr),r_ptr           ; rp += 4
+
+    CMPIB,=,N 0,num,bn_sqr_words_exit ; are we done?
+
+        ;
+        ; Top of loop aligned on 64-byte boundary
+        ;
+bn_sqr_words_single_top
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+
+    XMPYU   fht_0,flt_0,fm            ; m
+    FSTD    fm,-24(%sp)               ; store m
+
+    XMPYU   flt_0,flt_0,lt_temp       ; lt
+    FSTD    lt_temp,-16(%sp)          ; store lt
+
+    XMPYU   fht_0,fht_0,ht_temp       ; ht
+    FSTD    ht_temp,-8(%sp)           ; store ht
+
+    LDD     -24(%sp),m_0              ; load m
+    AND     m_0,high_mask,tmp_0       ; m & Mask
+    DEPD,Z  m_0,30,31,m_0             ; m << 32+1
+    LDD     -16(%sp),lt_0             ; lt
+
+    LDD     -8(%sp),ht_0              ; ht
+    EXTRD,U tmp_0,32,33,tmp_0         ; tmp_0 = m&Mask >> 32-1
+    ADD     m_0,lt_0,lt_0             ; lt = lt+m
+    ADD,L   ht_0,tmp_0,ht_0           ; ht += tmp_0
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+    STD     ht_0,8(r_ptr)             ; rp[1] = ht
+
+bn_sqr_words_exit
+    .EXIT
+    LDD     -112(%sp),%r5       ; restore r5  
+    LDD     -120(%sp),%r4       ; restore r4  
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3 
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+
+;----------------------------------------------------------------------------
+;
+;BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+;
+; arg0 = rp 
+; arg1 = ap
+; arg2 = bp 
+; arg3 = n
+
+t  .reg %r22
+b  .reg %r21
+l  .reg %r20
+
+bn_add_words
+        .proc
+    .entry
+        .callinfo
+        .EXPORT bn_add_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+        .align 64
+
+    CMPIB,>= 0,n,bn_add_words_exit
+    COPY    %r0,%ret0           ; return 0 by default
+
+        ;
+        ; If 2 or more numbers do the loop
+        ;
+        CMPIB,= 1,n,bn_add_words_single_top
+        NOP
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+bn_add_words_unroll2
+        LDD     0(a_ptr),t
+        LDD     0(b_ptr),b
+        ADD     t,%ret0,t                    ; t = t+c;
+        ADD,DC  %r0,%r0,%ret0                ; set c to carry
+        ADD     t,b,l                        ; l = t + b[0]
+        ADD,DC  %ret0,%r0,%ret0              ; c+= carry
+        STD     l,0(r_ptr)
+
+        LDD     8(a_ptr),t
+        LDD     8(b_ptr),b
+        ADD     t,%ret0,t                     ; t = t+c;
+        ADD,DC  %r0,%r0,%ret0                 ; set c to carry
+        ADD     t,b,l                         ; l = t + b[0]
+        ADD,DC  %ret0,%r0,%ret0               ; c+= carry
+        STD     l,8(r_ptr)
+
+        LDO     -2(n),n
+        LDO     16(a_ptr),a_ptr
+        LDO     16(b_ptr),b_ptr
+
+        CMPIB,<= 2,n,bn_add_words_unroll2
+        LDO     16(r_ptr),r_ptr
+
+    CMPIB,=,N 0,n,bn_add_words_exit ; are we done?
+
+bn_add_words_single_top
+        LDD     0(a_ptr),t
+        LDD     0(b_ptr),b
+
+        ADD     t,%ret0,t                 ; t = t+c;
+        ADD,DC  %r0,%r0,%ret0             ; set c to carry (could use CMPCLR??)
+        ADD     t,b,l                     ; l = t + b[0]
+        ADD,DC  %ret0,%r0,%ret0           ; c+= carry
+        STD     l,0(r_ptr)
+
+bn_add_words_exit
+    .EXIT
+    BVE     (%rp)
+        NOP
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+;BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+;
+; arg0 = rp 
+; arg1 = ap
+; arg2 = bp 
+; arg3 = n
+
+t1       .reg %r22
+t2       .reg %r21
+sub_tmp1 .reg %r20
+sub_tmp2 .reg %r19
+
+
+bn_sub_words
+        .proc
+        .callinfo 
+        .EXPORT bn_sub_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    CMPIB,>=  0,n,bn_sub_words_exit
+    COPY    %r0,%ret0           ; return 0 by default
+
+        ;
+        ; If 2 or more numbers do the loop
+        ;
+        CMPIB,= 1,n,bn_sub_words_single_top
+        NOP
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+bn_sub_words_unroll2
+        LDD     0(a_ptr),t1
+        LDD     0(b_ptr),t2
+        SUB     t1,t2,sub_tmp1           ; t3 = t1-t2; 
+        SUB     sub_tmp1,%ret0,sub_tmp1  ; t3 = t3- c; 
+
+        CMPCLR,*>> t1,t2,sub_tmp2        ; clear if t1 > t2
+        LDO      1(%r0),sub_tmp2
+        
+        CMPCLR,*= t1,t2,%r0
+        COPY    sub_tmp2,%ret0
+        STD     sub_tmp1,0(r_ptr)
+
+        LDD     8(a_ptr),t1
+        LDD     8(b_ptr),t2
+        SUB     t1,t2,sub_tmp1            ; t3 = t1-t2; 
+        SUB     sub_tmp1,%ret0,sub_tmp1   ; t3 = t3- c; 
+        CMPCLR,*>> t1,t2,sub_tmp2         ; clear if t1 > t2
+        LDO      1(%r0),sub_tmp2
+        
+        CMPCLR,*= t1,t2,%r0
+        COPY    sub_tmp2,%ret0
+        STD     sub_tmp1,8(r_ptr)
+
+        LDO     -2(n),n
+        LDO     16(a_ptr),a_ptr
+        LDO     16(b_ptr),b_ptr
+
+        CMPIB,<= 2,n,bn_sub_words_unroll2
+        LDO     16(r_ptr),r_ptr
+
+    CMPIB,=,N 0,n,bn_sub_words_exit ; are we done?
+
+bn_sub_words_single_top
+        LDD     0(a_ptr),t1
+        LDD     0(b_ptr),t2
+        SUB     t1,t2,sub_tmp1            ; t3 = t1-t2; 
+        SUB     sub_tmp1,%ret0,sub_tmp1   ; t3 = t3- c; 
+        CMPCLR,*>> t1,t2,sub_tmp2         ; clear if t1 > t2
+        LDO      1(%r0),sub_tmp2
+        
+        CMPCLR,*= t1,t2,%r0
+        COPY    sub_tmp2,%ret0
+
+        STD     sub_tmp1,0(r_ptr)
+
+bn_sub_words_exit
+    .EXIT
+    BVE     (%rp)
+        NOP
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;------------------------------------------------------------------------------
+;
+; unsigned long bn_div_words(unsigned long h, unsigned long l, unsigned long d)
+;
+; arg0 = h
+; arg1 = l
+; arg2 = d
+;
+; This is mainly just modified assembly from the compiler, thus the
+; lack of variable names.
+;
+;------------------------------------------------------------------------------
+bn_div_words
+        .proc
+        .callinfo CALLER,FRAME=272,ENTRY_GR=%r10,SAVE_RP,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_div_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+        .IMPORT BN_num_bits_word,CODE,NO_RELOCATION
+        .IMPORT __iob,DATA
+        .IMPORT fprintf,CODE,NO_RELOCATION
+        .IMPORT abort,CODE,NO_RELOCATION
+        .IMPORT $$div2U,MILLICODE
+    .entry
+    STD     %r2,-16(%r30)   
+    STD,MA  %r3,352(%r30)   
+    STD     %r4,-344(%r30)  
+    STD     %r5,-336(%r30)  
+    STD     %r6,-328(%r30)  
+    STD     %r7,-320(%r30)  
+    STD     %r8,-312(%r30)  
+    STD     %r9,-304(%r30)  
+    STD     %r10,-296(%r30)
+
+    STD     %r27,-288(%r30)             ; save gp
+
+    COPY    %r24,%r3           ; save d 
+    COPY    %r26,%r4           ; save h (high 64-bits)
+    LDO      -1(%r0),%ret0     ; return -1 by default   
+
+    CMPB,*=  %r0,%arg2,$D3     ; if (d == 0)
+    COPY    %r25,%r5           ; save l (low 64-bits)
+
+    LDO     -48(%r30),%r29     ; create ap 
+    .CALL   ;in=26,29;out=28;
+    B,L     BN_num_bits_word,%r2 
+    COPY    %r3,%r26        
+    LDD     -288(%r30),%r27    ; restore gp 
+    LDI     64,%r21 
+
+    CMPB,=  %r21,%ret0,$00000012   ;if (i == 64) (forward) 
+    COPY    %ret0,%r24             ; i   
+    MTSARCM %r24    
+    DEPDI,Z -1,%sar,1,%r29  
+    CMPB,*<<,N %r29,%r4,bn_div_err_case ; if (h > 1<<i) (forward) 
+
+$00000012
+    SUBI    64,%r24,%r31                       ; i = 64 - i;
+    CMPCLR,*<< %r4,%r3,%r0                     ; if (h >= d)
+    SUB     %r4,%r3,%r4                        ; h -= d
+    CMPB,=  %r31,%r0,$0000001A                 ; if (i)
+    COPY    %r0,%r10                           ; ret = 0
+    MTSARCM %r31                               ; i to shift
+    DEPD,Z  %r3,%sar,64,%r3                    ; d <<= i;
+    SUBI    64,%r31,%r19                       ; 64 - i; redundent
+    MTSAR   %r19                               ; (64 -i) to shift
+    SHRPD   %r4,%r5,%sar,%r4                   ; l>> (64-i)
+    MTSARCM %r31                               ; i to shift
+    DEPD,Z  %r5,%sar,64,%r5                    ; l <<= i;
+
+$0000001A
+    DEPDI,Z -1,31,32,%r19                      
+    EXTRD,U %r3,31,32,%r6                      ; dh=(d&0xfff)>>32
+    EXTRD,U %r3,63,32,%r8                      ; dl = d&0xffffff
+    LDO     2(%r0),%r9
+    STD    %r3,-280(%r30)                      ; "d" to stack
+
+$0000001C
+    DEPDI,Z -1,63,32,%r29                      ; 
+    EXTRD,U %r4,31,32,%r31                     ; h >> 32
+    CMPB,*=,N  %r31,%r6,$D2                    ; if ((h>>32) != dh)(forward) div
+    COPY    %r4,%r26       
+    EXTRD,U %r4,31,32,%r25 
+    COPY    %r6,%r24      
+    .CALL   ;in=23,24,25,26;out=20,21,22,28,29; (MILLICALL)
+    B,L     $$div2U,%r2     
+    EXTRD,U %r6,31,32,%r23  
+    DEPD    %r28,31,32,%r29 
+$D2
+    STD     %r29,-272(%r30)                   ; q
+    AND     %r5,%r19,%r24                   ; t & 0xffffffff00000000;
+    EXTRD,U %r24,31,32,%r24                 ; ??? 
+    FLDD    -272(%r30),%fr7                 ; q
+    FLDD    -280(%r30),%fr8                 ; d
+    XMPYU   %fr8L,%fr7L,%fr10  
+    FSTD    %fr10,-256(%r30)   
+    XMPYU   %fr8L,%fr7R,%fr22  
+    FSTD    %fr22,-264(%r30)   
+    XMPYU   %fr8R,%fr7L,%fr11 
+    XMPYU   %fr8R,%fr7R,%fr23
+    FSTD    %fr11,-232(%r30)
+    FSTD    %fr23,-240(%r30)
+    LDD     -256(%r30),%r28
+    DEPD,Z  %r28,31,32,%r2 
+    LDD     -264(%r30),%r20
+    ADD,L   %r20,%r2,%r31   
+    LDD     -232(%r30),%r22 
+    DEPD,Z  %r22,31,32,%r22 
+    LDD     -240(%r30),%r21 
+    B       $00000024       ; enter loop  
+    ADD,L   %r21,%r22,%r23 
+
+$0000002A
+    LDO     -1(%r29),%r29   
+    SUB     %r23,%r8,%r23   
+$00000024
+    SUB     %r4,%r31,%r25   
+    AND     %r25,%r19,%r26  
+    CMPB,*<>,N      %r0,%r26,$00000046  ; (forward)
+    DEPD,Z  %r25,31,32,%r20 
+    OR      %r20,%r24,%r21  
+    CMPB,*<<,N  %r21,%r23,$0000002A ;(backward) 
+    SUB     %r31,%r6,%r31   
+;-------------Break path---------------------
+
+$00000046
+    DEPD,Z  %r23,31,32,%r25              ;tl
+    EXTRD,U %r23,31,32,%r26              ;t
+    AND     %r25,%r19,%r24               ;tl = (tl<<32)&0xfffffff0000000L
+    ADD,L   %r31,%r26,%r31               ;th += t; 
+    CMPCLR,*>>=     %r5,%r24,%r0         ;if (l<tl)
+    LDO     1(%r31),%r31                 ; th++;
+    CMPB,*<<=,N     %r31,%r4,$00000036   ;if (n < th) (forward)
+    LDO     -1(%r29),%r29                ;q--; 
+    ADD,L   %r4,%r3,%r4                  ;h += d;
+$00000036
+    ADDIB,=,N       -1,%r9,$D1 ;if (--count == 0) break (forward) 
+    SUB     %r5,%r24,%r28                ; l -= tl;
+    SUB     %r4,%r31,%r24                ; h -= th;
+    SHRPD   %r24,%r28,32,%r4             ; h = ((h<<32)|(l>>32));
+    DEPD,Z  %r29,31,32,%r10              ; ret = q<<32
+    b      $0000001C
+    DEPD,Z  %r28,31,32,%r5               ; l = l << 32 
+
+$D1
+    OR      %r10,%r29,%r28           ; ret |= q
+$D3
+    LDD     -368(%r30),%r2  
+$D0
+    LDD     -296(%r30),%r10 
+    LDD     -304(%r30),%r9  
+    LDD     -312(%r30),%r8  
+    LDD     -320(%r30),%r7  
+    LDD     -328(%r30),%r6  
+    LDD     -336(%r30),%r5  
+    LDD     -344(%r30),%r4  
+    BVE     (%r2)   
+        .EXIT
+    LDD,MB  -352(%r30),%r3 
+
+bn_div_err_case
+    MFIA    %r6     
+    ADDIL   L'bn_div_words-bn_div_err_case,%r6,%r1 
+    LDO     R'bn_div_words-bn_div_err_case(%r1),%r6  
+    ADDIL   LT'__iob,%r27,%r1       
+    LDD     RT'__iob(%r1),%r26      
+    ADDIL   L'C$4-bn_div_words,%r6,%r1    
+    LDO     R'C$4-bn_div_words(%r1),%r25  
+    LDO     64(%r26),%r26   
+    .CALL           ;in=24,25,26,29;out=28;
+    B,L     fprintf,%r2    
+    LDO     -48(%r30),%r29 
+    LDD     -288(%r30),%r27
+    .CALL           ;in=29;
+    B,L     abort,%r2      
+    LDO     -48(%r30),%r29 
+    LDD     -288(%r30),%r27
+    B       $D0         
+    LDD     -368(%r30),%r2  
+        .PROCEND        ;in=24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+; Registers to hold 64-bit values to manipulate.  The "L" part
+; of the register corresponds to the upper 32-bits, while the "R"
+; part corresponds to the lower 32-bits
+; 
+; Note, that when using b6 and b7, the code must save these before
+; using them because they are callee save registers 
+; 
+;
+; Floating point registers to use to save values that
+; are manipulated.  These don't collide with ftemp1-6 and
+; are all caller save registers
+;
+a0        .reg %fr22
+a0L       .reg %fr22L
+a0R       .reg %fr22R
+
+a1        .reg %fr23
+a1L       .reg %fr23L
+a1R       .reg %fr23R
+
+a2        .reg %fr24
+a2L       .reg %fr24L
+a2R       .reg %fr24R
+
+a3        .reg %fr25
+a3L       .reg %fr25L
+a3R       .reg %fr25R
+
+a4        .reg %fr26
+a4L       .reg %fr26L
+a4R       .reg %fr26R
+
+a5        .reg %fr27
+a5L       .reg %fr27L
+a5R       .reg %fr27R
+
+a6        .reg %fr28
+a6L       .reg %fr28L
+a6R       .reg %fr28R
+
+a7        .reg %fr29
+a7L       .reg %fr29L
+a7R       .reg %fr29R
+
+b0        .reg %fr30
+b0L       .reg %fr30L
+b0R       .reg %fr30R
+
+b1        .reg %fr31
+b1L       .reg %fr31L
+b1R       .reg %fr31R
+
+;
+; Temporary floating point variables, these are all caller save
+; registers
+;
+ftemp1    .reg %fr4
+ftemp2    .reg %fr5
+ftemp3    .reg %fr6
+ftemp4    .reg %fr7
+
+;
+; The B set of registers when used.
+;
+
+b2        .reg %fr8
+b2L       .reg %fr8L
+b2R       .reg %fr8R
+
+b3        .reg %fr9
+b3L       .reg %fr9L
+b3R       .reg %fr9R
+
+b4        .reg %fr10
+b4L       .reg %fr10L
+b4R       .reg %fr10R
+
+b5        .reg %fr11
+b5L       .reg %fr11L
+b5R       .reg %fr11R
+
+b6        .reg %fr12
+b6L       .reg %fr12L
+b6R       .reg %fr12R
+
+b7        .reg %fr13
+b7L       .reg %fr13L
+b7R       .reg %fr13R
+
+c1           .reg %r21   ; only reg
+temp1        .reg %r20   ; only reg
+temp2        .reg %r19   ; only reg
+temp3        .reg %r31   ; only reg
+
+m1           .reg %r28   
+c2           .reg %r23   
+high_one     .reg %r1
+ht           .reg %r6
+lt           .reg %r5
+m            .reg %r4
+c3           .reg %r3
+
+SQR_ADD_C  .macro  A0L,A0R,C1,C2,C3
+    XMPYU   A0L,A0R,ftemp1       ; m
+    FSTD    ftemp1,-24(%sp)      ; store m
+
+    XMPYU   A0R,A0R,ftemp2       ; lt
+    FSTD    ftemp2,-16(%sp)      ; store lt
+
+    XMPYU   A0L,A0L,ftemp3       ; ht
+    FSTD    ftemp3,-8(%sp)       ; store ht
+
+    LDD     -24(%sp),m           ; load m
+    AND     m,high_mask,temp2    ; m & Mask
+    DEPD,Z  m,30,31,temp3        ; m << 32+1
+    LDD     -16(%sp),lt          ; lt
+
+    LDD     -8(%sp),ht           ; ht
+    EXTRD,U temp2,32,33,temp1    ; temp1 = m&Mask >> 32-1
+    ADD     temp3,lt,lt          ; lt = lt+m
+    ADD,L   ht,temp1,ht          ; ht += temp1
+    ADD,DC  ht,%r0,ht            ; ht++
+
+    ADD     C1,lt,C1             ; c1=c1+lt
+    ADD,DC  ht,%r0,ht            ; ht++
+
+    ADD     C2,ht,C2             ; c2=c2+ht
+    ADD,DC  C3,%r0,C3            ; c3++
+.endm
+
+SQR_ADD_C2 .macro  A0L,A0R,A1L,A1R,C1,C2,C3
+    XMPYU   A0L,A1R,ftemp1          ; m1 = bl*ht
+    FSTD    ftemp1,-16(%sp)         ;
+    XMPYU   A0R,A1L,ftemp2          ; m = bh*lt
+    FSTD    ftemp2,-8(%sp)          ;
+    XMPYU   A0R,A1R,ftemp3          ; lt = bl*lt
+    FSTD    ftemp3,-32(%sp)
+    XMPYU   A0L,A1L,ftemp4          ; ht = bh*ht
+    FSTD    ftemp4,-24(%sp)         ;
+
+    LDD     -8(%sp),m               ; r21 = m
+    LDD     -16(%sp),m1             ; r19 = m1
+    ADD,L   m,m1,m                  ; m+m1
+
+    DEPD,Z  m,31,32,temp3           ; (m+m1<<32)
+    LDD     -24(%sp),ht             ; r24 = ht
+
+    CMPCLR,*>>= m,m1,%r0            ; if (m < m1)
+    ADD,L   ht,high_one,ht          ; ht+=high_one
+
+    EXTRD,U m,31,32,temp1           ; m >> 32
+    LDD     -32(%sp),lt             ; lt
+    ADD,L   ht,temp1,ht             ; ht+= m>>32
+    ADD     lt,temp3,lt             ; lt = lt+m1
+    ADD,DC  ht,%r0,ht               ; ht++
+
+    ADD     ht,ht,ht                ; ht=ht+ht;
+    ADD,DC  C3,%r0,C3               ; add in carry (c3++)
+
+    ADD     lt,lt,lt                ; lt=lt+lt;
+    ADD,DC  ht,%r0,ht               ; add in carry (ht++)
+
+    ADD     C1,lt,C1                ; c1=c1+lt
+    ADD,DC,*NUV ht,%r0,ht           ; add in carry (ht++)
+    LDO     1(C3),C3              ; bump c3 if overflow,nullify otherwise
+
+    ADD     C2,ht,C2                ; c2 = c2 + ht
+    ADD,DC  C3,%r0,C3             ; add in carry (c3++)
+.endm
+
+;
+;void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+; arg0 = r_ptr
+; arg1 = a_ptr
+;
+
+bn_sqr_comba8
+        .PROC
+        .CALLINFO FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_sqr_comba8,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .ENTRY
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z -1,32,33,high_mask   ; Create Mask 0xffffffff80000000L
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD     0(a_ptr),a0       
+    FLDD     8(a_ptr),a1       
+    FLDD    16(a_ptr),a2       
+    FLDD    24(a_ptr),a3       
+    FLDD    32(a_ptr),a4       
+    FLDD    40(a_ptr),a5       
+    FLDD    48(a_ptr),a6       
+    FLDD    56(a_ptr),a7       
+
+        SQR_ADD_C a0L,a0R,c1,c2,c3
+        STD     c1,0(r_ptr)          ; r[0] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a1L,a1R,a0L,a0R,c2,c3,c1
+        STD     c2,8(r_ptr)          ; r[1] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a1L,a1R,c3,c1,c2
+        SQR_ADD_C2 a2L,a2R,a0L,a0R,c3,c1,c2
+        STD     c3,16(r_ptr)            ; r[2] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C2 a3L,a3R,a0L,a0R,c1,c2,c3
+        SQR_ADD_C2 a2L,a2R,a1L,a1R,c1,c2,c3
+        STD     c1,24(r_ptr)           ; r[3] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C a2L,a2R,c2,c3,c1
+        SQR_ADD_C2 a3L,a3R,a1L,a1R,c2,c3,c1
+        SQR_ADD_C2 a4L,a4R,a0L,a0R,c2,c3,c1
+        STD     c2,32(r_ptr)          ; r[4] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C2 a5L,a5R,a0L,a0R,c3,c1,c2
+        SQR_ADD_C2 a4L,a4R,a1L,a1R,c3,c1,c2
+        SQR_ADD_C2 a3L,a3R,a2L,a2R,c3,c1,c2
+        STD     c3,40(r_ptr)          ; r[5] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C a3L,a3R,c1,c2,c3
+        SQR_ADD_C2 a4L,a4R,a2L,a2R,c1,c2,c3
+        SQR_ADD_C2 a5L,a5R,a1L,a1R,c1,c2,c3
+        SQR_ADD_C2 a6L,a6R,a0L,a0R,c1,c2,c3
+        STD     c1,48(r_ptr)          ; r[6] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a7L,a7R,a0L,a0R,c2,c3,c1
+        SQR_ADD_C2 a6L,a6R,a1L,a1R,c2,c3,c1
+        SQR_ADD_C2 a5L,a5R,a2L,a2R,c2,c3,c1
+        SQR_ADD_C2 a4L,a4R,a3L,a3R,c2,c3,c1
+        STD     c2,56(r_ptr)          ; r[7] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a4L,a4R,c3,c1,c2
+        SQR_ADD_C2 a5L,a5R,a3L,a3R,c3,c1,c2
+        SQR_ADD_C2 a6L,a6R,a2L,a2R,c3,c1,c2
+        SQR_ADD_C2 a7L,a7R,a1L,a1R,c3,c1,c2
+        STD     c3,64(r_ptr)          ; r[8] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C2 a7L,a7R,a2L,a2R,c1,c2,c3
+        SQR_ADD_C2 a6L,a6R,a3L,a3R,c1,c2,c3
+        SQR_ADD_C2 a5L,a5R,a4L,a4R,c1,c2,c3
+        STD     c1,72(r_ptr)          ; r[9] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C a5L,a5R,c2,c3,c1
+        SQR_ADD_C2 a6L,a6R,a4L,a4R,c2,c3,c1
+        SQR_ADD_C2 a7L,a7R,a3L,a3R,c2,c3,c1
+        STD     c2,80(r_ptr)          ; r[10] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C2 a7L,a7R,a4L,a4R,c3,c1,c2
+        SQR_ADD_C2 a6L,a6R,a5L,a5R,c3,c1,c2
+        STD     c3,88(r_ptr)          ; r[11] = c3;
+        COPY    %r0,c3
+        
+        SQR_ADD_C a6L,a6R,c1,c2,c3
+        SQR_ADD_C2 a7L,a7R,a5L,a5R,c1,c2,c3
+        STD     c1,96(r_ptr)          ; r[12] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a7L,a7R,a6L,a6R,c2,c3,c1
+        STD     c2,104(r_ptr)         ; r[13] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a7L,a7R,c3,c1,c2
+        STD     c3, 112(r_ptr)       ; r[14] = c3
+        STD     c1, 120(r_ptr)       ; r[15] = c1
+
+    .EXIT
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+;-----------------------------------------------------------------------------
+;
+;void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+; arg0 = r_ptr
+; arg1 = a_ptr
+;
+
+bn_sqr_comba4
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_sqr_comba4,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z -1,32,33,high_mask   ; Create Mask 0xffffffff80000000L
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD     0(a_ptr),a0       
+    FLDD     8(a_ptr),a1       
+    FLDD    16(a_ptr),a2       
+    FLDD    24(a_ptr),a3       
+    FLDD    32(a_ptr),a4       
+    FLDD    40(a_ptr),a5       
+    FLDD    48(a_ptr),a6       
+    FLDD    56(a_ptr),a7       
+
+        SQR_ADD_C a0L,a0R,c1,c2,c3
+
+        STD     c1,0(r_ptr)          ; r[0] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a1L,a1R,a0L,a0R,c2,c3,c1
+
+        STD     c2,8(r_ptr)          ; r[1] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a1L,a1R,c3,c1,c2
+        SQR_ADD_C2 a2L,a2R,a0L,a0R,c3,c1,c2
+
+        STD     c3,16(r_ptr)            ; r[2] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C2 a3L,a3R,a0L,a0R,c1,c2,c3
+        SQR_ADD_C2 a2L,a2R,a1L,a1R,c1,c2,c3
+
+        STD     c1,24(r_ptr)           ; r[3] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C a2L,a2R,c2,c3,c1
+        SQR_ADD_C2 a3L,a3R,a1L,a1R,c2,c3,c1
+
+        STD     c2,32(r_ptr)           ; r[4] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C2 a3L,a3R,a2L,a2R,c3,c1,c2
+        STD     c3,40(r_ptr)           ; r[5] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C a3L,a3R,c1,c2,c3
+        STD     c1,48(r_ptr)           ; r[6] = c1;
+        STD     c2,56(r_ptr)           ; r[7] = c2;
+
+    .EXIT
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+
+;---------------------------------------------------------------------------
+
+MUL_ADD_C  .macro  A0L,A0R,B0L,B0R,C1,C2,C3
+    XMPYU   A0L,B0R,ftemp1        ; m1 = bl*ht
+    FSTD    ftemp1,-16(%sp)       ;
+    XMPYU   A0R,B0L,ftemp2        ; m = bh*lt
+    FSTD    ftemp2,-8(%sp)        ;
+    XMPYU   A0R,B0R,ftemp3        ; lt = bl*lt
+    FSTD    ftemp3,-32(%sp)
+    XMPYU   A0L,B0L,ftemp4        ; ht = bh*ht
+    FSTD    ftemp4,-24(%sp)       ;
+
+    LDD     -8(%sp),m             ; r21 = m
+    LDD     -16(%sp),m1           ; r19 = m1
+    ADD,L   m,m1,m                ; m+m1
+
+    DEPD,Z  m,31,32,temp3         ; (m+m1<<32)
+    LDD     -24(%sp),ht           ; r24 = ht
+
+    CMPCLR,*>>= m,m1,%r0          ; if (m < m1)
+    ADD,L   ht,high_one,ht        ; ht+=high_one
+
+    EXTRD,U m,31,32,temp1         ; m >> 32
+    LDD     -32(%sp),lt           ; lt
+    ADD,L   ht,temp1,ht           ; ht+= m>>32
+    ADD     lt,temp3,lt           ; lt = lt+m1
+    ADD,DC  ht,%r0,ht             ; ht++
+
+    ADD     C1,lt,C1              ; c1=c1+lt
+    ADD,DC  ht,%r0,ht             ; bump c3 if overflow,nullify otherwise
+
+    ADD     C2,ht,C2              ; c2 = c2 + ht
+    ADD,DC  C3,%r0,C3             ; add in carry (c3++)
+.endm
+
+
+;
+;void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+; arg0 = r_ptr
+; arg1 = a_ptr
+; arg2 = b_ptr
+;
+
+bn_mul_comba8
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_mul_comba8,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+    FSTD    %fr12,32(%sp)       ; save r6
+    FSTD    %fr13,40(%sp)       ; save r7
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD      0(a_ptr),a0       
+    FLDD      8(a_ptr),a1       
+    FLDD     16(a_ptr),a2       
+    FLDD     24(a_ptr),a3       
+    FLDD     32(a_ptr),a4       
+    FLDD     40(a_ptr),a5       
+    FLDD     48(a_ptr),a6       
+    FLDD     56(a_ptr),a7       
+
+    FLDD      0(b_ptr),b0       
+    FLDD      8(b_ptr),b1       
+    FLDD     16(b_ptr),b2       
+    FLDD     24(b_ptr),b3       
+    FLDD     32(b_ptr),b4       
+    FLDD     40(b_ptr),b5       
+    FLDD     48(b_ptr),b6       
+    FLDD     56(b_ptr),b7       
+
+        MUL_ADD_C a0L,a0R,b0L,b0R,c1,c2,c3
+        STD       c1,0(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a0L,a0R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b0L,b0R,c2,c3,c1
+        STD       c2,8(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a2L,a2R,b0L,b0R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a0L,a0R,b2L,b2R,c3,c1,c2
+        STD       c3,16(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a0L,a0R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a1L,a1R,b2L,b2R,c1,c2,c3
+        MUL_ADD_C a2L,a2R,b1L,b1R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b0L,b0R,c1,c2,c3
+        STD       c1,24(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a4L,a4R,b0L,b0R,c2,c3,c1
+        MUL_ADD_C a3L,a3R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a2L,a2R,b2L,b2R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b3L,b3R,c2,c3,c1
+        MUL_ADD_C a0L,a0R,b4L,b4R,c2,c3,c1
+        STD       c2,32(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a0L,a0R,b5L,b5R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b4L,b4R,c3,c1,c2
+        MUL_ADD_C a2L,a2R,b3L,b3R,c3,c1,c2
+        MUL_ADD_C a3L,a3R,b2L,b2R,c3,c1,c2
+        MUL_ADD_C a4L,a4R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a5L,a5R,b0L,b0R,c3,c1,c2
+        STD       c3,40(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a6L,a6R,b0L,b0R,c1,c2,c3
+        MUL_ADD_C a5L,a5R,b1L,b1R,c1,c2,c3
+        MUL_ADD_C a4L,a4R,b2L,b2R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a2L,a2R,b4L,b4R,c1,c2,c3
+        MUL_ADD_C a1L,a1R,b5L,b5R,c1,c2,c3
+        MUL_ADD_C a0L,a0R,b6L,b6R,c1,c2,c3
+        STD       c1,48(r_ptr)
+        COPY      %r0,c1
+        
+        MUL_ADD_C a0L,a0R,b7L,b7R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b6L,b6R,c2,c3,c1
+        MUL_ADD_C a2L,a2R,b5L,b5R,c2,c3,c1
+        MUL_ADD_C a3L,a3R,b4L,b4R,c2,c3,c1
+        MUL_ADD_C a4L,a4R,b3L,b3R,c2,c3,c1
+        MUL_ADD_C a5L,a5R,b2L,b2R,c2,c3,c1
+        MUL_ADD_C a6L,a6R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a7L,a7R,b0L,b0R,c2,c3,c1
+        STD       c2,56(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a7L,a7R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a6L,a6R,b2L,b2R,c3,c1,c2
+        MUL_ADD_C a5L,a5R,b3L,b3R,c3,c1,c2
+        MUL_ADD_C a4L,a4R,b4L,b4R,c3,c1,c2
+        MUL_ADD_C a3L,a3R,b5L,b5R,c3,c1,c2
+        MUL_ADD_C a2L,a2R,b6L,b6R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b7L,b7R,c3,c1,c2
+        STD       c3,64(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a2L,a2R,b7L,b7R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b6L,b6R,c1,c2,c3
+        MUL_ADD_C a4L,a4R,b5L,b5R,c1,c2,c3
+        MUL_ADD_C a5L,a5R,b4L,b4R,c1,c2,c3
+        MUL_ADD_C a6L,a6R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a7L,a7R,b2L,b2R,c1,c2,c3
+        STD       c1,72(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a7L,a7R,b3L,b3R,c2,c3,c1
+        MUL_ADD_C a6L,a6R,b4L,b4R,c2,c3,c1
+        MUL_ADD_C a5L,a5R,b5L,b5R,c2,c3,c1
+        MUL_ADD_C a4L,a4R,b6L,b6R,c2,c3,c1
+        MUL_ADD_C a3L,a3R,b7L,b7R,c2,c3,c1
+        STD       c2,80(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a4L,a4R,b7L,b7R,c3,c1,c2
+        MUL_ADD_C a5L,a5R,b6L,b6R,c3,c1,c2
+        MUL_ADD_C a6L,a6R,b5L,b5R,c3,c1,c2
+        MUL_ADD_C a7L,a7R,b4L,b4R,c3,c1,c2
+        STD       c3,88(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a7L,a7R,b5L,b5R,c1,c2,c3
+        MUL_ADD_C a6L,a6R,b6L,b6R,c1,c2,c3
+        MUL_ADD_C a5L,a5R,b7L,b7R,c1,c2,c3
+        STD       c1,96(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a6L,a6R,b7L,b7R,c2,c3,c1
+        MUL_ADD_C a7L,a7R,b6L,b6R,c2,c3,c1
+        STD       c2,104(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a7L,a7R,b7L,b7R,c3,c1,c2
+        STD       c3,112(r_ptr)
+        STD       c1,120(r_ptr)
+
+    .EXIT
+    FLDD    -88(%sp),%fr13 
+    FLDD    -96(%sp),%fr12 
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+;-----------------------------------------------------------------------------
+;
+;void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+; arg0 = r_ptr
+; arg1 = a_ptr
+; arg2 = b_ptr
+;
+
+bn_mul_comba4
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_mul_comba4,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+    FSTD    %fr12,32(%sp)       ; save r6
+    FSTD    %fr13,40(%sp)       ; save r7
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD      0(a_ptr),a0       
+    FLDD      8(a_ptr),a1       
+    FLDD     16(a_ptr),a2       
+    FLDD     24(a_ptr),a3       
+
+    FLDD      0(b_ptr),b0       
+    FLDD      8(b_ptr),b1       
+    FLDD     16(b_ptr),b2       
+    FLDD     24(b_ptr),b3       
+
+        MUL_ADD_C a0L,a0R,b0L,b0R,c1,c2,c3
+        STD       c1,0(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a0L,a0R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b0L,b0R,c2,c3,c1
+        STD       c2,8(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a2L,a2R,b0L,b0R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a0L,a0R,b2L,b2R,c3,c1,c2
+        STD       c3,16(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a0L,a0R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a1L,a1R,b2L,b2R,c1,c2,c3
+        MUL_ADD_C a2L,a2R,b1L,b1R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b0L,b0R,c1,c2,c3
+        STD       c1,24(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a3L,a3R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a2L,a2R,b2L,b2R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b3L,b3R,c2,c3,c1
+        STD       c2,32(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a2L,a2R,b3L,b3R,c3,c1,c2
+        MUL_ADD_C a3L,a3R,b2L,b2R,c3,c1,c2
+        STD       c3,40(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a3L,a3R,b3L,b3R,c1,c2,c3
+        STD       c1,48(r_ptr)
+        STD       c2,56(r_ptr)
+
+    .EXIT
+    FLDD    -88(%sp),%fr13 
+    FLDD    -96(%sp),%fr12 
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+
+        .SPACE  $TEXT$
+        .SUBSPA $CODE$
+        .SPACE  $PRIVATE$,SORT=16
+        .IMPORT $global$,DATA
+        .SPACE  $TEXT$
+        .SUBSPA $CODE$
+        .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16
+C$4
+        .ALIGN  8
+        .STRINGZ        "Division would overflow (%d)\n"
+        .END
diff --git a/src/lib/libcrypto/bn/asm/sparcv8.S b/src/lib/libcrypto/bn/asm/sparcv8.S
new file mode 100644
index 0000000000..88c5dc480a
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/sparcv8.S
@@ -0,0 +1,1458 @@
+.ident  "sparcv8.s, Version 1.4"
+.ident  "SPARC v8 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in SuperSPARC ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * See bn_asm.sparc.v8plus.S for more details.
+ */
+
+/*
+ * Revision history.
+ *
+ * 1.1  - new loop unrolling model(*);
+ * 1.2  - made gas friendly;
+ * 1.3  - fixed problem with /usr/ccs/lib/cpp;
+ * 1.4  - some retunes;
+ *
+ * (*)  see bn_asm.sparc.v8plus.S for details
+ */
+
+.section        ".text",#alloc,#execinstr
+.file           "bn_asm.sparc.v8.S"
+
+.align  32
+
+.global bn_mul_add_words
+/*
+ * BN_ULONG bn_mul_add_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_add_words:
+        cmp     %o2,0
+        bg,a    .L_bn_mul_add_words_proceed
+        ld      [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_add_words_proceed:
+        andcc   %o2,-4,%g0
+        bz      .L_bn_mul_add_words_tail
+        clr     %o5
+
+.L_bn_mul_add_words_loop:
+        ld      [%o0],%o4
+        ld      [%o1+4],%g3
+        umul    %o3,%g2,%g2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        st      %o4,[%o0]
+        addx    %g1,0,%o5
+
+        ld      [%o0+4],%o4
+        ld      [%o1+8],%g2
+        umul    %o3,%g3,%g3
+        dec     4,%o2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g3,%o4
+        st      %o4,[%o0+4]
+        addx    %g1,0,%o5
+
+        ld      [%o0+8],%o4
+        ld      [%o1+12],%g3
+        umul    %o3,%g2,%g2
+        inc     16,%o1
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        st      %o4,[%o0+8]
+        addx    %g1,0,%o5
+
+        ld      [%o0+12],%o4
+        umul    %o3,%g3,%g3
+        inc     16,%o0
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g3,%o4
+        st      %o4,[%o0-4]
+        addx    %g1,0,%o5
+        andcc   %o2,-4,%g0
+        bnz,a   .L_bn_mul_add_words_loop
+        ld      [%o1],%g2
+
+        tst     %o2
+        bnz,a   .L_bn_mul_add_words_tail
+        ld      [%o1],%g2
+.L_bn_mul_add_words_return:
+        retl
+        mov     %o5,%o0
+        nop
+
+.L_bn_mul_add_words_tail:
+        ld      [%o0],%o4
+        umul    %o3,%g2,%g2
+        addcc   %o4,%o5,%o4
+        rd      %y,%g1
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_add_words_return
+        st      %o4,[%o0]
+
+        ld      [%o1+4],%g2
+        ld      [%o0+4],%o4
+        umul    %o3,%g2,%g2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_add_words_return
+        st      %o4,[%o0+4]
+
+        ld      [%o1+8],%g2
+        ld      [%o0+8],%o4
+        umul    %o3,%g2,%g2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        st      %o4,[%o0+8]
+        retl
+        addx    %g1,0,%o0
+
+.type   bn_mul_add_words,#function
+.size   bn_mul_add_words,(.-bn_mul_add_words)
+
+.align  32
+
+.global bn_mul_words
+/*
+ * BN_ULONG bn_mul_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_words:
+        cmp     %o2,0
+        bg,a    .L_bn_mul_words_proceeed
+        ld      [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_words_proceeed:
+        andcc   %o2,-4,%g0
+        bz      .L_bn_mul_words_tail
+        clr     %o5
+
+.L_bn_mul_words_loop:
+        ld      [%o1+4],%g3
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        addx    %g1,0,%o5
+        st      %g2,[%o0]
+
+        ld      [%o1+8],%g2
+        umul    %o3,%g3,%g3
+        addcc   %g3,%o5,%g3
+        rd      %y,%g1
+        dec     4,%o2
+        addx    %g1,0,%o5
+        st      %g3,[%o0+4]
+
+        ld      [%o1+12],%g3
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        inc     16,%o1
+        st      %g2,[%o0+8]
+        addx    %g1,0,%o5
+
+        umul    %o3,%g3,%g3
+        addcc   %g3,%o5,%g3
+        rd      %y,%g1
+        inc     16,%o0
+        addx    %g1,0,%o5
+        st      %g3,[%o0-4]
+        andcc   %o2,-4,%g0
+        nop
+        bnz,a   .L_bn_mul_words_loop
+        ld      [%o1],%g2
+
+        tst     %o2
+        bnz,a   .L_bn_mul_words_tail
+        ld      [%o1],%g2
+.L_bn_mul_words_return:
+        retl
+        mov     %o5,%o0
+        nop
+
+.L_bn_mul_words_tail:
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_words_return
+        st      %g2,[%o0]
+        nop
+
+        ld      [%o1+4],%g2
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_words_return
+        st      %g2,[%o0+4]
+
+        ld      [%o1+8],%g2
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        st      %g2,[%o0+8]
+        retl
+        addx    %g1,0,%o0
+
+.type   bn_mul_words,#function
+.size   bn_mul_words,(.-bn_mul_words)
+
+.align  32
+.global bn_sqr_words
+/*
+ * void bn_sqr_words(r,a,n)
+ * BN_ULONG *r,*a;
+ * int n;
+ */
+bn_sqr_words:
+        cmp     %o2,0
+        bg,a    .L_bn_sqr_words_proceeed
+        ld      [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_proceeed:
+        andcc   %o2,-4,%g0
+        bz      .L_bn_sqr_words_tail
+        clr     %o5
+
+.L_bn_sqr_words_loop:
+        ld      [%o1+4],%g3
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0]
+        rd      %y,%o5
+        st      %o5,[%o0+4]
+
+        ld      [%o1+8],%g2
+        umul    %g3,%g3,%o4
+        dec     4,%o2
+        st      %o4,[%o0+8]
+        rd      %y,%o5
+        st      %o5,[%o0+12]
+        nop
+
+        ld      [%o1+12],%g3
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0+16]
+        rd      %y,%o5
+        inc     16,%o1
+        st      %o5,[%o0+20]
+
+        umul    %g3,%g3,%o4
+        inc     32,%o0
+        st      %o4,[%o0-8]
+        rd      %y,%o5
+        st      %o5,[%o0-4]
+        andcc   %o2,-4,%g2
+        bnz,a   .L_bn_sqr_words_loop
+        ld      [%o1],%g2
+
+        tst     %o2
+        nop
+        bnz,a   .L_bn_sqr_words_tail
+        ld      [%o1],%g2
+.L_bn_sqr_words_return:
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_tail:
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0]
+        deccc   %o2
+        rd      %y,%o5
+        bz      .L_bn_sqr_words_return
+        st      %o5,[%o0+4]
+
+        ld      [%o1+4],%g2
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0+8]
+        deccc   %o2
+        rd      %y,%o5
+        nop
+        bz      .L_bn_sqr_words_return
+        st      %o5,[%o0+12]
+
+        ld      [%o1+8],%g2
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0+16]
+        rd      %y,%o5
+        st      %o5,[%o0+20]
+        retl
+        clr     %o0
+
+.type   bn_sqr_words,#function
+.size   bn_sqr_words,(.-bn_sqr_words)
+
+.align  32
+
+.global bn_div_words
+/*
+ * BN_ULONG bn_div_words(h,l,d)
+ * BN_ULONG h,l,d;
+ */
+bn_div_words:
+        wr      %o0,%y
+        udiv    %o1,%o2,%o0
+        retl
+        nop
+
+.type   bn_div_words,#function
+.size   bn_div_words,(.-bn_div_words)
+
+.align  32
+
+.global bn_add_words
+/*
+ * BN_ULONG bn_add_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_add_words:
+        cmp     %o3,0
+        bg,a    .L_bn_add_words_proceed
+        ld      [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_add_words_proceed:
+        andcc   %o3,-4,%g0
+        bz      .L_bn_add_words_tail
+        clr     %g1
+        ba      .L_bn_add_words_warn_loop
+        addcc   %g0,0,%g0       ! clear carry flag
+
+.L_bn_add_words_loop:
+        ld      [%o1],%o4
+.L_bn_add_words_warn_loop:
+        ld      [%o2],%o5
+        ld      [%o1+4],%g3
+        ld      [%o2+4],%g4
+        dec     4,%o3
+        addxcc  %o5,%o4,%o5
+        st      %o5,[%o0]
+
+        ld      [%o1+8],%o4
+        ld      [%o2+8],%o5
+        inc     16,%o1
+        addxcc  %g3,%g4,%g3
+        st      %g3,[%o0+4]
+        
+        ld      [%o1-4],%g3
+        ld      [%o2+12],%g4
+        inc     16,%o2
+        addxcc  %o5,%o4,%o5
+        st      %o5,[%o0+8]
+
+        inc     16,%o0
+        addxcc  %g3,%g4,%g3
+        st      %g3,[%o0-4]
+        addx    %g0,0,%g1
+        andcc   %o3,-4,%g0
+        bnz,a   .L_bn_add_words_loop
+        addcc   %g1,-1,%g0
+
+        tst     %o3
+        bnz,a   .L_bn_add_words_tail
+        ld      [%o1],%o4
+.L_bn_add_words_return:
+        retl
+        mov     %g1,%o0
+
+.L_bn_add_words_tail:
+        addcc   %g1,-1,%g0
+        ld      [%o2],%o5
+        addxcc  %o5,%o4,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_add_words_return
+        st      %o5,[%o0]
+
+        ld      [%o1+4],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+4],%o5
+        addxcc  %o5,%o4,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_add_words_return
+        st      %o5,[%o0+4]
+
+        ld      [%o1+8],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+8],%o5
+        addxcc  %o5,%o4,%o5
+        st      %o5,[%o0+8]
+        retl
+        addx    %g0,0,%o0
+
+.type   bn_add_words,#function
+.size   bn_add_words,(.-bn_add_words)
+
+.align  32
+
+.global bn_sub_words
+/*
+ * BN_ULONG bn_sub_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_sub_words:
+        cmp     %o3,0
+        bg,a    .L_bn_sub_words_proceed
+        ld      [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_sub_words_proceed:
+        andcc   %o3,-4,%g0
+        bz      .L_bn_sub_words_tail
+        clr     %g1
+        ba      .L_bn_sub_words_warm_loop
+        addcc   %g0,0,%g0       ! clear carry flag
+
+.L_bn_sub_words_loop:
+        ld      [%o1],%o4
+.L_bn_sub_words_warm_loop:
+        ld      [%o2],%o5
+        ld      [%o1+4],%g3
+        ld      [%o2+4],%g4
+        dec     4,%o3
+        subxcc  %o4,%o5,%o5
+        st      %o5,[%o0]
+
+        ld      [%o1+8],%o4
+        ld      [%o2+8],%o5
+        inc     16,%o1
+        subxcc  %g3,%g4,%g4
+        st      %g4,[%o0+4]
+        
+        ld      [%o1-4],%g3
+        ld      [%o2+12],%g4
+        inc     16,%o2
+        subxcc  %o4,%o5,%o5
+        st      %o5,[%o0+8]
+
+        inc     16,%o0
+        subxcc  %g3,%g4,%g4
+        st      %g4,[%o0-4]
+        addx    %g0,0,%g1
+        andcc   %o3,-4,%g0
+        bnz,a   .L_bn_sub_words_loop
+        addcc   %g1,-1,%g0
+
+        tst     %o3
+        nop
+        bnz,a   .L_bn_sub_words_tail
+        ld      [%o1],%o4
+.L_bn_sub_words_return:
+        retl
+        mov     %g1,%o0
+
+.L_bn_sub_words_tail:
+        addcc   %g1,-1,%g0
+        ld      [%o2],%o5
+        subxcc  %o4,%o5,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_sub_words_return
+        st      %o5,[%o0]
+        nop
+
+        ld      [%o1+4],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+4],%o5
+        subxcc  %o4,%o5,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_sub_words_return
+        st      %o5,[%o0+4]
+
+        ld      [%o1+8],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+8],%o5
+        subxcc  %o4,%o5,%o5
+        st      %o5,[%o0+8]
+        retl
+        addx    %g0,0,%o0
+
+.type   bn_sub_words,#function
+.size   bn_sub_words,(.-bn_sub_words)
+
+#define FRAME_SIZE      -96
+
+/*
+ * Here is register usage map for *all* routines below.
+ */
+#define t_1     %o0
+#define t_2     %o1
+#define c_1     %o2
+#define c_2     %o3
+#define c_3     %o4
+
+#define ap(I)   [%i1+4*I]
+#define bp(I)   [%i2+4*I]
+#define rp(I)   [%i0+4*I]
+
+#define a_0     %l0
+#define a_1     %l1
+#define a_2     %l2
+#define a_3     %l3
+#define a_4     %l4
+#define a_5     %l5
+#define a_6     %l6
+#define a_7     %l7
+
+#define b_0     %i3
+#define b_1     %i4
+#define b_2     %i5
+#define b_3     %o5
+#define b_4     %g1
+#define b_5     %g2
+#define b_6     %g3
+#define b_7     %g4
+
+.align  32
+.global bn_mul_comba8
+/*
+ * void bn_mul_comba8(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        ld      bp(0),b_0
+        umul    a_0,b_0,c_1     !=!mul_add_c(a[0],b[0],c1,c2,c3);
+        ld      bp(1),b_1
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        umul    a_0,b_1,t_1     !=!mul_add_c(a[0],b[1],c2,c3,c1);
+        ld      ap(1),a_1
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  %g0,t_2,c_3     !=
+        addx    %g0,%g0,c_1
+        ld      ap(2),a_2
+        umul    a_1,b_0,t_1     !mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(1)       !r[1]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    %g0,%g0,c_2
+        ld      bp(2),b_2
+        umul    a_1,b_1,t_1     !mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        ld      bp(3),b_3
+        addx    c_2,%g0,c_2     !=
+        umul    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        st      c_3,rp(2)       !r[2]=c3;
+
+        umul    a_0,b_3,t_1     !mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        umul    a_1,b_2,t_1     !=!mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        ld      ap(3),a_3
+        umul    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        ld      ap(4),a_4
+        umul    a_3,b_0,t_1     !mul_add_c(a[3],b[0],c1,c2,c3);!=
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_4,b_0,t_1     !mul_add_c(a[4],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        umul    a_3,b_1,t_1     !mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_2,b_2,t_1     !=!mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        ld      bp(4),b_4
+        umul    a_1,b_3,t_1     !mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        ld      bp(5),b_5
+        umul    a_0,b_4,t_1     !=!mul_add_c(a[0],b[4],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(4)       !r[4]=c2;
+
+        umul    a_0,b_5,t_1     !mul_add_c(a[0],b[5],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        umul    a_1,b_4,t_1     !mul_add_c(a[1],b[4],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_2,b_3,t_1     !=!mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        ld      ap(5),a_5
+        umul    a_4,b_1,t_1     !mul_add_c(a[4],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        ld      ap(6),a_6
+        addx    c_2,%g0,c_2     !=
+        umul    a_5,b_0,t_1     !mul_add_c(a[5],b[0],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        st      c_3,rp(5)       !r[5]=c3;
+
+        umul    a_6,b_0,t_1     !mul_add_c(a[6],b[0],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        umul    a_5,b_1,t_1     !=!mul_add_c(a[5],b[1],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_4,b_2,t_1     !mul_add_c(a[4],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        umul    a_3,b_3,t_1     !mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_2,b_4,t_1     !mul_add_c(a[2],b[4],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        ld      bp(6),b_6
+        addx    c_3,%g0,c_3     !=
+        umul    a_1,b_5,t_1     !mul_add_c(a[1],b[5],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        ld      bp(7),b_7
+        umul    a_0,b_6,t_1     !mul_add_c(a[0],b[6],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        st      c_1,rp(6)       !r[6]=c1;
+        addx    c_3,%g0,c_3     !=
+
+        umul    a_0,b_7,t_1     !mul_add_c(a[0],b[7],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    %g0,%g0,c_1
+        umul    a_1,b_6,t_1     !mul_add_c(a[1],b[6],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_2,b_5,t_1     !mul_add_c(a[2],b[5],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_3,b_4,t_1     !=!mul_add_c(a[3],b[4],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        umul    a_4,b_3,t_1     !mul_add_c(a[4],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_5,b_2,t_1     !mul_add_c(a[5],b[2],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        ld      ap(7),a_7
+        umul    a_6,b_1,t_1     !=!mul_add_c(a[6],b[1],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        umul    a_7,b_0,t_1     !mul_add_c(a[7],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        st      c_2,rp(7)       !r[7]=c2;
+
+        umul    a_7,b_1,t_1     !mul_add_c(a[7],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        umul    a_6,b_2,t_1     !=!mul_add_c(a[6],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_5,b_3,t_1     !mul_add_c(a[5],b[3],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        umul    a_4,b_4,t_1     !mul_add_c(a[4],b[4],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_3,b_5,t_1     !mul_add_c(a[3],b[5],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_2,b_6,t_1     !=!mul_add_c(a[2],b[6],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_1,b_7,t_1     !mul_add_c(a[1],b[7],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !
+        addx    c_2,%g0,c_2
+        st      c_3,rp(8)       !r[8]=c3;
+
+        umul    a_2,b_7,t_1     !mul_add_c(a[2],b[7],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        umul    a_3,b_6,t_1     !=!mul_add_c(a[3],b[6],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_4,b_5,t_1     !mul_add_c(a[4],b[5],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        umul    a_5,b_4,t_1     !mul_add_c(a[5],b[4],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_6,b_3,t_1     !mul_add_c(a[6],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_7,b_2,t_1     !=!mul_add_c(a[7],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(9)       !r[9]=c1;
+
+        umul    a_7,b_3,t_1     !mul_add_c(a[7],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        umul    a_6,b_4,t_1     !mul_add_c(a[6],b[4],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_5,b_5,t_1     !=!mul_add_c(a[5],b[5],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        umul    a_4,b_6,t_1     !mul_add_c(a[4],b[6],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_3,b_7,t_1     !mul_add_c(a[3],b[7],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(10)      !r[10]=c2;
+
+        umul    a_4,b_7,t_1     !=!mul_add_c(a[4],b[7],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2     !=
+        umul    a_5,b_6,t_1     !mul_add_c(a[5],b[6],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        umul    a_6,b_5,t_1     !mul_add_c(a[6],b[5],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_7,b_4,t_1     !mul_add_c(a[7],b[4],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(11)      !r[11]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_7,b_5,t_1     !mul_add_c(a[7],b[5],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        umul    a_6,b_6,t_1     !mul_add_c(a[6],b[6],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_5,b_7,t_1     !mul_add_c(a[5],b[7],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        st      c_1,rp(12)      !r[12]=c1;
+        addx    c_3,%g0,c_3     !=
+
+        umul    a_6,b_7,t_1     !mul_add_c(a[6],b[7],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    %g0,%g0,c_1
+        umul    a_7,b_6,t_1     !mul_add_c(a[7],b[6],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(13)      !r[13]=c2;
+
+        umul    a_7,b_7,t_1     !=!mul_add_c(a[7],b[7],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        nop                     !=
+        st      c_3,rp(14)      !r[14]=c3;
+        st      c_1,rp(15)      !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_mul_comba8,#function
+.size   bn_mul_comba8,(.-bn_mul_comba8)
+
+.align  32
+
+.global bn_mul_comba4
+/*
+ * void bn_mul_comba4(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        ld      bp(0),b_0
+        umul    a_0,b_0,c_1     !=!mul_add_c(a[0],b[0],c1,c2,c3);
+        ld      bp(1),b_1
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        umul    a_0,b_1,t_1     !=!mul_add_c(a[0],b[1],c2,c3,c1);
+        ld      ap(1),a_1
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  %g0,t_2,c_3
+        addx    %g0,%g0,c_1
+        ld      ap(2),a_2
+        umul    a_1,b_0,t_1     !=!mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(1)       !r[1]=c2;
+
+        umul    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        ld      bp(2),b_2
+        umul    a_1,b_1,t_1     !=!mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        ld      bp(3),b_3
+        umul    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        st      c_3,rp(2)       !r[2]=c3;
+
+        umul    a_0,b_3,t_1     !=!mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3     !=
+        umul    a_1,b_2,t_1     !mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        ld      ap(3),a_3
+        umul    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_3,b_0,t_1     !=!mul_add_c(a[3],b[0],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_3,b_1,t_1     !mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        umul    a_2,b_2,t_1     !mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_1,b_3,t_1     !=!mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(4)       !r[4]=c2;
+
+        umul    a_2,b_3,t_1     !mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        umul    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(5)       !r[5]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_3,b_3,t_1     !mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        st      c_1,rp(6)       !r[6]=c1;
+        st      c_2,rp(7)       !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_mul_comba4,#function
+.size   bn_mul_comba4,(.-bn_mul_comba4)
+
+.align  32
+
+.global bn_sqr_comba8
+bn_sqr_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        ld      ap(1),a_1
+        umul    a_0,a_0,c_1     !=!sqr_add_c(a,0,c1,c2,c3);
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        ld      ap(2),a_2
+        umul    a_0,a_1,t_1     !=!sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  %g0,t_2,c_3
+        addx    %g0,%g0,c_1     !=
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(1)       !r[1]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        ld      ap(3),a_3
+        umul    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        st      c_3,rp(2)       !r[2]=c3;
+
+        umul    a_0,a_3,t_1     !=!sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3     !=
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        ld      ap(4),a_4
+        addx    c_3,%g0,c_3     !=
+        umul    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_4,a_0,t_1     !sqr_add_c2(a,4,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        ld      ap(5),a_5
+        umul    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(4)       !r[4]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_0,a_5,t_1     !sqr_add_c2(a,5,0,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_1,a_4,t_1     !sqr_add_c2(a,4,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        ld      ap(6),a_6
+        umul    a_2,a_3,t_1     !sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        st      c_3,rp(5)       !r[5]=c3;
+
+        umul    a_6,a_0,t_1     !sqr_add_c2(a,6,0,c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1     !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_5,a_1,t_1     !sqr_add_c2(a,5,1,c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1     !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_4,a_2,t_1     !sqr_add_c2(a,4,2,c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1     !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        ld      ap(7),a_7
+        umul    a_3,a_3,t_1     !=!sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(6)       !r[6]=c1;
+
+        umul    a_0,a_7,t_1     !sqr_add_c2(a,7,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_1,a_6,t_1     !sqr_add_c2(a,6,1,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_2,a_5,t_1     !sqr_add_c2(a,5,2,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_3,a_4,t_1     !sqr_add_c2(a,4,3,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        st      c_2,rp(7)       !r[7]=c2;
+
+        umul    a_7,a_1,t_1     !sqr_add_c2(a,7,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3     !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_6,a_2,t_1     !sqr_add_c2(a,6,2,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3     !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_5,a_3,t_1     !sqr_add_c2(a,5,3,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3     !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_4,a_4,t_1     !sqr_add_c(a,4,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(8)       !r[8]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_2,a_7,t_1     !sqr_add_c2(a,7,2,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_3,a_6,t_1     !sqr_add_c2(a,6,3,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_4,a_5,t_1     !sqr_add_c2(a,5,4,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(9)       !r[9]=c1;
+
+        umul    a_7,a_3,t_1     !sqr_add_c2(a,7,3,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_6,a_4,t_1     !sqr_add_c2(a,6,4,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_5,a_5,t_1     !sqr_add_c(a,5,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(10)      !r[10]=c2;
+
+        umul    a_4,a_7,t_1     !=!sqr_add_c2(a,7,4,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2     !=
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_5,a_6,t_1     !=!sqr_add_c2(a,6,5,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(11)      !r[11]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_7,a_5,t_1     !sqr_add_c2(a,7,5,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_6,a_6,t_1     !sqr_add_c(a,6,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        st      c_1,rp(12)      !r[12]=c1;
+
+        umul    a_6,a_7,t_1     !sqr_add_c2(a,7,6,c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2     !=
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(13)      !r[13]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_7,a_7,t_1     !sqr_add_c(a,7,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        st      c_3,rp(14)      !r[14]=c3;
+        st      c_1,rp(15)      !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba8,#function
+.size   bn_sqr_comba8,(.-bn_sqr_comba8)
+
+.align  32
+
+.global bn_sqr_comba4
+/*
+ * void bn_sqr_comba4(r,a)
+ * BN_ULONG *r,*a;
+ */
+bn_sqr_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        umul    a_0,a_0,c_1     !sqr_add_c(a,0,c1,c2,c3);
+        ld      ap(1),a_1       !=
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        ld      ap(2),a_2
+        umul    a_0,a_1,t_1     !=!sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  %g0,t_2,c_3
+        addx    %g0,%g0,c_1     !=
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(1)       !r[1]=c2;
+
+        umul    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        ld      ap(3),a_3
+        umul    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(2)       !r[2]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_0,a_3,t_1     !sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(4)       !r[4]=c2;
+
+        umul    a_2,a_3,t_1     !=!sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2     !=
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(5)       !r[5]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_3,a_3,t_1     !sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        st      c_1,rp(6)       !r[6]=c1;
+        st      c_2,rp(7)       !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba4,#function
+.size   bn_sqr_comba4,(.-bn_sqr_comba4)
+
+.align  32
diff --git a/src/lib/libcrypto/bn/asm/sparcv8plus.S b/src/lib/libcrypto/bn/asm/sparcv8plus.S
new file mode 100644
index 0000000000..0074dfdb75
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/sparcv8plus.S
@@ -0,0 +1,1535 @@
+.ident  "sparcv8plus.s, Version 1.4"
+.ident  "SPARC v9 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in UltraSPARC ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * Questions-n-answers.
+ *
+ * Q. How to compile?
+ * A. With SC4.x/SC5.x:
+ *
+ *      cc -xarch=v8plus -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *
+ *    and with gcc:
+ *
+ *      gcc -mcpu=ultrasparc -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *
+ *    or if above fails (it does if you have gas installed):
+ *
+ *      gcc -E bn_asm.sparc.v8plus.S | as -xarch=v8plus /dev/fd/0 -o bn_asm.o
+ *
+ *    Quick-n-dirty way to fuse the module into the library.
+ *    Provided that the library is already configured and built
+ *    (in 0.9.2 case with no-asm option):
+ *
+ *      # cd crypto/bn
+ *      # cp /some/place/bn_asm.sparc.v8plus.S .
+ *      # cc -xarch=v8plus -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *      # make
+ *      # cd ../..
+ *      # make; make test
+ *
+ *    Quick-n-dirty way to get rid of it:
+ *
+ *      # cd crypto/bn
+ *      # touch bn_asm.c
+ *      # make
+ *      # cd ../..
+ *      # make; make test
+ *
+ * Q. V8plus achitecture? What kind of beast is that?
+ * A. Well, it's rather a programming model than an architecture...
+ *    It's actually v9-compliant, i.e. *any* UltraSPARC, CPU under
+ *    special conditions, namely when kernel doesn't preserve upper
+ *    32 bits of otherwise 64-bit registers during a context switch.
+ *
+ * Q. Why just UltraSPARC? What about SuperSPARC?
+ * A. Original release did target UltraSPARC only. Now SuperSPARC
+ *    version is provided along. Both version share bn_*comba[48]
+ *    implementations (see comment later in code for explanation).
+ *    But what's so special about this UltraSPARC implementation?
+ *    Why didn't I let compiler do the job? Trouble is that most of
+ *    available compilers (well, SC5.0 is the only exception) don't
+ *    attempt to take advantage of UltraSPARC's 64-bitness under
+ *    32-bit kernels even though it's perfectly possible (see next
+ *    question).
+ *
+ * Q. 64-bit registers under 32-bit kernels? Didn't you just say it
+ *    doesn't work?
+ * A. You can't adress *all* registers as 64-bit wide:-( The catch is
+ *    that you actually may rely upon %o0-%o5 and %g1-%g4 being fully
+ *    preserved if you're in a leaf function, i.e. such never calling
+ *    any other functions. All functions in this module are leaf and
+ *    10 registers is a handful. And as a matter of fact none-"comba"
+ *    routines don't require even that much and I could even afford to
+ *    not allocate own stack frame for 'em:-)
+ *
+ * Q. What about 64-bit kernels?
+ * A. What about 'em? Just kidding:-) Pure 64-bit version is currently
+ *    under evaluation and development...
+ *
+ * Q. What about shared libraries?
+ * A. What about 'em? Kidding again:-) Code does *not* contain any
+ *    code position dependencies and it's safe to include it into
+ *    shared library as is.
+ *
+ * Q. How much faster does it go?
+ * A. Do you have a good benchmark? In either case below is what I
+ *    experience with crypto/bn/expspeed.c test program:
+ *
+ *      v8plus module on U10/300MHz against bn_asm.c compiled with:
+ *
+ *      cc-5.0 -xarch=v8plus -xO5 -xdepend      +7-12%
+ *      cc-4.2 -xarch=v8plus -xO5 -xdepend      +25-35%
+ *      egcs-1.1.2 -mcpu=ultrasparc -O3         +35-45%
+ *
+ *      v8 module on SS10/60MHz against bn_asm.c compiled with:
+ *
+ *      cc-5.0 -xarch=v8 -xO5 -xdepend          +7-10%
+ *      cc-4.2 -xarch=v8 -xO5 -xdepend          +10%
+ *      egcs-1.1.2 -mv8 -O3                     +35-45%
+ *
+ *    As you can see it's damn hard to beat the new Sun C compiler
+ *    and it's in first place GNU C users who will appreciate this
+ *    assembler implementation:-)       
+ */
+
+/*
+ * Revision history.
+ *
+ * 1.0  - initial release;
+ * 1.1  - new loop unrolling model(*);
+ *      - some more fine tuning;
+ * 1.2  - made gas friendly;
+ *      - updates to documentation concerning v9;
+ *      - new performance comparison matrix;
+ * 1.3  - fixed problem with /usr/ccs/lib/cpp;
+ * 1.4  - native V9 bn_*_comba[48] implementation (15% more efficient)
+ *        resulting in slight overall performance kick;
+ *      - some retunes;
+ *      - support for GNU as added;
+ *
+ * (*)  Originally unrolled loop looked like this:
+ *          for (;;) {
+ *              op(p+0); if (--n==0) break;
+ *              op(p+1); if (--n==0) break;
+ *              op(p+2); if (--n==0) break;
+ *              op(p+3); if (--n==0) break;
+ *              p+=4;
+ *          }
+ *      I unroll according to following:
+ *          while (n&~3) {
+ *              op(p+0); op(p+1); op(p+2); op(p+3);
+ *              p+=4; n=-4;
+ *          }
+ *          if (n) {
+ *              op(p+0); if (--n==0) return;
+ *              op(p+2); if (--n==0) return;
+ *              op(p+3); return;
+ *          }
+ */
+
+/*
+ * GNU assembler can't stand stuw:-(
+ */
+#define stuw st
+
+.section        ".text",#alloc,#execinstr
+.file           "bn_asm.sparc.v8plus.S"
+
+.align  32
+
+.global bn_mul_add_words
+/*
+ * BN_ULONG bn_mul_add_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_add_words:
+        brgz,a  %o2,.L_bn_mul_add_words_proceed
+        lduw    [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_add_words_proceed:
+        srl     %o3,%g0,%o3     ! clruw %o3
+        andcc   %o2,-4,%g0
+        bz,pn   %icc,.L_bn_mul_add_words_tail
+        clr     %o5
+
+.L_bn_mul_add_words_loop:       ! wow! 32 aligned!
+        lduw    [%o0],%g1
+        lduw    [%o1+4],%g3
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        nop
+        add     %o4,%g2,%o4
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+
+        lduw    [%o0+4],%g1
+        lduw    [%o1+8],%g2
+        mulx    %o3,%g3,%g3
+        add     %g1,%o5,%o4
+        dec     4,%o2
+        add     %o4,%g3,%o4
+        stuw    %o4,[%o0+4]
+        srlx    %o4,32,%o5
+
+        lduw    [%o0+8],%g1
+        lduw    [%o1+12],%g3
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        inc     16,%o1
+        add     %o4,%g2,%o4
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+
+        lduw    [%o0+12],%g1
+        mulx    %o3,%g3,%g3
+        add     %g1,%o5,%o4
+        inc     16,%o0
+        add     %o4,%g3,%o4
+        andcc   %o2,-4,%g0
+        stuw    %o4,[%o0-4]
+        srlx    %o4,32,%o5
+        bnz,a,pt        %icc,.L_bn_mul_add_words_loop
+        lduw    [%o1],%g2
+
+        brnz,a,pn       %o2,.L_bn_mul_add_words_tail
+        lduw    [%o1],%g2
+.L_bn_mul_add_words_return:
+        retl
+        mov     %o5,%o0
+
+.L_bn_mul_add_words_tail:
+        lduw    [%o0],%g1
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        dec     %o2
+        add     %o4,%g2,%o4
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_add_words_return
+        stuw    %o4,[%o0]
+
+        lduw    [%o1+4],%g2
+        lduw    [%o0+4],%g1
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        dec     %o2
+        add     %o4,%g2,%o4
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_add_words_return
+        stuw    %o4,[%o0+4]
+
+        lduw    [%o1+8],%g2
+        lduw    [%o0+8],%g1
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        add     %o4,%g2,%o4
+        stuw    %o4,[%o0+8]
+        retl
+        srlx    %o4,32,%o0
+
+.type   bn_mul_add_words,#function
+.size   bn_mul_add_words,(.-bn_mul_add_words)
+
+.align  32
+
+.global bn_mul_words
+/*
+ * BN_ULONG bn_mul_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_words:
+        brgz,a  %o2,.L_bn_mul_words_proceeed
+        lduw    [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_words_proceeed:
+        srl     %o3,%g0,%o3     ! clruw %o3
+        andcc   %o2,-4,%g0
+        bz,pn   %icc,.L_bn_mul_words_tail
+        clr     %o5
+
+.L_bn_mul_words_loop:           ! wow! 32 aligned!
+        lduw    [%o1+4],%g3
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        nop
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+
+        lduw    [%o1+8],%g2
+        mulx    %o3,%g3,%g3
+        add     %g3,%o5,%o4
+        dec     4,%o2
+        stuw    %o4,[%o0+4]
+        srlx    %o4,32,%o5
+
+        lduw    [%o1+12],%g3
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        inc     16,%o1
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+
+        mulx    %o3,%g3,%g3
+        add     %g3,%o5,%o4
+        inc     16,%o0
+        stuw    %o4,[%o0-4]
+        srlx    %o4,32,%o5
+        andcc   %o2,-4,%g0
+        bnz,a,pt        %icc,.L_bn_mul_words_loop
+        lduw    [%o1],%g2
+        nop
+        nop
+
+        brnz,a,pn       %o2,.L_bn_mul_words_tail
+        lduw    [%o1],%g2
+.L_bn_mul_words_return:
+        retl
+        mov     %o5,%o0
+
+.L_bn_mul_words_tail:
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        dec     %o2
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_words_return
+        stuw    %o4,[%o0]
+
+        lduw    [%o1+4],%g2
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        dec     %o2
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_words_return
+        stuw    %o4,[%o0+4]
+
+        lduw    [%o1+8],%g2
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        stuw    %o4,[%o0+8]
+        retl
+        srlx    %o4,32,%o0
+
+.type   bn_mul_words,#function
+.size   bn_mul_words,(.-bn_mul_words)
+
+.align  32
+.global bn_sqr_words
+/*
+ * void bn_sqr_words(r,a,n)
+ * BN_ULONG *r,*a;
+ * int n;
+ */
+bn_sqr_words:
+        brgz,a  %o2,.L_bn_sqr_words_proceeed
+        lduw    [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_proceeed:
+        andcc   %o2,-4,%g0
+        nop
+        bz,pn   %icc,.L_bn_sqr_words_tail
+        nop
+
+.L_bn_sqr_words_loop:           ! wow! 32 aligned!
+        lduw    [%o1+4],%g3
+        mulx    %g2,%g2,%o4
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+        stuw    %o5,[%o0+4]
+        nop
+
+        lduw    [%o1+8],%g2
+        mulx    %g3,%g3,%o4
+        dec     4,%o2
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+        stuw    %o5,[%o0+12]
+
+        lduw    [%o1+12],%g3
+        mulx    %g2,%g2,%o4
+        srlx    %o4,32,%o5
+        stuw    %o4,[%o0+16]
+        inc     16,%o1
+        stuw    %o5,[%o0+20]
+
+        mulx    %g3,%g3,%o4
+        inc     32,%o0
+        stuw    %o4,[%o0-8]
+        srlx    %o4,32,%o5
+        andcc   %o2,-4,%g2
+        stuw    %o5,[%o0-4]
+        bnz,a,pt        %icc,.L_bn_sqr_words_loop
+        lduw    [%o1],%g2
+        nop
+
+        brnz,a,pn       %o2,.L_bn_sqr_words_tail
+        lduw    [%o1],%g2
+.L_bn_sqr_words_return:
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_tail:
+        mulx    %g2,%g2,%o4
+        dec     %o2
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_sqr_words_return
+        stuw    %o5,[%o0+4]
+
+        lduw    [%o1+4],%g2
+        mulx    %g2,%g2,%o4
+        dec     %o2
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_sqr_words_return
+        stuw    %o5,[%o0+12]
+
+        lduw    [%o1+8],%g2
+        mulx    %g2,%g2,%o4
+        srlx    %o4,32,%o5
+        stuw    %o4,[%o0+16]
+        stuw    %o5,[%o0+20]
+        retl
+        clr     %o0
+
+.type   bn_sqr_words,#function
+.size   bn_sqr_words,(.-bn_sqr_words)
+
+.align  32
+.global bn_div_words
+/*
+ * BN_ULONG bn_div_words(h,l,d)
+ * BN_ULONG h,l,d;
+ */
+bn_div_words:
+        sllx    %o0,32,%o0
+        or      %o0,%o1,%o0
+        udivx   %o0,%o2,%o0
+        retl
+        srl     %o0,%g0,%o0     ! clruw %o0
+
+.type   bn_div_words,#function
+.size   bn_div_words,(.-bn_div_words)
+
+.align  32
+
+.global bn_add_words
+/*
+ * BN_ULONG bn_add_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_add_words:
+        brgz,a  %o3,.L_bn_add_words_proceed
+        lduw    [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_add_words_proceed:
+        andcc   %o3,-4,%g0
+        bz,pn   %icc,.L_bn_add_words_tail
+        addcc   %g0,0,%g0       ! clear carry flag
+        nop
+
+.L_bn_add_words_loop:           ! wow! 32 aligned!
+        dec     4,%o3
+        lduw    [%o2],%o5
+        lduw    [%o1+4],%g1
+        lduw    [%o2+4],%g2
+        lduw    [%o1+8],%g3
+        lduw    [%o2+8],%g4
+        addccc  %o5,%o4,%o5
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+12],%o4
+        lduw    [%o2+12],%o5
+        inc     16,%o1
+        addccc  %g1,%g2,%g1
+        stuw    %g1,[%o0+4]
+        
+        inc     16,%o2
+        addccc  %g3,%g4,%g3
+        stuw    %g3,[%o0+8]
+
+        inc     16,%o0
+        addccc  %o5,%o4,%o5
+        stuw    %o5,[%o0-4]
+        and     %o3,-4,%g1
+        brnz,a,pt       %g1,.L_bn_add_words_loop
+        lduw    [%o1],%o4
+
+        brnz,a,pn       %o3,.L_bn_add_words_tail
+        lduw    [%o1],%o4
+.L_bn_add_words_return:
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+        nop
+
+.L_bn_add_words_tail:
+        lduw    [%o2],%o5
+        dec     %o3
+        addccc  %o5,%o4,%o5
+        brz,pt  %o3,.L_bn_add_words_return
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+4],%o4
+        lduw    [%o2+4],%o5
+        dec     %o3
+        addccc  %o5,%o4,%o5
+        brz,pt  %o3,.L_bn_add_words_return
+        stuw    %o5,[%o0+4]
+
+        lduw    [%o1+8],%o4
+        lduw    [%o2+8],%o5
+        addccc  %o5,%o4,%o5
+        stuw    %o5,[%o0+8]
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+
+.type   bn_add_words,#function
+.size   bn_add_words,(.-bn_add_words)
+
+.global bn_sub_words
+/*
+ * BN_ULONG bn_sub_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_sub_words:
+        brgz,a  %o3,.L_bn_sub_words_proceed
+        lduw    [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_sub_words_proceed:
+        andcc   %o3,-4,%g0
+        bz,pn   %icc,.L_bn_sub_words_tail
+        addcc   %g0,0,%g0       ! clear carry flag
+        nop
+
+.L_bn_sub_words_loop:           ! wow! 32 aligned!
+        dec     4,%o3
+        lduw    [%o2],%o5
+        lduw    [%o1+4],%g1
+        lduw    [%o2+4],%g2
+        lduw    [%o1+8],%g3
+        lduw    [%o2+8],%g4
+        subccc  %o4,%o5,%o5
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+12],%o4
+        lduw    [%o2+12],%o5
+        inc     16,%o1
+        subccc  %g1,%g2,%g2
+        stuw    %g2,[%o0+4]
+
+        inc     16,%o2
+        subccc  %g3,%g4,%g4
+        stuw    %g4,[%o0+8]
+
+        inc     16,%o0
+        subccc  %o4,%o5,%o5
+        stuw    %o5,[%o0-4]
+        and     %o3,-4,%g1
+        brnz,a,pt       %g1,.L_bn_sub_words_loop
+        lduw    [%o1],%o4
+
+        brnz,a,pn       %o3,.L_bn_sub_words_tail
+        lduw    [%o1],%o4
+.L_bn_sub_words_return:
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+        nop
+
+.L_bn_sub_words_tail:           ! wow! 32 aligned!
+        lduw    [%o2],%o5
+        dec     %o3
+        subccc  %o4,%o5,%o5
+        brz,pt  %o3,.L_bn_sub_words_return
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+4],%o4
+        lduw    [%o2+4],%o5
+        dec     %o3
+        subccc  %o4,%o5,%o5
+        brz,pt  %o3,.L_bn_sub_words_return
+        stuw    %o5,[%o0+4]
+
+        lduw    [%o1+8],%o4
+        lduw    [%o2+8],%o5
+        subccc  %o4,%o5,%o5
+        stuw    %o5,[%o0+8]
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+
+.type   bn_sub_words,#function
+.size   bn_sub_words,(.-bn_sub_words)
+
+/*
+ * Code below depends on the fact that upper parts of the %l0-%l7
+ * and %i0-%i7 are zeroed by kernel after context switch. In
+ * previous versions this comment stated that "the trouble is that
+ * it's not feasible to implement the mumbo-jumbo in less V9
+ * instructions:-(" which apparently isn't true thanks to
+ * 'bcs,a %xcc,.+8; inc %rd' pair. But the performance improvement
+ * results not from the shorter code, but from elimination of
+ * multicycle none-pairable 'rd %y,%rd' instructions.
+ *
+ *                                                      Andy.
+ */
+
+#define FRAME_SIZE      -96
+
+/*
+ * Here is register usage map for *all* routines below.
+ */
+#define t_1     %o0
+#define t_2     %o1
+#define c_12    %o2
+#define c_3     %o3
+
+#define ap(I)   [%i1+4*I]
+#define bp(I)   [%i2+4*I]
+#define rp(I)   [%i0+4*I]
+
+#define a_0     %l0
+#define a_1     %l1
+#define a_2     %l2
+#define a_3     %l3
+#define a_4     %l4
+#define a_5     %l5
+#define a_6     %l6
+#define a_7     %l7
+
+#define b_0     %i3
+#define b_1     %i4
+#define b_2     %i5
+#define b_3     %o4
+#define b_4     %o5
+#define b_5     %o7
+#define b_6     %g1
+#define b_7     %g4
+
+.align  32
+.global bn_mul_comba8
+/*
+ * void bn_mul_comba8(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        mov     1,t_2
+        lduw    ap(0),a_0
+        sllx    t_2,32,t_2
+        lduw    bp(0),b_0       !=
+        lduw    bp(1),b_1
+        mulx    a_0,b_0,t_1     !mul_add_c(a[0],b[0],c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !=!r[0]=c1;
+
+        lduw    ap(1),a_1
+        mulx    a_0,b_1,t_1     !mul_add_c(a[0],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(2),a_2
+        mulx    a_1,b_0,t_1     !=!mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(2),b_2       !=
+        mulx    a_1,b_1,t_1     !mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(3),b_3
+        mulx    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_3,t_1     !mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_2,t_1     !=!mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(4),a_4
+        mulx    a_3,b_0,t_1     !=!mul_add_c(a[3],b[0],c1,c2,c3);!=
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(3)       !r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_4,b_0,t_1     !mul_add_c(a[4],b[0],c2,c3,c1);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_1,t_1     !=!mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,b_2,t_1     !=!mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(4),b_4       !=
+        mulx    a_1,b_3,t_1     !mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(5),b_5
+        mulx    a_0,b_4,t_1     !mul_add_c(a[0],b[4],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !r[4]=c2;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_5,t_1     !mul_add_c(a[0],b[5],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_4,t_1     !mul_add_c(a[1],b[4],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_2,b_3,t_1     !mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(5),a_5
+        mulx    a_4,b_1,t_1     !mul_add_c(a[4],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(6),a_6
+        mulx    a_5,b_0,t_1     !=!mul_add_c(a[5],b[0],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(5)       !r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_6,b_0,t_1     !mul_add_c(a[6],b[0],c1,c2,c3);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,b_1,t_1     !=!mul_add_c(a[5],b[1],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,b_2,t_1     !=!mul_add_c(a[4],b[2],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_3,t_1     !=!mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,b_4,t_1     !=!mul_add_c(a[2],b[4],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(6),b_6       !=
+        mulx    a_1,b_5,t_1     !mul_add_c(a[1],b[5],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(7),b_7
+        mulx    a_0,b_6,t_1     !mul_add_c(a[0],b[6],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(6)       !r[6]=c1;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_7,t_1     !mul_add_c(a[0],b[7],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_6,t_1     !mul_add_c(a[1],b[6],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_2,b_5,t_1     !mul_add_c(a[2],b[5],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_3,b_4,t_1     !mul_add_c(a[3],b[4],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_4,b_3,t_1     !mul_add_c(a[4],b[3],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_2,t_1     !mul_add_c(a[5],b[2],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(7),a_7
+        mulx    a_6,b_1,t_1     !=!mul_add_c(a[6],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_7,b_0,t_1     !=!mul_add_c(a[7],b[0],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(7)       !r[7]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,b_1,t_1     !=!mul_add_c(a[7],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_6,b_2,t_1     !mul_add_c(a[6],b[2],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_5,b_3,t_1     !mul_add_c(a[5],b[3],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_4,b_4,t_1     !mul_add_c(a[4],b[4],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_3,b_5,t_1     !mul_add_c(a[3],b[5],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_2,b_6,t_1     !mul_add_c(a[2],b[6],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_1,b_7,t_1     !mul_add_c(a[1],b[7],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(8)       !r[8]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_7,t_1     !=!mul_add_c(a[2],b[7],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_3,b_6,t_1     !mul_add_c(a[3],b[6],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_4,b_5,t_1     !mul_add_c(a[4],b[5],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_4,t_1     !mul_add_c(a[5],b[4],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_3,t_1     !mul_add_c(a[6],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_7,b_2,t_1     !mul_add_c(a[7],b[2],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(9)       !r[9]=c1;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_7,b_3,t_1     !mul_add_c(a[7],b[3],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_4,t_1     !mul_add_c(a[6],b[4],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_5,t_1     !mul_add_c(a[5],b[5],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_4,b_6,t_1     !mul_add_c(a[4],b[6],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_3,b_7,t_1     !mul_add_c(a[3],b[7],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(10)      !r[10]=c2;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_4,b_7,t_1     !mul_add_c(a[4],b[7],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_6,t_1     !mul_add_c(a[5],b[6],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_5,t_1     !mul_add_c(a[6],b[5],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_7,b_4,t_1     !mul_add_c(a[7],b[4],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(11)      !r[11]=c3;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_7,b_5,t_1     !mul_add_c(a[7],b[5],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_6,t_1     !mul_add_c(a[6],b[6],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_7,t_1     !mul_add_c(a[5],b[7],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(12)      !r[12]=c1;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_6,b_7,t_1     !mul_add_c(a[6],b[7],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_7,b_6,t_1     !mul_add_c(a[7],b[6],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        st      t_1,rp(13)      !r[13]=c2;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_7,b_7,t_1     !mul_add_c(a[7],b[7],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(14)      !r[14]=c3;
+        stuw    c_12,rp(15)     !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0     !=
+
+.type   bn_mul_comba8,#function
+.size   bn_mul_comba8,(.-bn_mul_comba8)
+
+.align  32
+
+.global bn_mul_comba4
+/*
+ * void bn_mul_comba4(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        lduw    ap(0),a_0
+        mov     1,t_2
+        lduw    bp(0),b_0
+        sllx    t_2,32,t_2      !=
+        lduw    bp(1),b_1
+        mulx    a_0,b_0,t_1     !mul_add_c(a[0],b[0],c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !=!r[0]=c1;
+
+        lduw    ap(1),a_1
+        mulx    a_0,b_1,t_1     !mul_add_c(a[0],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(2),a_2
+        mulx    a_1,b_0,t_1     !=!mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(2),b_2       !=
+        mulx    a_1,b_1,t_1     !mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(3),b_3
+        mulx    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_3,t_1     !mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_2,t_1     !mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_0,t_1     !mul_add_c(a[3],b[0],c1,c2,c3);!=
+        addcc   c_12,t_1,t_1    !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(3)       !=!r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,b_1,t_1     !mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,b_2,t_1     !mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,b_3,t_1     !mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_12,t_1,t_1    !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !=!r[4]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_3,t_1     !mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_12,t_1,t_1    !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(5)       !=!r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,b_3,t_1     !mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(6)       !r[6]=c1;
+        stuw    c_12,rp(7)      !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_mul_comba4,#function
+.size   bn_mul_comba4,(.-bn_mul_comba4)
+
+.align  32
+
+.global bn_sqr_comba8
+bn_sqr_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        mov     1,t_2
+        lduw    ap(0),a_0
+        sllx    t_2,32,t_2
+        lduw    ap(1),a_1
+        mulx    a_0,a_0,t_1     !sqr_add_c(a,0,c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !r[0]=c1;
+
+        lduw    ap(2),a_2
+        mulx    a_0,a_1,t_1     !=!sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_3,t_1     !sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(4),a_4
+        mulx    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        st      t_1,rp(3)       !r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_4,a_0,t_1     !sqr_add_c2(a,4,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(5),a_5
+        mulx    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !r[4]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_5,t_1     !sqr_add_c2(a,5,0,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,a_4,t_1     !sqr_add_c2(a,4,1,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(6),a_6
+        mulx    a_2,a_3,t_1     !sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(5)       !r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_6,a_0,t_1     !sqr_add_c2(a,6,0,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_1,t_1     !sqr_add_c2(a,5,1,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,a_2,t_1     !sqr_add_c2(a,4,2,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(7),a_7
+        mulx    a_3,a_3,t_1     !=!sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(6)       !r[6]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_7,t_1     !sqr_add_c2(a,7,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,a_6,t_1     !sqr_add_c2(a,6,1,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,a_5,t_1     !sqr_add_c2(a,5,2,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,a_4,t_1     !sqr_add_c2(a,4,3,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(7)       !r[7]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_1,t_1     !sqr_add_c2(a,7,1,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_6,a_2,t_1     !sqr_add_c2(a,6,2,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_3,t_1     !sqr_add_c2(a,5,3,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,a_4,t_1     !sqr_add_c(a,4,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(8)       !r[8]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_7,t_1     !sqr_add_c2(a,7,2,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,a_6,t_1     !sqr_add_c2(a,6,3,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,a_5,t_1     !sqr_add_c2(a,5,4,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(9)       !r[9]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_3,t_1     !sqr_add_c2(a,7,3,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_6,a_4,t_1     !sqr_add_c2(a,6,4,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_5,t_1     !sqr_add_c(a,5,c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(10)      !r[10]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_4,a_7,t_1     !sqr_add_c2(a,7,4,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_6,t_1     !sqr_add_c2(a,6,5,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(11)      !r[11]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_5,t_1     !sqr_add_c2(a,7,5,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_6,a_6,t_1     !sqr_add_c(a,6,c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(12)      !r[12]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_6,a_7,t_1     !sqr_add_c2(a,7,6,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(13)      !r[13]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_7,t_1     !sqr_add_c(a,7,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(14)      !r[14]=c3;
+        stuw    c_12,rp(15)     !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba8,#function
+.size   bn_sqr_comba8,(.-bn_sqr_comba8)
+
+.align  32
+
+.global bn_sqr_comba4
+/*
+ * void bn_sqr_comba4(r,a)
+ * BN_ULONG *r,*a;
+ */
+bn_sqr_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        mov     1,t_2
+        lduw    ap(0),a_0
+        sllx    t_2,32,t_2
+        lduw    ap(1),a_1
+        mulx    a_0,a_0,t_1     !sqr_add_c(a,0,c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !r[0]=c1;
+
+        lduw    ap(2),a_2
+        mulx    a_0,a_1,t_1     !sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_3,t_1     !sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(3)       !r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !r[4]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_3,t_1     !sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(5)       !r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,a_3,t_1     !sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(6)       !r[6]=c1;
+        stuw    c_12,rp(7)      !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba4,#function
+.size   bn_sqr_comba4,(.-bn_sqr_comba4)
+
+.align  32
diff --git a/src/lib/libcrypto/bn/asm/x86.pl b/src/lib/libcrypto/bn/asm/x86.pl
new file mode 100644
index 0000000000..1bc4f1bb27
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86.pl
@@ -0,0 +1,28 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+require("x86/mul_add.pl");
+require("x86/mul.pl");
+require("x86/sqr.pl");
+require("x86/div.pl");
+require("x86/add.pl");
+require("x86/sub.pl");
+require("x86/comba.pl");
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_add_words("bn_mul_add_words");
+&bn_mul_words("bn_mul_words");
+&bn_sqr_words("bn_sqr_words");
+&bn_div_words("bn_div_words");
+&bn_add_words("bn_add_words");
+&bn_sub_words("bn_sub_words");
+&bn_mul_comba("bn_mul_comba8",8);
+&bn_mul_comba("bn_mul_comba4",4);
+&bn_sqr_comba("bn_sqr_comba8",8);
+&bn_sqr_comba("bn_sqr_comba4",4);
+
+&asm_finish();
+
diff --git a/src/lib/libcrypto/bn/asm/x86/add.pl b/src/lib/libcrypto/bn/asm/x86/add.pl
new file mode 100644
index 0000000000..0b5cf583e3
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/add.pl
@@ -0,0 +1,76 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_add_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $a="esi";
+        $b="edi";
+        $c="eax";
+        $r="ebx";
+        $tmp1="ecx";
+        $tmp2="edx";
+        $num="ebp";
+
+        &mov($r,&wparam(0));    # get r
+         &mov($a,&wparam(1));   # get a
+        &mov($b,&wparam(2));    # get b
+         &mov($num,&wparam(3)); # get num
+        &xor($c,$c);            # clear carry
+         &and($num,0xfffffff8); # num / 8
+
+        &jz(&label("aw_finish"));
+
+        &set_label("aw_loop",0);
+        for ($i=0; $i<8; $i++)
+                {
+                &comment("Round $i");
+
+                &mov($tmp1,&DWP($i*4,$a,"",0));         # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));        # *b
+                &add($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &add($tmp1,$tmp2);
+                &adc($c,0);
+                 &mov(&DWP($i*4,$r,"",0),$tmp1);        # *r
+                }
+
+        &comment("");
+        &add($a,32);
+         &add($b,32);
+        &add($r,32);
+         &sub($num,8);
+        &jnz(&label("aw_loop"));
+
+        &set_label("aw_finish",0);
+        &mov($num,&wparam(3));  # get num
+        &and($num,7);
+         &jz(&label("aw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov($tmp1,&DWP($i*4,$a,"",0)); # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+                &add($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &add($tmp1,$tmp2);
+                &adc($c,0);
+                 &dec($num) if ($i != 6);
+                &mov(&DWP($i*4,$r,"",0),$tmp1); # *a
+                 &jz(&label("aw_end")) if ($i != 6);
+                }
+        &set_label("aw_end",0);
+
+#       &mov("eax",$c);         # $c is "eax"
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libcrypto/bn/asm/x86/comba.pl b/src/lib/libcrypto/bn/asm/x86/comba.pl
new file mode 100644
index 0000000000..2291253629
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/comba.pl
@@ -0,0 +1,277 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub mul_add_c
+        {
+        local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("mul a[$ai]*b[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        &mul("edx");
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # laod next a
+         &mov("eax",&wparam(0)) if $pos > 0;                    # load r[]
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0;        # laod next b
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1;        # laod next b
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0;           # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # laod next a
+        }
+
+sub sqr_add_c
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb);
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;              # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # load next b
+        }
+
+sub sqr_add_c2
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$a,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add("eax","eax");
+         ###
+        &adc("edx","edx");
+         ###
+        &adc($c2,0);
+         &add($c0,"eax");
+        &adc($c1,"edx");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;        # load next b
+        &adc($c2,0);
+        &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;               # save r[];
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb);
+         ###
+        }
+
+sub bn_mul_comba
+        {
+        local($name,$num)=@_;
+        local($a,$b,$c0,$c1,$c2);
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($tot,$end);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $b="edi";
+        
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        &push("esi");
+         &mov($a,&wparam(1));
+        &push("edi");
+         &mov($b,&wparam(2));
+        &push("ebp");
+         &push("ebx");
+
+        &xor($c0,$c0);
+         &mov("eax",&DWP(0,$a,"",0));   # load the first word 
+        &xor($c1,$c1);
+         &mov("edx",&DWP(0,$b,"",0));   # load the first second 
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("################## Calculate word $i"); 
+
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($j+1) == $end)
+                                {
+                                $v=1;
+                                $v=2 if (($i+1) == $tot);
+                                }
+                        else
+                                { $v=0; }
+                        if (($j+1) != $end)
+                                {
+                                $na=($ai-1);
+                                $nb=($bi+1);
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+#printf STDERR "[$ai,$bi] -> [$na,$nb]\n";
+                        &mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb);
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                # &mov("eax",&wparam(0));
+                                # &mov(&DWP($i*4,"eax","",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &comment("save r[$i]");
+        # &mov("eax",&wparam(0));
+        &mov(&DWP($i*4,"eax","",0),$c0);
+
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
+
+sub bn_sqr_comba
+        {
+        local($name,$num)=@_;
+        local($r,$a,$c0,$c1,$c2)=@_;
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($b,$tot,$end,$half);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $r="edi";
+
+        &push("esi");
+         &push("edi");
+        &push("ebp");
+         &push("ebx");
+        &mov($r,&wparam(0));
+         &mov($a,&wparam(1));
+        &xor($c0,$c0);
+         &xor($c1,$c1);
+        &mov("eax",&DWP(0,$a,"",0)); # load the first word
+
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("############### Calculate word $i");
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($ai-1) < ($bi+1))
+                                {
+                                $v=1;
+                                $v=2 if ($i+1) == $tot;
+                                }
+                        else
+                                { $v=0; }
+                        if (!$v)
+                                {
+                                $na=$ai-1;
+                                $nb=$bi+1;
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+                        if ($ai == $bi)
+                                {
+                                &sqr_add_c($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        else
+                                {
+                                &sqr_add_c2($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                #&mov(&DWP($i*4,$r,"",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                last;
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &mov(&DWP($i*4,$r,"",0),$c0);
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
+
+1;
diff --git a/src/lib/libcrypto/bn/asm/x86/div.pl b/src/lib/libcrypto/bn/asm/x86/div.pl
new file mode 100644
index 0000000000..0e90152caa
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/div.pl
@@ -0,0 +1,15 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_div_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+        &mov("edx",&wparam(0)); #
+        &mov("eax",&wparam(1)); #
+        &mov("ebx",&wparam(2)); #
+        &div("ebx");
+        &function_end($name);
+        }
+1;
diff --git a/src/lib/libcrypto/bn/asm/x86/mul.pl b/src/lib/libcrypto/bn/asm/x86/mul.pl
new file mode 100644
index 0000000000..674cb9b055
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/mul.pl
@@ -0,0 +1,77 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_mul_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $Low="eax";
+        $High="edx";
+        $a="ebx";
+        $w="ecx";
+        $r="edi";
+        $c="esi";
+        $num="ebp";
+
+        &xor($c,$c);            # clear carry
+        &mov($r,&wparam(0));    #
+        &mov($a,&wparam(1));    #
+        &mov($num,&wparam(2));  #
+        &mov($w,&wparam(3));    #
+
+        &and($num,0xfffffff8);  # num / 8
+        &jz(&label("mw_finish"));
+
+        &set_label("mw_loop",0);
+        for ($i=0; $i<32; $i+=4)
+                {
+                &comment("Round $i");
+
+                 &mov("eax",&DWP($i,$a,"",0));  # *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);                 # L(t)+=c
+                 # XXX
+
+                &adc("edx",0);                  # H(t)+=carry
+                 &mov(&DWP($i,$r,"",0),"eax");  # *r= L(t);
+
+                &mov($c,"edx");                 # c=  H(t);
+                }
+
+        &comment("");
+        &add($a,32);
+        &add($r,32);
+        &sub($num,8);
+        &jz(&label("mw_finish"));
+        &jmp(&label("mw_loop"));
+
+        &set_label("mw_finish",0);
+        &mov($num,&wparam(2));  # get num
+        &and($num,7);
+        &jnz(&label("mw_finish2"));
+        &jmp(&label("mw_end"));
+
+        &set_label("mw_finish2",1);
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                 &mov("eax",&DWP($i*4,$a,"",0));# *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);                 # L(t)+=c
+                 # XXX
+                &adc("edx",0);                  # H(t)+=carry
+                 &mov(&DWP($i*4,$r,"",0),"eax");# *r= L(t);
+                &mov($c,"edx");                 # c=  H(t);
+                 &dec($num) if ($i != 7-1);
+                &jz(&label("mw_end")) if ($i != 7-1);
+                }
+        &set_label("mw_end",0);
+        &mov("eax",$c);
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libcrypto/bn/asm/x86/mul_add.pl b/src/lib/libcrypto/bn/asm/x86/mul_add.pl
new file mode 100644
index 0000000000..61830d3a90
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/mul_add.pl
@@ -0,0 +1,87 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_mul_add_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $Low="eax";
+        $High="edx";
+        $a="ebx";
+        $w="ebp";
+        $r="edi";
+        $c="esi";
+
+        &xor($c,$c);            # clear carry
+        &mov($r,&wparam(0));    #
+
+        &mov("ecx",&wparam(2)); #
+        &mov($a,&wparam(1));    #
+
+        &and("ecx",0xfffffff8); # num / 8
+        &mov($w,&wparam(3));    #
+
+        &push("ecx");           # Up the stack for a tmp variable
+
+        &jz(&label("maw_finish"));
+
+        &set_label("maw_loop",0);
+
+        &mov(&swtmp(0),"ecx");  #
+
+        for ($i=0; $i<32; $i+=4)
+                {
+                &comment("Round $i");
+
+                 &mov("eax",&DWP($i,$a,"",0));  # *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);         # L(t)+= *r
+                 &mov($c,&DWP($i,$r,"",0));     # L(t)+= *r
+                &adc("edx",0);                  # H(t)+=carry
+                 &add("eax",$c);                # L(t)+=c
+                &adc("edx",0);                  # H(t)+=carry
+                 &mov(&DWP($i,$r,"",0),"eax");  # *r= L(t);
+                &mov($c,"edx");                 # c=  H(t);
+                }
+
+        &comment("");
+        &mov("ecx",&swtmp(0));  #
+        &add($a,32);
+        &add($r,32);
+        &sub("ecx",8);
+        &jnz(&label("maw_loop"));
+
+        &set_label("maw_finish",0);
+        &mov("ecx",&wparam(2)); # get num
+        &and("ecx",7);
+        &jnz(&label("maw_finish2"));    # helps branch prediction
+        &jmp(&label("maw_end"));
+
+        &set_label("maw_finish2",1);
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                 &mov("eax",&DWP($i*4,$a,"",0));# *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);                 # L(t)+=c
+                 &mov($c,&DWP($i*4,$r,"",0));   # L(t)+= *r
+                &adc("edx",0);                  # H(t)+=carry
+                 &add("eax",$c);
+                &adc("edx",0);                  # H(t)+=carry
+                 &dec("ecx") if ($i != 7-1);
+                &mov(&DWP($i*4,$r,"",0),"eax"); # *r= L(t);
+                 &mov($c,"edx");                        # c=  H(t);
+                &jz(&label("maw_end")) if ($i != 7-1);
+                }
+        &set_label("maw_end",0);
+        &mov("eax",$c);
+
+        &pop("ecx");    # clear variable from
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libcrypto/bn/asm/x86/sqr.pl b/src/lib/libcrypto/bn/asm/x86/sqr.pl
new file mode 100644
index 0000000000..1f90993cf6
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/sqr.pl
@@ -0,0 +1,60 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_sqr_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $r="esi";
+        $a="edi";
+        $num="ebx";
+
+        &mov($r,&wparam(0));    #
+        &mov($a,&wparam(1));    #
+        &mov($num,&wparam(2));  #
+
+        &and($num,0xfffffff8);  # num / 8
+        &jz(&label("sw_finish"));
+
+        &set_label("sw_loop",0);
+        for ($i=0; $i<32; $i+=4)
+                {
+                &comment("Round $i");
+                &mov("eax",&DWP($i,$a,"",0));   # *a
+                 # XXX
+                &mul("eax");                    # *a * *a
+                &mov(&DWP($i*2,$r,"",0),"eax"); #
+                 &mov(&DWP($i*2+4,$r,"",0),"edx");#
+                }
+
+        &comment("");
+        &add($a,32);
+        &add($r,64);
+        &sub($num,8);
+        &jnz(&label("sw_loop"));
+
+        &set_label("sw_finish",0);
+        &mov($num,&wparam(2));  # get num
+        &and($num,7);
+        &jz(&label("sw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov("eax",&DWP($i*4,$a,"",0)); # *a
+                 # XXX
+                &mul("eax");                    # *a * *a
+                &mov(&DWP($i*8,$r,"",0),"eax"); #
+                 &dec($num) if ($i != 7-1);
+                &mov(&DWP($i*8+4,$r,"",0),"edx");
+                 &jz(&label("sw_end")) if ($i != 7-1);
+                }
+        &set_label("sw_end",0);
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libcrypto/bn/asm/x86/sub.pl b/src/lib/libcrypto/bn/asm/x86/sub.pl
new file mode 100644
index 0000000000..837b0e1b07
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/x86/sub.pl
@@ -0,0 +1,76 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_sub_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $a="esi";
+        $b="edi";
+        $c="eax";
+        $r="ebx";
+        $tmp1="ecx";
+        $tmp2="edx";
+        $num="ebp";
+
+        &mov($r,&wparam(0));    # get r
+         &mov($a,&wparam(1));   # get a
+        &mov($b,&wparam(2));    # get b
+         &mov($num,&wparam(3)); # get num
+        &xor($c,$c);            # clear carry
+         &and($num,0xfffffff8); # num / 8
+
+        &jz(&label("aw_finish"));
+
+        &set_label("aw_loop",0);
+        for ($i=0; $i<8; $i++)
+                {
+                &comment("Round $i");
+
+                &mov($tmp1,&DWP($i*4,$a,"",0));         # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));        # *b
+                &sub($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &sub($tmp1,$tmp2);
+                &adc($c,0);
+                 &mov(&DWP($i*4,$r,"",0),$tmp1);        # *r
+                }
+
+        &comment("");
+        &add($a,32);
+         &add($b,32);
+        &add($r,32);
+         &sub($num,8);
+        &jnz(&label("aw_loop"));
+
+        &set_label("aw_finish",0);
+        &mov($num,&wparam(3));  # get num
+        &and($num,7);
+         &jz(&label("aw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov($tmp1,&DWP($i*4,$a,"",0)); # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+                &sub($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &sub($tmp1,$tmp2);
+                &adc($c,0);
+                 &dec($num) if ($i != 6);
+                &mov(&DWP($i*4,$r,"",0),$tmp1); # *a
+                 &jz(&label("aw_end")) if ($i != 6);
+                }
+        &set_label("aw_end",0);
+
+#       &mov("eax",$c);         # $c is "eax"
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
new file mode 100644
index 0000000000..f935e1ca79
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn.h
@@ -0,0 +1,467 @@
+/* crypto/bn/bn.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BN_H
+#define HEADER_BN_H
+
+#ifndef WIN16
+#include <stdio.h> /* FILE */
+#endif
+#include <openssl/opensslconf.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef VMS
+#undef BN_LLONG /* experimental, so far... */
+#endif
+
+#define BN_MUL_COMBA
+#define BN_SQR_COMBA
+#define BN_RECURSION
+#define RECP_MUL_MOD
+#define MONT_MUL_MOD
+
+/* This next option uses the C libraries (2 word)/(1 word) function.
+ * If it is not defined, I use my C version (which is slower).
+ * The reason for this flag is that when the particular C compiler
+ * library routine is used, and the library is linked with a different
+ * compiler, the library is missing.  This mostly happens when the
+ * library is built with gcc and then linked using nornal cc.  This would
+ * be a common occurance because gcc normally produces code that is
+ * 2 times faster than system compilers for the big number stuff.
+ * For machines with only one compiler (or shared libraries), this should
+ * be on.  Again this in only really a problem on machines
+ * using "long long's", are 32bit, and are not using my assember code. */
+#if defined(MSDOS) || defined(WINDOWS) || defined(linux)
+#define BN_DIV2W
+#endif
+
+/* assuming long is 64bit - this is the DEC Alpha
+ * unsigned long long is only 64 bits :-(, don't define
+ * BN_LLONG for the DEC Alpha */
+#ifdef SIXTY_FOUR_BIT_LONG
+#define BN_ULLONG       unsigned long long
+#define BN_ULONG        unsigned long
+#define BN_LONG         long
+#define BN_BITS         128
+#define BN_BYTES        8
+#define BN_BITS2        64
+#define BN_BITS4        32
+#define BN_MASK         (0xffffffffffffffffffffffffffffffffLL)
+#define BN_MASK2        (0xffffffffffffffffL)
+#define BN_MASK2l       (0xffffffffL)
+#define BN_MASK2h       (0xffffffff00000000L)
+#define BN_MASK2h1      (0xffffffff80000000L)
+#define BN_TBIT         (0x8000000000000000L)
+#define BN_DEC_CONV     (10000000000000000000UL)
+#define BN_DEC_FMT1     "%lu"
+#define BN_DEC_FMT2     "%019lu"
+#define BN_DEC_NUM      19
+#endif
+
+/* This is where the long long data type is 64 bits, but long is 32.
+ * For machines where there are 64bit registers, this is the mode to use.
+ * IRIX, on R4000 and above should use this mode, along with the relevent
+ * assember code :-).  Do NOT define BN_LLONG.
+ */
+#ifdef SIXTY_FOUR_BIT
+#undef BN_LLONG
+#undef BN_ULLONG
+#define BN_ULONG        unsigned long long
+#define BN_LONG         long long
+#define BN_BITS         128
+#define BN_BYTES        8
+#define BN_BITS2        64
+#define BN_BITS4        32
+#define BN_MASK2        (0xffffffffffffffffLL)
+#define BN_MASK2l       (0xffffffffL)
+#define BN_MASK2h       (0xffffffff00000000LL)
+#define BN_MASK2h1      (0xffffffff80000000LL)
+#define BN_TBIT         (0x8000000000000000LL)
+#define BN_DEC_CONV     (10000000000000000000LL)
+#define BN_DEC_FMT1     "%llu"
+#define BN_DEC_FMT2     "%019llu"
+#define BN_DEC_NUM      19
+#endif
+
+#ifdef THIRTY_TWO_BIT
+#if defined(WIN32) && !defined(__GNUC__)
+#define BN_ULLONG       unsigned _int64
+#else
+#define BN_ULLONG       unsigned long long
+#endif
+#define BN_ULONG        unsigned long
+#define BN_LONG         long
+#define BN_BITS         64
+#define BN_BYTES        4
+#define BN_BITS2        32
+#define BN_BITS4        16
+#ifdef WIN32
+/* VC++ doesn't like the LL suffix */
+#define BN_MASK         (0xffffffffffffffffL)
+#else
+#define BN_MASK         (0xffffffffffffffffLL)
+#endif
+#define BN_MASK2        (0xffffffffL)
+#define BN_MASK2l       (0xffff)
+#define BN_MASK2h1      (0xffff8000L)
+#define BN_MASK2h       (0xffff0000L)
+#define BN_TBIT         (0x80000000L)
+#define BN_DEC_CONV     (1000000000L)
+#define BN_DEC_FMT1     "%lu"
+#define BN_DEC_FMT2     "%09lu"
+#define BN_DEC_NUM      9
+#endif
+
+#ifdef SIXTEEN_BIT
+#ifndef BN_DIV2W
+#define BN_DIV2W
+#endif
+#define BN_ULLONG       unsigned long
+#define BN_ULONG        unsigned short
+#define BN_LONG         short
+#define BN_BITS         32
+#define BN_BYTES        2
+#define BN_BITS2        16
+#define BN_BITS4        8
+#define BN_MASK         (0xffffffff)
+#define BN_MASK2        (0xffff)
+#define BN_MASK2l       (0xff)
+#define BN_MASK2h1      (0xff80)
+#define BN_MASK2h       (0xff00)
+#define BN_TBIT         (0x8000)
+#define BN_DEC_CONV     (100000)
+#define BN_DEC_FMT1     "%u"
+#define BN_DEC_FMT2     "%05u"
+#define BN_DEC_NUM      5
+#endif
+
+#ifdef EIGHT_BIT
+#ifndef BN_DIV2W
+#define BN_DIV2W
+#endif
+#define BN_ULLONG       unsigned short
+#define BN_ULONG        unsigned char
+#define BN_LONG         char
+#define BN_BITS         16
+#define BN_BYTES        1
+#define BN_BITS2        8
+#define BN_BITS4        4
+#define BN_MASK         (0xffff)
+#define BN_MASK2        (0xff)
+#define BN_MASK2l       (0xf)
+#define BN_MASK2h1      (0xf8)
+#define BN_MASK2h       (0xf0)
+#define BN_TBIT         (0x80)
+#define BN_DEC_CONV     (100)
+#define BN_DEC_FMT1     "%u"
+#define BN_DEC_FMT2     "%02u"
+#define BN_DEC_NUM      2
+#endif
+
+#define BN_DEFAULT_BITS 1280
+
+#ifdef BIGNUM
+#undef BIGNUM
+#endif
+
+#define BN_FLG_MALLOCED         0x01
+#define BN_FLG_STATIC_DATA      0x02
+#define BN_FLG_FREE             0x8000  /* used for debuging */
+#define BN_set_flags(b,n)       ((b)->flags|=(n))
+#define BN_get_flags(b,n)       ((b)->flags&(n))
+
+typedef struct bignum_st
+        {
+        BN_ULONG *d;    /* Pointer to an array of 'BN_BITS2' bit chunks. */
+        int top;        /* Index of last used d +1. */
+        /* The next are internal book keeping for bn_expand. */
+        int max;        /* Size of the d array. */
+        int neg;        /* one if the number is negative */
+        int flags;
+        } BIGNUM;
+
+/* Used for temp variables */
+#define BN_CTX_NUM      12
+typedef struct bignum_ctx
+        {
+        int tos;
+        BIGNUM bn[BN_CTX_NUM+1];
+        int flags;
+        } BN_CTX;
+
+typedef struct bn_blinding_st
+        {
+        int init;
+        BIGNUM *A;
+        BIGNUM *Ai;
+        BIGNUM *mod; /* just a reference */
+        } BN_BLINDING;
+
+/* Used for montgomery multiplication */
+typedef struct bn_mont_ctx_st
+        {
+        int use_word;   /* 0 for word form, 1 for long form */
+        int ri;         /* number of bits in R */
+        BIGNUM RR;     /* used to convert to montgomery form */
+        BIGNUM N;      /* The modulus */
+        BIGNUM Ni;     /* The inverse of N */
+        BN_ULONG n0;    /* word form of inverse, normally only one of
+                         * Ni or n0 is defined */
+        int flags;
+        } BN_MONT_CTX;
+
+/* Used for reciprocal division/mod functions
+ * It cannot be shared between threads
+ */
+typedef struct bn_recp_ctx_st
+        {
+        BIGNUM N;       /* the divisor */
+        BIGNUM Nr;      /* the reciprocal */
+        int num_bits;
+        int shift;
+        int flags;
+        } BN_RECP_CTX;
+
+#define BN_to_montgomery(r,a,mont,ctx)  BN_mod_mul_montgomery(\
+        r,a,&((mont)->RR),(mont),ctx)
+
+#define BN_prime_checks         (5)
+
+#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
+#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
+#define BN_is_zero(a)   (((a)->top == 0) || BN_is_word(a,0))
+#define BN_is_one(a)    (BN_is_word((a),1))
+#define BN_is_odd(a)    (((a)->top > 0) && ((a)->d[0] & 1))
+#define BN_one(a)       (BN_set_word((a),1))
+#define BN_zero(a)      (BN_set_word((a),0))
+
+/*#define BN_ascii2bn(a)        BN_hex2bn(a) */
+/*#define BN_bn2ascii(a)        BN_bn2hex(a) */
+
+#define bn_expand(n,b) ((((((b+BN_BITS2-1))/BN_BITS2)) <= (n)->max)?\
+        (n):bn_expand2((n),(b)/BN_BITS2+1))
+#define bn_wexpand(n,b) (((b) <= (n)->max)?(n):bn_expand2((n),(b)))
+
+#define bn_fix_top(a) \
+        { \
+        BN_ULONG *ftl; \
+        if ((a)->top > 0) \
+                { \
+                for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
+                if (*(ftl--)) break; \
+                } \
+        }
+
+BIGNUM *BN_value_one(void);
+char *  BN_options(void);
+BN_CTX *BN_CTX_new(void);
+void    BN_CTX_init(BN_CTX *c);
+void    BN_CTX_free(BN_CTX *c);
+int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int     BN_num_bits(const BIGNUM *a);
+int     BN_num_bits_word(BN_ULONG);
+BIGNUM *BN_new(void);
+void    BN_init(BIGNUM *);
+void    BN_clear_free(BIGNUM *a);
+BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+BIGNUM *BN_bin2bn(const unsigned char *s,int len,BIGNUM *ret);
+int     BN_bn2bin(const BIGNUM *a, unsigned char *to);
+BIGNUM *BN_mpi2bn(unsigned char *s,int len,BIGNUM *ret);
+int     BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+int     BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int     BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int     BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int     BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+int     BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int     BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+               BN_CTX *ctx);
+int     BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b,BN_CTX *ctx);
+int     BN_sqr(BIGNUM *r, BIGNUM *a,BN_CTX *ctx);
+BN_ULONG BN_mod_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+int     BN_mul_word(BIGNUM *a, BN_ULONG w);
+int     BN_add_word(BIGNUM *a, BN_ULONG w);
+int     BN_sub_word(BIGNUM *a, BN_ULONG w);
+int     BN_set_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_get_word(BIGNUM *a);
+int     BN_cmp(const BIGNUM *a, const BIGNUM *b);
+void    BN_free(BIGNUM *a);
+int     BN_is_bit_set(const BIGNUM *a, int n);
+int     BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+int     BN_lshift1(BIGNUM *r, BIGNUM *a);
+int     BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p,BN_CTX *ctx);
+int     BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                   const BIGNUM *m,BN_CTX *ctx);
+int     BN_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int     BN_mod_exp2_mont(BIGNUM *r, BIGNUM *a1, BIGNUM *p1,BIGNUM *a2,
+                BIGNUM *p2,BIGNUM *m,BN_CTX *ctx,BN_MONT_CTX *m_ctx);
+int     BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p,
+        BIGNUM *m,BN_CTX *ctx);
+int     BN_mask_bits(BIGNUM *a,int n);
+int     BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+#ifndef WIN16
+int     BN_print_fp(FILE *fp, BIGNUM *a);
+#endif
+#ifdef HEADER_BIO_H
+int     BN_print(BIO *fp, const BIGNUM *a);
+#else
+int     BN_print(char *fp, const BIGNUM *a);
+#endif
+int     BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx);
+int     BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+int     BN_rshift1(BIGNUM *r, BIGNUM *a);
+void    BN_clear(BIGNUM *a);
+BIGNUM *bn_expand2(BIGNUM *b, int bits);
+BIGNUM *BN_dup(const BIGNUM *a);
+int     BN_ucmp(const BIGNUM *a, const BIGNUM *b);
+int     BN_set_bit(BIGNUM *a, int n);
+int     BN_clear_bit(BIGNUM *a, int n);
+char *  BN_bn2hex(const BIGNUM *a);
+char *  BN_bn2dec(const BIGNUM *a);
+int     BN_hex2bn(BIGNUM **a, const char *str);
+int     BN_dec2bn(BIGNUM **a, const char *str);
+int     BN_gcd(BIGNUM *r,BIGNUM *in_a,BIGNUM *in_b,BN_CTX *ctx);
+BIGNUM *BN_mod_inverse(BIGNUM *ret,BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int strong,BIGNUM *add,
+                BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg);
+int     BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *),
+                BN_CTX *ctx,void *cb_arg);
+void    ERR_load_BN_strings(void );
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+
+BN_MONT_CTX *BN_MONT_CTX_new(void );
+void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
+                          BN_CTX *ctx);
+int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx);
+void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+
+BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
+void BN_BLINDING_free(BN_BLINDING *b);
+int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *r, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+
+void BN_set_params(int mul,int high,int low,int mont);
+int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
+
+void    BN_RECP_CTX_init(BN_RECP_CTX *recp);
+BN_RECP_CTX *BN_RECP_CTX_new(void);
+void    BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int     BN_RECP_CTX_set(BN_RECP_CTX *recp,const BIGNUM *rdiv,BN_CTX *ctx);
+int     BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y,
+                BN_RECP_CTX *recp,BN_CTX *ctx);
+int     BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx);
+int     BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
+                BN_RECP_CTX *recp, BN_CTX *ctx);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the BN functions. */
+
+/* Function codes. */
+#define BN_F_BN_BLINDING_CONVERT                         100
+#define BN_F_BN_BLINDING_INVERT                          101
+#define BN_F_BN_BLINDING_NEW                             102
+#define BN_F_BN_BLINDING_UPDATE                          103
+#define BN_F_BN_BN2DEC                                   104
+#define BN_F_BN_BN2HEX                                   105
+#define BN_F_BN_CTX_NEW                                  106
+#define BN_F_BN_DIV                                      107
+#define BN_F_BN_EXPAND2                                  108
+#define BN_F_BN_MOD_EXP_MONT                             109
+#define BN_F_BN_MOD_INVERSE                              110
+#define BN_F_BN_MOD_MUL_RECIPROCAL                       111
+#define BN_F_BN_MPI2BN                                   112
+#define BN_F_BN_NEW                                      113
+#define BN_F_BN_RAND                                     114
+#define BN_F_BN_USUB                                     115
+
+/* Reason codes. */
+#define BN_R_ARG2_LT_ARG3                                100
+#define BN_R_BAD_RECIPROCAL                              101
+#define BN_R_CALLED_WITH_EVEN_MODULUS                    102
+#define BN_R_DIV_BY_ZERO                                 103
+#define BN_R_ENCODING_ERROR                              104
+#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA                105
+#define BN_R_INVALID_LENGTH                              106
+#define BN_R_NOT_INITIALIZED                             107
+#define BN_R_NO_INVERSE                                  108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/bn/bn_asm.c b/src/lib/libcrypto/bn/bn_asm.c
new file mode 100644
index 0000000000..4d3da16a0c
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_asm.c
@@ -0,0 +1,802 @@
+/* crypto/bn/bn_asm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#ifdef BN_LLONG 
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG c1=0;
+
+        bn_check_num(num);
+        if (num <= 0) return(c1);
+
+        for (;;)
+                {
+                mul_add(rp[0],ap[0],w,c1);
+                if (--num == 0) break;
+                mul_add(rp[1],ap[1],w,c1);
+                if (--num == 0) break;
+                mul_add(rp[2],ap[2],w,c1);
+                if (--num == 0) break;
+                mul_add(rp[3],ap[3],w,c1);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        
+        return(c1);
+        } 
+
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG c1=0;
+
+        bn_check_num(num);
+        if (num <= 0) return(c1);
+
+        /* for (;;) */
+        while (1) /* circumvent egcs-1.1.2 bug */
+                {
+                mul(rp[0],ap[0],w,c1);
+                if (--num == 0) break;
+                mul(rp[1],ap[1],w,c1);
+                if (--num == 0) break;
+                mul(rp[2],ap[2],w,c1);
+                if (--num == 0) break;
+                mul(rp[3],ap[3],w,c1);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        return(c1);
+        } 
+
+void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+        {
+        bn_check_num(n);
+        if (n <= 0) return;
+        for (;;)
+                {
+                BN_ULLONG t;
+
+                t=(BN_ULLONG)(a[0])*(a[0]);
+                r[0]=Lw(t); r[1]=Hw(t);
+                if (--n == 0) break;
+
+                t=(BN_ULLONG)(a[1])*(a[1]);
+                r[2]=Lw(t); r[3]=Hw(t);
+                if (--n == 0) break;
+
+                t=(BN_ULLONG)(a[2])*(a[2]);
+                r[4]=Lw(t); r[5]=Hw(t);
+                if (--n == 0) break;
+
+                t=(BN_ULLONG)(a[3])*(a[3]);
+                r[6]=Lw(t); r[7]=Hw(t);
+                if (--n == 0) break;
+
+                a+=4;
+                r+=8;
+                }
+        }
+
+#else
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG c=0;
+        BN_ULONG bl,bh;
+
+        bn_check_num(num);
+        if (num <= 0) return((BN_ULONG)0);
+
+        bl=LBITS(w);
+        bh=HBITS(w);
+
+        for (;;)
+                {
+                mul_add(rp[0],ap[0],bl,bh,c);
+                if (--num == 0) break;
+                mul_add(rp[1],ap[1],bl,bh,c);
+                if (--num == 0) break;
+                mul_add(rp[2],ap[2],bl,bh,c);
+                if (--num == 0) break;
+                mul_add(rp[3],ap[3],bl,bh,c);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        return(c);
+        } 
+
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG carry=0;
+        BN_ULONG bl,bh;
+
+        bn_check_num(num);
+        if (num <= 0) return((BN_ULONG)0);
+
+        bl=LBITS(w);
+        bh=HBITS(w);
+
+        for (;;)
+                {
+                mul(rp[0],ap[0],bl,bh,carry);
+                if (--num == 0) break;
+                mul(rp[1],ap[1],bl,bh,carry);
+                if (--num == 0) break;
+                mul(rp[2],ap[2],bl,bh,carry);
+                if (--num == 0) break;
+                mul(rp[3],ap[3],bl,bh,carry);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        return(carry);
+        } 
+
+void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+        {
+        bn_check_num(n);
+        if (n <= 0) return;
+        for (;;)
+                {
+                sqr64(r[0],r[1],a[0]);
+                if (--n == 0) break;
+
+                sqr64(r[2],r[3],a[1]);
+                if (--n == 0) break;
+
+                sqr64(r[4],r[5],a[2]);
+                if (--n == 0) break;
+
+                sqr64(r[6],r[7],a[3]);
+                if (--n == 0) break;
+
+                a+=4;
+                r+=8;
+                }
+        }
+
+#endif
+
+#if defined(BN_LLONG) && defined(BN_DIV2W)
+
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+        {
+        return((BN_ULONG)(((((BN_ULLONG)h)<<BN_BITS2)|l)/(BN_ULLONG)d));
+        }
+
+#else
+
+/* Divide h-l by d and return the result. */
+/* I need to test this some more :-( */
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+        {
+        BN_ULONG dh,dl,q,ret=0,th,tl,t;
+        int i,count=2;
+
+        if (d == 0) return(BN_MASK2);
+
+        i=BN_num_bits_word(d);
+        if ((i != BN_BITS2) && (h > (BN_ULONG)1<<i))
+                {
+#if !defined(NO_STDIO) && !defined(WIN16)
+                fprintf(stderr,"Division would overflow (%d)\n",i);
+#endif
+                abort();
+                }
+        i=BN_BITS2-i;
+        if (h >= d) h-=d;
+
+        if (i)
+                {
+                d<<=i;
+                h=(h<<i)|(l>>(BN_BITS2-i));
+                l<<=i;
+                }
+        dh=(d&BN_MASK2h)>>BN_BITS4;
+        dl=(d&BN_MASK2l);
+        for (;;)
+                {
+                if ((h>>BN_BITS4) == dh)
+                        q=BN_MASK2l;
+                else
+                        q=h/dh;
+
+                th=q*dh;
+                tl=dl*q;
+                for (;;)
+                        {
+                        t=h-th;
+                        if ((t&BN_MASK2h) ||
+                                ((tl) <= (
+                                        (t<<BN_BITS4)|
+                                        ((l&BN_MASK2h)>>BN_BITS4))))
+                                break;
+                        q--;
+                        th-=dh;
+                        tl-=dl;
+                        }
+                t=(tl>>BN_BITS4);
+                tl=(tl<<BN_BITS4)&BN_MASK2h;
+                th+=t;
+
+                if (l < tl) th++;
+                l-=tl;
+                if (h < th)
+                        {
+                        h+=d;
+                        q--;
+                        }
+                h-=th;
+
+                if (--count == 0) break;
+
+                ret=q<<BN_BITS4;
+                h=((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2;
+                l=(l&BN_MASK2l)<<BN_BITS4;
+                }
+        ret|=q;
+        return(ret);
+        }
+#endif
+
+#ifdef BN_LLONG
+BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+        BN_ULLONG ll=0;
+
+        bn_check_num(n);
+        if (n <= 0) return((BN_ULONG)0);
+
+        for (;;)
+                {
+                ll+=(BN_ULLONG)a[0]+b[0];
+                r[0]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                ll+=(BN_ULLONG)a[1]+b[1];
+                r[1]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                ll+=(BN_ULLONG)a[2]+b[2];
+                r[2]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                ll+=(BN_ULLONG)a[3]+b[3];
+                r[3]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                a+=4;
+                b+=4;
+                r+=4;
+                }
+        return((BN_ULONG)ll);
+        }
+#else
+BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+        BN_ULONG c,l,t;
+
+        bn_check_num(n);
+        if (n <= 0) return((BN_ULONG)0);
+
+        c=0;
+        for (;;)
+                {
+                t=a[0];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[0])&BN_MASK2;
+                c+=(l < t);
+                r[0]=l;
+                if (--n <= 0) break;
+
+                t=a[1];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[1])&BN_MASK2;
+                c+=(l < t);
+                r[1]=l;
+                if (--n <= 0) break;
+
+                t=a[2];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[2])&BN_MASK2;
+                c+=(l < t);
+                r[2]=l;
+                if (--n <= 0) break;
+
+                t=a[3];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[3])&BN_MASK2;
+                c+=(l < t);
+                r[3]=l;
+                if (--n <= 0) break;
+
+                a+=4;
+                b+=4;
+                r+=4;
+                }
+        return((BN_ULONG)c);
+        }
+#endif
+
+BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+        BN_ULONG t1,t2;
+        int c=0;
+
+        bn_check_num(n);
+        if (n <= 0) return((BN_ULONG)0);
+
+        for (;;)
+                {
+                t1=a[0]; t2=b[0];
+                r[0]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                t1=a[1]; t2=b[1];
+                r[1]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                t1=a[2]; t2=b[2];
+                r[2]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                t1=a[3]; t2=b[3];
+                r[3]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                a+=4;
+                b+=4;
+                r+=4;
+                }
+        return(c);
+        }
+
+#ifdef BN_MUL_COMBA
+
+#undef bn_mul_comba8
+#undef bn_mul_comba4
+#undef bn_sqr_comba8
+#undef bn_sqr_comba4
+
+#ifdef BN_LLONG
+#define mul_add_c(a,b,c0,c1,c2) \
+        t=(BN_ULLONG)a*b; \
+        t1=(BN_ULONG)Lw(t); \
+        t2=(BN_ULONG)Hw(t); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+        t=(BN_ULLONG)a*b; \
+        tt=(t+t)&BN_MASK; \
+        if (tt < t) c2++; \
+        t1=(BN_ULONG)Lw(tt); \
+        t2=(BN_ULONG)Hw(tt); \
+        c0=(c0+t1)&BN_MASK2;  \
+        if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+        t=(BN_ULLONG)a[i]*a[i]; \
+        t1=(BN_ULONG)Lw(t); \
+        t2=(BN_ULONG)Hw(t); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+        mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#else
+#define mul_add_c(a,b,c0,c1,c2) \
+        t1=LBITS(a); t2=HBITS(a); \
+        bl=LBITS(b); bh=HBITS(b); \
+        mul64(t1,t2,bl,bh); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+        t1=LBITS(a); t2=HBITS(a); \
+        bl=LBITS(b); bh=HBITS(b); \
+        mul64(t1,t2,bl,bh); \
+        if (t2 & BN_TBIT) c2++; \
+        t2=(t2+t2)&BN_MASK2; \
+        if (t1 & BN_TBIT) t2++; \
+        t1=(t1+t1)&BN_MASK2; \
+        c0=(c0+t1)&BN_MASK2;  \
+        if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+        sqr64(t1,t2,(a)[i]); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+        mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#endif
+
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        mul_add_c(a[0],b[0],c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        mul_add_c(a[0],b[1],c2,c3,c1);
+        mul_add_c(a[1],b[0],c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        mul_add_c(a[2],b[0],c3,c1,c2);
+        mul_add_c(a[1],b[1],c3,c1,c2);
+        mul_add_c(a[0],b[2],c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        mul_add_c(a[0],b[3],c1,c2,c3);
+        mul_add_c(a[1],b[2],c1,c2,c3);
+        mul_add_c(a[2],b[1],c1,c2,c3);
+        mul_add_c(a[3],b[0],c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        mul_add_c(a[4],b[0],c2,c3,c1);
+        mul_add_c(a[3],b[1],c2,c3,c1);
+        mul_add_c(a[2],b[2],c2,c3,c1);
+        mul_add_c(a[1],b[3],c2,c3,c1);
+        mul_add_c(a[0],b[4],c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        mul_add_c(a[0],b[5],c3,c1,c2);
+        mul_add_c(a[1],b[4],c3,c1,c2);
+        mul_add_c(a[2],b[3],c3,c1,c2);
+        mul_add_c(a[3],b[2],c3,c1,c2);
+        mul_add_c(a[4],b[1],c3,c1,c2);
+        mul_add_c(a[5],b[0],c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        mul_add_c(a[6],b[0],c1,c2,c3);
+        mul_add_c(a[5],b[1],c1,c2,c3);
+        mul_add_c(a[4],b[2],c1,c2,c3);
+        mul_add_c(a[3],b[3],c1,c2,c3);
+        mul_add_c(a[2],b[4],c1,c2,c3);
+        mul_add_c(a[1],b[5],c1,c2,c3);
+        mul_add_c(a[0],b[6],c1,c2,c3);
+        r[6]=c1;
+        c1=0;
+        mul_add_c(a[0],b[7],c2,c3,c1);
+        mul_add_c(a[1],b[6],c2,c3,c1);
+        mul_add_c(a[2],b[5],c2,c3,c1);
+        mul_add_c(a[3],b[4],c2,c3,c1);
+        mul_add_c(a[4],b[3],c2,c3,c1);
+        mul_add_c(a[5],b[2],c2,c3,c1);
+        mul_add_c(a[6],b[1],c2,c3,c1);
+        mul_add_c(a[7],b[0],c2,c3,c1);
+        r[7]=c2;
+        c2=0;
+        mul_add_c(a[7],b[1],c3,c1,c2);
+        mul_add_c(a[6],b[2],c3,c1,c2);
+        mul_add_c(a[5],b[3],c3,c1,c2);
+        mul_add_c(a[4],b[4],c3,c1,c2);
+        mul_add_c(a[3],b[5],c3,c1,c2);
+        mul_add_c(a[2],b[6],c3,c1,c2);
+        mul_add_c(a[1],b[7],c3,c1,c2);
+        r[8]=c3;
+        c3=0;
+        mul_add_c(a[2],b[7],c1,c2,c3);
+        mul_add_c(a[3],b[6],c1,c2,c3);
+        mul_add_c(a[4],b[5],c1,c2,c3);
+        mul_add_c(a[5],b[4],c1,c2,c3);
+        mul_add_c(a[6],b[3],c1,c2,c3);
+        mul_add_c(a[7],b[2],c1,c2,c3);
+        r[9]=c1;
+        c1=0;
+        mul_add_c(a[7],b[3],c2,c3,c1);
+        mul_add_c(a[6],b[4],c2,c3,c1);
+        mul_add_c(a[5],b[5],c2,c3,c1);
+        mul_add_c(a[4],b[6],c2,c3,c1);
+        mul_add_c(a[3],b[7],c2,c3,c1);
+        r[10]=c2;
+        c2=0;
+        mul_add_c(a[4],b[7],c3,c1,c2);
+        mul_add_c(a[5],b[6],c3,c1,c2);
+        mul_add_c(a[6],b[5],c3,c1,c2);
+        mul_add_c(a[7],b[4],c3,c1,c2);
+        r[11]=c3;
+        c3=0;
+        mul_add_c(a[7],b[5],c1,c2,c3);
+        mul_add_c(a[6],b[6],c1,c2,c3);
+        mul_add_c(a[5],b[7],c1,c2,c3);
+        r[12]=c1;
+        c1=0;
+        mul_add_c(a[6],b[7],c2,c3,c1);
+        mul_add_c(a[7],b[6],c2,c3,c1);
+        r[13]=c2;
+        c2=0;
+        mul_add_c(a[7],b[7],c3,c1,c2);
+        r[14]=c3;
+        r[15]=c1;
+        }
+
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        mul_add_c(a[0],b[0],c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        mul_add_c(a[0],b[1],c2,c3,c1);
+        mul_add_c(a[1],b[0],c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        mul_add_c(a[2],b[0],c3,c1,c2);
+        mul_add_c(a[1],b[1],c3,c1,c2);
+        mul_add_c(a[0],b[2],c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        mul_add_c(a[0],b[3],c1,c2,c3);
+        mul_add_c(a[1],b[2],c1,c2,c3);
+        mul_add_c(a[2],b[1],c1,c2,c3);
+        mul_add_c(a[3],b[0],c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        mul_add_c(a[3],b[1],c2,c3,c1);
+        mul_add_c(a[2],b[2],c2,c3,c1);
+        mul_add_c(a[1],b[3],c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        mul_add_c(a[2],b[3],c3,c1,c2);
+        mul_add_c(a[3],b[2],c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        mul_add_c(a[3],b[3],c1,c2,c3);
+        r[6]=c1;
+        r[7]=c2;
+        }
+
+void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t,tt;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        sqr_add_c(a,0,c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        sqr_add_c2(a,1,0,c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        sqr_add_c(a,1,c3,c1,c2);
+        sqr_add_c2(a,2,0,c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        sqr_add_c2(a,3,0,c1,c2,c3);
+        sqr_add_c2(a,2,1,c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        sqr_add_c(a,2,c2,c3,c1);
+        sqr_add_c2(a,3,1,c2,c3,c1);
+        sqr_add_c2(a,4,0,c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        sqr_add_c2(a,5,0,c3,c1,c2);
+        sqr_add_c2(a,4,1,c3,c1,c2);
+        sqr_add_c2(a,3,2,c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        sqr_add_c(a,3,c1,c2,c3);
+        sqr_add_c2(a,4,2,c1,c2,c3);
+        sqr_add_c2(a,5,1,c1,c2,c3);
+        sqr_add_c2(a,6,0,c1,c2,c3);
+        r[6]=c1;
+        c1=0;
+        sqr_add_c2(a,7,0,c2,c3,c1);
+        sqr_add_c2(a,6,1,c2,c3,c1);
+        sqr_add_c2(a,5,2,c2,c3,c1);
+        sqr_add_c2(a,4,3,c2,c3,c1);
+        r[7]=c2;
+        c2=0;
+        sqr_add_c(a,4,c3,c1,c2);
+        sqr_add_c2(a,5,3,c3,c1,c2);
+        sqr_add_c2(a,6,2,c3,c1,c2);
+        sqr_add_c2(a,7,1,c3,c1,c2);
+        r[8]=c3;
+        c3=0;
+        sqr_add_c2(a,7,2,c1,c2,c3);
+        sqr_add_c2(a,6,3,c1,c2,c3);
+        sqr_add_c2(a,5,4,c1,c2,c3);
+        r[9]=c1;
+        c1=0;
+        sqr_add_c(a,5,c2,c3,c1);
+        sqr_add_c2(a,6,4,c2,c3,c1);
+        sqr_add_c2(a,7,3,c2,c3,c1);
+        r[10]=c2;
+        c2=0;
+        sqr_add_c2(a,7,4,c3,c1,c2);
+        sqr_add_c2(a,6,5,c3,c1,c2);
+        r[11]=c3;
+        c3=0;
+        sqr_add_c(a,6,c1,c2,c3);
+        sqr_add_c2(a,7,5,c1,c2,c3);
+        r[12]=c1;
+        c1=0;
+        sqr_add_c2(a,7,6,c2,c3,c1);
+        r[13]=c2;
+        c2=0;
+        sqr_add_c(a,7,c3,c1,c2);
+        r[14]=c3;
+        r[15]=c1;
+        }
+
+void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t,tt;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        sqr_add_c(a,0,c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        sqr_add_c2(a,1,0,c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        sqr_add_c(a,1,c3,c1,c2);
+        sqr_add_c2(a,2,0,c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        sqr_add_c2(a,3,0,c1,c2,c3);
+        sqr_add_c2(a,2,1,c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        sqr_add_c(a,2,c2,c3,c1);
+        sqr_add_c2(a,3,1,c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        sqr_add_c2(a,3,2,c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        sqr_add_c(a,3,c1,c2,c3);
+        r[6]=c1;
+        r[7]=c2;
+        }
+#else
+
+/* hmm... is it faster just to do a multiply? */
+#undef bn_sqr_comba4
+void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+        {
+        BN_ULONG t[8];
+        bn_sqr_normal(r,a,4,t);
+        }
+
+#undef bn_sqr_comba8
+void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+        {
+        BN_ULONG t[16];
+        bn_sqr_normal(r,a,8,t);
+        }
+
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+        r[4]=bn_mul_words(    &(r[0]),a,4,b[0]);
+        r[5]=bn_mul_add_words(&(r[1]),a,4,b[1]);
+        r[6]=bn_mul_add_words(&(r[2]),a,4,b[2]);
+        r[7]=bn_mul_add_words(&(r[3]),a,4,b[3]);
+        }
+
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+        r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
+        r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
+        r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
+        r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
+        r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
+        r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
+        r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
+        r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
+        }
+
+#endif /* BN_COMBA */
diff --git a/src/lib/libcrypto/bn/bn_ctx.c b/src/lib/libcrypto/bn/bn_ctx.c
new file mode 100644
index 0000000000..46132fd180
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_ctx.c
@@ -0,0 +1,144 @@
+/* crypto/bn/bn_ctx.c */
+/* Written by Ulf Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef BN_CTX_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+
+
+BN_CTX *BN_CTX_new(void)
+        {
+        BN_CTX *ret;
+
+        ret=(BN_CTX *)Malloc(sizeof(BN_CTX));
+        if (ret == NULL)
+                {
+                BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+
+        BN_CTX_init(ret);
+        ret->flags=BN_FLG_MALLOCED;
+        return(ret);
+        }
+
+void BN_CTX_init(BN_CTX *ctx)
+        {
+        int i;
+        ctx->tos = 0;
+        ctx->flags = 0;
+        ctx->depth = 0;
+        ctx->too_many = 0;
+        for (i = 0; i < BN_CTX_NUM; i++)
+                BN_init(&(ctx->bn[i]));
+        }
+
+void BN_CTX_free(BN_CTX *ctx)
+        {
+        int i;
+
+        if (ctx == NULL) return;
+        assert(ctx->depth == 0);
+
+        for (i=0; i < BN_CTX_NUM; i++)
+                BN_clear_free(&(ctx->bn[i]));
+        if (ctx->flags & BN_FLG_MALLOCED)
+                Free(ctx);
+        }
+
+void BN_CTX_start(BN_CTX *ctx)
+        {
+        if (ctx->depth < BN_CTX_NUM_POS)
+                ctx->pos[ctx->depth] = ctx->tos;
+        ctx->depth++;
+        }
+
+BIGNUM *BN_CTX_get(BN_CTX *ctx)
+        {
+        if (ctx->depth > BN_CTX_NUM_POS || ctx->tos >= BN_CTX_NUM)
+                {
+                if (!ctx->too_many)
+                        {
+                        BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+                        /* disable error code until BN_CTX_end is called: */
+                        ctx->too_many = 1;
+                        }
+                return NULL;
+                }
+        return (&(ctx->bn[ctx->tos++]));
+        }
+
+void BN_CTX_end(BN_CTX *ctx)
+        {
+        if (ctx == NULL) return;
+        assert(ctx->depth > 0);
+        if (ctx->depth == 0)
+                /* should never happen, but we can tolerate it if not in
+                 * debug mode (could be a 'goto err' in the calling function
+                 * before BN_CTX_start was reached) */
+                BN_CTX_start(ctx);
+
+        ctx->too_many = 0;
+        ctx->depth--;
+        if (ctx->depth < BN_CTX_NUM_POS)
+                ctx->tos = ctx->pos[ctx->depth];
+        }
diff --git a/src/lib/libcrypto/bn/bn_exp2.c b/src/lib/libcrypto/bn/bn_exp2.c
new file mode 100644
index 0000000000..1132d53365
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_exp2.c
@@ -0,0 +1,195 @@
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* I've done some timing with different table sizes.
+ * The main hassle is that even with bits set at 3, this requires
+ * 63 BIGNUMs to store the pre-calculated values.
+ *          512   1024 
+ * bits=1  75.4%  79.4%
+ * bits=2  61.2%  62.4%
+ * bits=3  61.3%  59.3%
+ * The lack of speed improvment is also a function of the pre-calculation
+ * which could be removed.
+ */
+#define EXP2_TABLE_BITS 2 /* 1  2  3  4  5  */
+#define EXP2_TABLE_SIZE 4 /* 2  4  8 16 32  */
+
+int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
+             BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        int i,j,k,bits,bits1,bits2,ret=0,wstart,wend,window,xvalue,yvalue;
+        int start=1,ts=0,x,y;
+        BIGNUM *d,*aa1,*aa2,*r;
+        BIGNUM val[EXP2_TABLE_SIZE][EXP2_TABLE_SIZE];
+        BN_MONT_CTX *mont=NULL;
+
+        bn_check_top(a1);
+        bn_check_top(p1);
+        bn_check_top(a2);
+        bn_check_top(p2);
+        bn_check_top(m);
+
+        if (!(m->d[0] & 1))
+                {
+                BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
+                return(0);
+                }
+        d= &(ctx->bn[ctx->tos++]);
+        r= &(ctx->bn[ctx->tos++]);
+        bits1=BN_num_bits(p1);
+        bits2=BN_num_bits(p2);
+        if ((bits1 == 0) && (bits2 == 0))
+                {
+                BN_one(r);
+                return(1);
+                }
+        bits=(bits1 > bits2)?bits1:bits2;
+
+        /* If this is not done, things will break in the montgomery
+         * part */
+
+        if (in_mont != NULL)
+                mont=in_mont;
+        else
+                {
+                if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+                if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+                }
+
+        BN_init(&(val[0][0]));
+        BN_init(&(val[1][1]));
+        BN_init(&(val[0][1]));
+        BN_init(&(val[1][0]));
+        ts=1;
+        if (BN_ucmp(a1,m) >= 0)
+                {
+                BN_mod(&(val[1][0]),a1,m,ctx);
+                aa1= &(val[1][0]);
+                }
+        else
+                aa1=a1;
+        if (BN_ucmp(a2,m) >= 0)
+                {
+                BN_mod(&(val[0][1]),a2,m,ctx);
+                aa2= &(val[0][1]);
+                }
+        else
+                aa2=a2;
+        if (!BN_to_montgomery(&(val[1][0]),aa1,mont,ctx)) goto err;
+        if (!BN_to_montgomery(&(val[0][1]),aa2,mont,ctx)) goto err;
+        if (!BN_mod_mul_montgomery(&(val[1][1]),
+                &(val[1][0]),&(val[0][1]),mont,ctx))
+                goto err;
+
+#if 0
+        if (bits <= 20) /* This is probably 3 or 0x10001, so just do singles */
+                window=1;
+        else if (bits > 250)
+                window=5;       /* max size of window */
+        else if (bits >= 120)
+                window=4;
+        else
+                window=3;
+#else
+        window=EXP2_TABLE_BITS;
+#endif
+
+        k=1<<window;
+        for (x=0; x<k; x++)
+                {
+                if (x >= 2)
+                        {
+                        BN_init(&(val[x][0]));
+                        BN_init(&(val[x][1]));
+                        if (!BN_mod_mul_montgomery(&(val[x][0]),
+                                &(val[1][0]),&(val[x-1][0]),mont,ctx)) goto err;
+                        if (!BN_mod_mul_montgomery(&(val[x][1]),
+                                &(val[1][0]),&(val[x-1][1]),mont,ctx)) goto err;
+                        }
+                for (y=2; y<k; y++)
+                        {
+                        BN_init(&(val[x][y]));
+                        if (!BN_mod_mul_montgomery(&(val[x][y]),
+                                &(val[x][y-1]),&(val[0][1]),mont,ctx))
+                                goto err;
+                        }
+                }
+        ts=k;
+
+        start=1;        /* This is used to avoid multiplication etc
+                         * when there is only the value '1' in the
+                         * buffer. */
+        xvalue=0;       /* The 'x value' of the window */
+        yvalue=0;       /* The 'y value' of the window */
+        wstart=bits-1;  /* The top bit of the window */
+        wend=0;         /* The bottom bit of the window */
+
+        if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+        for (;;)
+                {
+                xvalue=BN_is_bit_set(p1,wstart);
+                yvalue=BN_is_bit_set(p2,wstart);
+                if (!(xvalue || yvalue))
+                        {
+                        if (!start)
+                                {
+                                if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+                                        goto err;
+                                }
+                        wstart--;
+                        if (wstart < 0) break;
+                        continue;
+                        }
+                /* We now have wstart on a 'set' bit, we now need to work out
+                 * how bit a window to do.  To do this we need to scan
+                 * forward until the last set bit before the end of the
+                 * window */
+                j=wstart;
+                /* xvalue=BN_is_bit_set(p1,wstart); already set */
+                /* yvalue=BN_is_bit_set(p1,wstart); already set */
+                wend=0;
+                for (i=1; i<window; i++)
+                        {
+                        if (wstart-i < 0) break;
+                        xvalue+=xvalue;
+                        xvalue|=BN_is_bit_set(p1,wstart-i);
+                        yvalue+=yvalue;
+                        yvalue|=BN_is_bit_set(p2,wstart-i);
+                        }
+
+                /* i is the size of the current window */
+                /* add the 'bytes above' */
+                if (!start)
+                        for (j=0; j<i; j++)
+                                {
+                                if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+                                        goto err;
+                                }
+                
+                /* wvalue will be an odd number < 2^window */
+                if (xvalue || yvalue)
+                        {
+                        if (!BN_mod_mul_montgomery(r,r,&(val[xvalue][yvalue]),
+                                mont,ctx)) goto err;
+                        }
+
+                /* move the 'window' down further */
+                wstart-=i;
+                start=0;
+                if (wstart < 0) break;
+                }
+        BN_from_montgomery(rr,r,mont,ctx);
+        ret=1;
+err:
+        if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+        ctx->tos-=2;
+        for (i=0; i<ts; i++)
+                {
+                for (j=0; j<ts; j++)
+                        {
+                        BN_clear_free(&(val[i][j]));
+                        }
+                }
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/bn/bn_kron.c b/src/lib/libcrypto/bn/bn_kron.c
new file mode 100644
index 0000000000..49f75594ae
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_kron.c
@@ -0,0 +1,182 @@
+/* crypto/bn/bn_kron.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "bn_lcl.h"
+
+
+/* least significant word */
+#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
+
+/* Returns -2 for errors because both -1 and 0 are valid results. */
+int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        int i;
+        int ret = -2; /* avoid 'uninitialized' warning */
+        int err = 0;
+        BIGNUM *A, *B, *tmp;
+        /* In 'tab', only odd-indexed entries are relevant:
+         * For any odd BIGNUM n,
+         *     tab[BN_lsw(n) & 7]
+         * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
+         * Note that the sign of n does not matter.
+         */
+        static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
+
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        B = BN_CTX_get(ctx);
+        if (B == NULL) goto end;
+        
+        err = !BN_copy(A, a);
+        if (err) goto end;
+        err = !BN_copy(B, b);
+        if (err) goto end;
+
+        /*
+         * Kronecker symbol, imlemented according to Henri Cohen,
+         * "A Course in Computational Algebraic Number Theory"
+         * (algorithm 1.4.10).
+         */
+
+        /* Cohen's step 1: */
+
+        if (BN_is_zero(B))
+                {
+                ret = BN_abs_is_word(A, 1);
+                goto end;
+                }
+        
+        /* Cohen's step 2: */
+
+        if (!BN_is_odd(A) && !BN_is_odd(B))
+                {
+                ret = 0;
+                goto end;
+                }
+
+        /* now  B  is non-zero */
+        i = 0;
+        while (!BN_is_bit_set(B, i))
+                i++;
+        err = !BN_rshift(B, B, i);
+        if (err) goto end;
+        if (i & 1)
+                {
+                /* i is odd */
+                /* (thus  B  was even, thus  A  must be odd!)  */
+
+                /* set 'ret' to $(-1)^{(A^2-1)/8}$ */
+                ret = tab[BN_lsw(A) & 7];
+                }
+        else
+                {
+                /* i is even */
+                ret = 1;
+                }
+        
+        if (B->neg)
+                {
+                B->neg = 0;
+                if (A->neg)
+                        ret = -ret;
+                }
+
+        /* now  B  is positive and odd, so what remains to be done is
+         * to compute the Jacobi symbol  (A/B)  and multiply it by 'ret' */
+
+        while (1)
+                {
+                /* Cohen's step 3: */
+
+                /*  B  is positive and odd */
+
+                if (BN_is_zero(A))
+                        {
+                        ret = BN_is_one(B) ? ret : 0;
+                        goto end;
+                        }
+
+                /* now  A  is non-zero */
+                i = 0;
+                while (!BN_is_bit_set(A, i))
+                        i++;
+                err = !BN_rshift(A, A, i);
+                if (err) goto end;
+                if (i & 1)
+                        {
+                        /* i is odd */
+                        /* multiply 'ret' by  $(-1)^{(B^2-1)/8}$ */
+                        ret = ret * tab[BN_lsw(B) & 7];
+                        }
+        
+                /* Cohen's step 4: */
+                /* multiply 'ret' by  $(-1)^{(A-1)(B-1)/4}$ */
+                if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2)
+                        ret = -ret;
+                
+                /* (A, B) := (B mod |A|, |A|) */
+                err = !BN_nnmod(B, B, A, ctx);
+                if (err) goto end;
+                tmp = A; A = B; B = tmp;
+                tmp->neg = 0;
+                }
+        
+ end:
+        BN_CTX_end(ctx);
+        if (err)
+                return -2;
+        else
+                return ret;
+        }
diff --git a/src/lib/libcrypto/bn/bn_sqrt.c b/src/lib/libcrypto/bn/bn_sqrt.c
new file mode 100644
index 0000000000..e2a1105dc8
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_sqrt.c
@@ -0,0 +1,387 @@
+/* crypto/bn/bn_mod.c */
+/* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * and Bodo Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+
+BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) 
+/* Returns 'ret' such that
+ *      ret^2 == a (mod p),
+ * using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course
+ * in Algebraic Computational Number Theory", algorithm 1.5.1).
+ * 'p' must be prime!
+ * If 'a' is not a square, this is not necessarily detected by
+ * the algorithms; a bogus result must be expected in this case.
+ */
+        {
+        BIGNUM *ret = in;
+        int err = 1;
+        int r;
+        BIGNUM *b, *q, *t, *x, *y;
+        int e, i, j;
+        
+        if (!BN_is_odd(p) || BN_abs_is_word(p, 1))
+                {
+                if (BN_abs_is_word(p, 2))
+                        {
+                        if (ret == NULL)
+                                ret = BN_new();
+                        if (ret == NULL)
+                                goto end;
+                        if (!BN_set_word(ret, BN_is_bit_set(a, 0)))
+                                {
+                                BN_free(ret);
+                                return NULL;
+                                }
+                        return ret;
+                        }
+
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                return(NULL);
+                }
+
+        if (BN_is_zero(a) || BN_is_one(a))
+                {
+                if (ret == NULL)
+                        ret = BN_new();
+                if (ret == NULL)
+                        goto end;
+                if (!BN_set_word(ret, BN_is_one(a)))
+                        {
+                        BN_free(ret);
+                        return NULL;
+                        }
+                return ret;
+                }
+
+#if 0 /* if BN_mod_sqrt is used with correct input, this just wastes time */
+        r = BN_kronecker(a, p, ctx);
+        if (r < -1) return NULL;
+        if (r == -1)
+                {
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+                return(NULL);
+                }
+#endif
+
+        BN_CTX_start(ctx);
+        b = BN_CTX_get(ctx);
+        q = BN_CTX_get(ctx);
+        t = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto end;
+        
+        if (ret == NULL)
+                ret = BN_new();
+        if (ret == NULL) goto end;
+
+        /* now write  |p| - 1  as  2^e*q  where  q  is odd */
+        e = 1;
+        while (!BN_is_bit_set(p, e))
+                e++;
+        /* we'll set  q  later (if needed) */
+
+        if (e == 1)
+                {
+                /* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
+                 * modulo  (|p|-1)/2,  and square roots can be computed
+                 * directly by modular exponentiation.
+                 * We have
+                 *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
+                 * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
+                 */
+                if (!BN_rshift(q, p, 2)) goto end;
+                q->neg = 0;
+                if (!BN_add_word(q, 1)) goto end;
+                if (!BN_mod_exp(ret, a, q, p, ctx)) goto end;
+                err = 0;
+                goto end;
+                }
+        
+        if (e == 2)
+                {
+                /* |p| == 5  (mod 8)
+                 *
+                 * In this case  2  is always a non-square since
+                 * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
+                 * So if  a  really is a square, then  2*a  is a non-square.
+                 * Thus for
+                 *      b := (2*a)^((|p|-5)/8),
+                 *      i := (2*a)*b^2
+                 * we have
+                 *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
+                 *         = (2*a)^((p-1)/2)
+                 *         = -1;
+                 * so if we set
+                 *      x := a*b*(i-1),
+                 * then
+                 *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
+                 *         = a^2 * b^2 * (-2*i)
+                 *         = a*(-i)*(2*a*b^2)
+                 *         = a*(-i)*i
+                 *         = a.
+                 *
+                 * (This is due to A.O.L. Atkin, 
+                 * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+                 * November 1992.)
+                 */
+
+                /* make sure that  a  is reduced modulo p */
+                if (a->neg || BN_ucmp(a, p) >= 0)
+                        {
+                        if (!BN_nnmod(x, a, p, ctx)) goto end;
+                        a = x; /* use x as temporary variable */
+                        }
+
+                /* t := 2*a */
+                if (!BN_mod_lshift1_quick(t, a, p)) goto end;
+
+                /* b := (2*a)^((|p|-5)/8) */
+                if (!BN_rshift(q, p, 3)) goto end;
+                q->neg = 0;
+                if (!BN_mod_exp(b, t, q, p, ctx)) goto end;
+
+                /* y := b^2 */
+                if (!BN_mod_sqr(y, b, p, ctx)) goto end;
+
+                /* t := (2*a)*b^2 - 1*/
+                if (!BN_mod_mul(t, t, y, p, ctx)) goto end;
+                if (!BN_sub_word(t, 1)) goto end;
+
+                /* x = a*b*t */
+                if (!BN_mod_mul(x, a, b, p, ctx)) goto end;
+                if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
+
+                if (!BN_copy(ret, x)) goto end;
+                err = 0;
+                goto end;
+                }
+        
+        /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
+         * First, find some  y  that is not a square. */
+        if (!BN_copy(q, p)) goto end; /* use 'q' as temp */
+        q->neg = 0;
+        i = 2;
+        do
+                {
+                /* For efficiency, try small numbers first;
+                 * if this fails, try random numbers.
+                 */
+                if (i < 22)
+                        {
+                        if (!BN_set_word(y, i)) goto end;
+                        }
+                else
+                        {
+                        if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) goto end;
+                        if (BN_ucmp(y, p) >= 0)
+                                {
+                                if (!(p->neg ? BN_add : BN_sub)(y, y, p)) goto end;
+                                }
+                        /* now 0 <= y < |p| */
+                        if (BN_is_zero(y))
+                                if (!BN_set_word(y, i)) goto end;
+                        }
+                
+                r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
+                if (r < -1) goto end;
+                if (r == 0)
+                        {
+                        /* m divides p */
+                        BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                        goto end;
+                        }
+                }
+        while (r == 1 && ++i < 82);
+        
+        if (r != -1)
+                {
+                /* Many rounds and still no non-square -- this is more likely
+                 * a bug than just bad luck.
+                 * Even if  p  is not prime, we should have found some  y
+                 * such that r == -1.
+                 */
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS);
+                goto end;
+                }
+
+        /* Here's our actual 'q': */
+        if (!BN_rshift(q, q, e)) goto end;
+
+        /* Now that we have some non-square, we can find an element
+         * of order  2^e  by computing its q'th power. */
+        if (!BN_mod_exp(y, y, q, p, ctx)) goto end;
+        if (BN_is_one(y))
+                {
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                goto end;
+                }
+
+        /* Now we know that (if  p  is indeed prime) there is an integer
+         * k,  0 <= k < 2^e,  such that
+         *
+         *      a^q * y^k == 1   (mod p).
+         *
+         * As  a^q  is a square and  y  is not,  k  must be even.
+         * q+1  is even, too, so there is an element
+         *
+         *     X := a^((q+1)/2) * y^(k/2),
+         *
+         * and it satisfies
+         *
+         *     X^2 = a^q * a     * y^k
+         *         = a,
+         *
+         * so it is the square root that we are looking for.
+         */
+        
+        /* t := (q-1)/2  (note that  q  is odd) */
+        if (!BN_rshift1(t, q)) goto end;
+        
+        /* x := a^((q-1)/2) */
+        if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
+                {
+                if (!BN_nnmod(t, a, p, ctx)) goto end;
+                if (BN_is_zero(t))
+                        {
+                        /* special case: a == 0  (mod p) */
+                        if (!BN_zero(ret)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+                else
+                        if (!BN_one(x)) goto end;
+                }
+        else
+                {
+                if (!BN_mod_exp(x, a, t, p, ctx)) goto end;
+                if (BN_is_zero(x))
+                        {
+                        /* special case: a == 0  (mod p) */
+                        if (!BN_zero(ret)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+                }
+
+        /* b := a*x^2  (= a^q) */
+        if (!BN_mod_sqr(b, x, p, ctx)) goto end;
+        if (!BN_mod_mul(b, b, a, p, ctx)) goto end;
+        
+        /* x := a*x    (= a^((q+1)/2)) */
+        if (!BN_mod_mul(x, x, a, p, ctx)) goto end;
+
+        while (1)
+                {
+                /* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
+                 * where  E  refers to the original value of  e,  which we
+                 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
+                 *
+                 * We have  a*b = x^2,
+                 *    y^2^(e-1) = -1,
+                 *    b^2^(e-1) = 1.
+                 */
+
+                if (BN_is_one(b))
+                        {
+                        if (!BN_copy(ret, x)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+
+
+                /* find smallest  i  such that  b^(2^i) = 1 */
+                i = 1;
+                if (!BN_mod_sqr(t, b, p, ctx)) goto end;
+                while (!BN_is_one(t))
+                        {
+                        i++;
+                        if (i == e)
+                                {
+                                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+                                goto end;
+                                }
+                        if (!BN_mod_mul(t, t, t, p, ctx)) goto end;
+                        }
+                
+
+                /* t := y^2^(e - i - 1) */
+                if (!BN_copy(t, y)) goto end;
+                for (j = e - i - 1; j > 0; j--)
+                        {
+                        if (!BN_mod_sqr(t, t, p, ctx)) goto end;
+                        }
+                if (!BN_mod_mul(y, t, t, p, ctx)) goto end;
+                if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
+                if (!BN_mod_mul(b, b, y, p, ctx)) goto end;
+                e = i;
+                }
+
+ end:
+        if (err)
+                {
+                if (ret != NULL && ret != in)
+                        {
+                        BN_clear_free(ret);
+                        }
+                ret = NULL;
+                }
+        BN_CTX_end(ctx);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/comp/c_rle.c b/src/lib/libcrypto/comp/c_rle.c
new file mode 100644
index 0000000000..1a819e3737
--- /dev/null
+++ b/src/lib/libcrypto/comp/c_rle.c
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+
+static COMP_METHOD rle_method={
+        NID_rle_compression,
+        LN_rle_compression,
+        NULL,
+        NULL,
+        rle_compress_block,
+        rle_expand_block,
+        NULL,
+        };
+
+COMP_METHOD *COMP_rle(void)
+        {
+        return(&rle_method);
+        }
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        /* int i; */
+
+        if (olen < (ilen+1))
+                {
+                /* ZZZZZZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+
+        *(out++)=0;
+        memcpy(out,in,ilen);
+        return(ilen+1);
+        }
+
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        int i;
+
+        if (olen < (ilen-1))
+                {
+                /* ZZZZZZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+
+        i= *(in++);
+        if (i == 0)
+                {
+                memcpy(out,in,ilen-1);
+                }
+        return(ilen-1);
+        }
+
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
new file mode 100644
index 0000000000..6684ab4841
--- /dev/null
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -0,0 +1,133 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+COMP_METHOD *COMP_zlib(void );
+
+#ifndef ZLIB
+
+static COMP_METHOD zlib_method={
+        NID_undef,
+        "(null)",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        };
+
+#else
+
+#include <zlib.h>
+
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+
+static int zz_uncompress(Bytef *dest, uLongf *destLen, const Bytef *source,
+        uLong sourceLen);
+
+static COMP_METHOD zlib_method={
+        NID_zlib_compression,
+        LN_zlib_compression,
+        NULL,
+        NULL,
+        zlib_compress_block,
+        zlib_expand_block,
+        NULL,
+        };
+
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        unsigned long l;
+        int i;
+        int clear=1;
+
+        if (ilen > 128)
+                {
+                out[0]=1;
+                l=olen-1;
+                i=compress(&(out[1]),&l,in,(unsigned long)ilen);
+                if (i != Z_OK)
+                        return(-1);
+                if (ilen > l)
+                        {
+                        clear=0;
+                        l++;
+                        }
+                }
+        if (clear)
+                {
+                out[0]=0;
+                memcpy(&(out[1]),in,ilen);
+                l=ilen+1;
+                }
+fprintf(stderr,"compress(%4d)->%4d %s\n",ilen,(int)l,(clear)?"clear":"zlib");
+        return((int)l);
+        }
+
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        unsigned long l;
+        int i;
+
+        if (in[0])
+                {
+                l=olen;
+                i=zz_uncompress(out,&l,&(in[1]),(unsigned long)ilen-1);
+                if (i != Z_OK)
+                        return(-1);
+                }
+        else
+                {
+                memcpy(out,&(in[1]),ilen-1);
+                l=ilen-1;
+                }
+        fprintf(stderr,"expand  (%4d)->%4d %s\n",ilen,(int)l,in[0]?"zlib":"clear");
+        return((int)l);
+        }
+
+static int zz_uncompress (Bytef *dest, uLongf *destLen, const Bytef *source,
+             uLong sourceLen)
+{
+    z_stream stream;
+    int err;
+
+    stream.next_in = (Bytef*)source;
+    stream.avail_in = (uInt)sourceLen;
+    /* Check for source > 64K on 16-bit machine: */
+    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
+
+    stream.next_out = dest;
+    stream.avail_out = (uInt)*destLen;
+    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
+
+    stream.zalloc = (alloc_func)0;
+    stream.zfree = (free_func)0;
+
+    err = inflateInit(&stream);
+    if (err != Z_OK) return err;
+
+    err = inflate(&stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        inflateEnd(&stream);
+        return err;
+    }
+    *destLen = stream.total_out;
+
+    err = inflateEnd(&stream);
+    return err;
+}
+
+#endif
+
+COMP_METHOD *COMP_zlib(void)
+        {
+        return(&zlib_method);
+        }
+
diff --git a/src/lib/libcrypto/comp/comp.h b/src/lib/libcrypto/comp/comp.h
new file mode 100644
index 0000000000..93bd9c34c8
--- /dev/null
+++ b/src/lib/libcrypto/comp/comp.h
@@ -0,0 +1,60 @@
+
+#ifndef HEADER_COMP_H
+#define HEADER_COMP_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/crypto.h>
+
+typedef struct comp_method_st
+        {
+        int type;               /* NID for compression library */
+        const char *name;       /* A text string to identify the library */
+        int (*init)();
+        void (*finish)();
+        int (*compress)();
+        int (*expand)();
+        long (*ctrl)();
+        } COMP_METHOD;
+
+typedef struct comp_ctx_st
+        {
+        COMP_METHOD *meth;
+        unsigned long compress_in;
+        unsigned long compress_out;
+        unsigned long expand_in;
+        unsigned long expand_out;
+
+        CRYPTO_EX_DATA  ex_data;
+        } COMP_CTX;
+
+
+COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
+void COMP_CTX_free(COMP_CTX *ctx);
+int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+        unsigned char *in, int ilen);
+int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+        unsigned char *in, int ilen);
+COMP_METHOD *COMP_rle(void );
+#ifdef ZLIB
+COMP_METHOD *COMP_zlib(void );
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the COMP functions. */
+
+/* Function codes. */
+
+/* Reason codes. */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/comp/comp_err.c b/src/lib/libcrypto/comp/comp_err.c
new file mode 100644
index 0000000000..77a3f7070c
--- /dev/null
+++ b/src/lib/libcrypto/comp/comp_err.c
@@ -0,0 +1,91 @@
+/* crypto/comp/comp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/comp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA COMP_str_functs[]=
+        {
+{0,NULL}
+        };
+
+static ERR_STRING_DATA COMP_str_reasons[]=
+        {
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_COMP_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_COMP,COMP_str_functs);
+                ERR_load_strings(ERR_LIB_COMP,COMP_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/comp/comp_lib.c b/src/lib/libcrypto/comp/comp_lib.c
new file mode 100644
index 0000000000..a67ef23bc0
--- /dev/null
+++ b/src/lib/libcrypto/comp/comp_lib.c
@@ -0,0 +1,78 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+COMP_CTX *COMP_CTX_new(COMP_METHOD *meth)
+        {
+        COMP_CTX *ret;
+
+        if ((ret=(COMP_CTX *)Malloc(sizeof(COMP_CTX))) == NULL)
+                {
+                /* ZZZZZZZZZZZZZZZZ */
+                return(NULL);
+                }
+        memset(ret,0,sizeof(COMP_CTX));
+        ret->meth=meth;
+        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+                {
+                Free(ret);
+                ret=NULL;
+                }
+#if 0
+        else
+                CRYPTO_new_ex_data(rsa_meth,(char *)ret,&ret->ex_data);
+#endif
+        return(ret);
+        }
+
+void COMP_CTX_free(COMP_CTX *ctx)
+        {
+        /* CRYPTO_free_ex_data(rsa_meth,(char *)ctx,&ctx->ex_data); */
+
+        if(ctx == NULL)
+            return;
+
+        if (ctx->meth->finish != NULL)
+                ctx->meth->finish(ctx);
+
+        Free(ctx);
+        }
+
+int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+             unsigned char *in, int ilen)
+        {
+        int ret;
+        if (ctx->meth->compress == NULL)
+                {
+                /* ZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+        ret=ctx->meth->compress(ctx,out,olen,in,ilen);
+        if (ret > 0)
+                {
+                ctx->compress_in+=ilen;
+                ctx->compress_out+=ret;
+                }
+        return(ret);
+        }
+
+int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+             unsigned char *in, int ilen)
+        {
+        int ret;
+
+        if (ctx->meth->expand == NULL)
+                {
+                /* ZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+        ret=ctx->meth->expand(ctx,out,olen,in,ilen);
+        if (ret > 0)
+                {
+                ctx->expand_in+=ilen;
+                ctx->expand_out+=ret;
+                }
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/conf/README b/src/lib/libcrypto/conf/README
new file mode 100644
index 0000000000..ca58d0240f
--- /dev/null
+++ b/src/lib/libcrypto/conf/README
@@ -0,0 +1,78 @@
+WARNING WARNING WARNING!!!
+
+This stuff is experimental, may change radically or be deleted altogether
+before OpenSSL 0.9.7 release. You have been warned!
+
+Configuration modules. These are a set of modules which can perform
+various configuration functions.
+
+Currently the routines should be called at most once when an application
+starts up: that is before it starts any threads.
+
+The routines read a configuration file set up like this:
+
+-----
+#default section
+openssl_init=init_section
+
+[init_section]
+
+module1=value1
+#Second instance of module1
+module1.1=valueX
+module2=value2
+module3=dso_literal
+module4=dso_section
+
+[dso_section]
+
+path=/some/path/to/some/dso.so
+other_stuff=other_value
+----
+
+When this file is loaded a configuration module with the specified
+string (module* in the above example) is looked up and its init
+function called as:
+
+int conf_init_func(CONF_IMODULE *md, CONF *cnf);
+
+The function can then take whatever action is appropriate, for example
+further lookups based on the value. Multiple instances of the same 
+config module can be loaded.
+
+When the application closes down the modules are cleaned up by calling
+an optional finish function:
+
+void conf_finish_func(CONF_IMODULE *md);
+
+The finish functions are called in reverse order: that is the last module
+loaded is the first one cleaned up.
+
+If no module exists with a given name then an attempt is made to load
+a DSO with the supplied name. This might mean that "module3" attempts
+to load a DSO called libmodule3.so or module3.dll for example. An explicit
+DSO name can be given by including a separate section as in the module4 example
+above.
+
+The DSO is expected to at least contain an initialization function:
+
+int OPENSSL_init(CONF_IMODULE *md, CONF *cnf);
+
+and may also include a finish function:
+
+void OPENSSL_finish(CONF_IMODULE *md);
+
+Static modules can also be added using,
+
+int CONF_module_add(char *name, dso_mod_init_func *ifunc, dso_mod_finish_func *ffunc);
+
+where "name" is the name in the configuration file this function corresponds to.
+
+A set of builtin modules (currently only an ASN1 non functional test module) can be 
+added by calling OPENSSL_load_builtin_modules(). 
+
+The function OPENSSL_config() is intended as a simple configuration function that
+any application can call to perform various default configuration tasks. It uses the
+file openssl.cnf in the usual locations.
+
+
diff --git a/src/lib/libcrypto/conf/conf_api.c b/src/lib/libcrypto/conf/conf_api.c
new file mode 100644
index 0000000000..d05a778ff6
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_api.c
@@ -0,0 +1,289 @@
+/* conf_api.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Part of the code in here was originally in conf.c, which is now removed */
+
+#ifndef CONF_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <assert.h>
+#include <string.h>
+#include <openssl/conf.h>
+#include <openssl/conf_api.h>
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf);
+static void value_free_stack(CONF_VALUE *a,LHASH *conf);
+static unsigned long hash(CONF_VALUE *v);
+static int cmp_conf(CONF_VALUE *a,CONF_VALUE *b);
+
+/* Up until OpenSSL 0.9.5a, this was get_section */
+CONF_VALUE *_CONF_get_section(CONF *conf, char *section)
+        {
+        CONF_VALUE *v,vv;
+
+        if ((conf == NULL) || (section == NULL)) return(NULL);
+        vv.name=NULL;
+        vv.section=section;
+        v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
+        return(v);
+        }
+
+/* Up until OpenSSL 0.9.5a, this was CONF_get_section */
+STACK_OF(CONF_VALUE) *_CONF_get_section_values(CONF *conf, char *section)
+        {
+        CONF_VALUE *v;
+
+        v=_CONF_get_section(conf,section);
+        if (v != NULL)
+                return((STACK_OF(CONF_VALUE) *)v->value);
+        else
+                return(NULL);
+        }
+
+int _CONF_add_string(CONF *conf, CONF_VALUE *section, CONF_VALUE *value)
+        {
+        CONF_VALUE *v = NULL;
+        STACK_OF(CONF_VALUE) *ts;
+
+        ts = (STACK_OF(CONF_VALUE) *)section->value;
+
+        value->section=section->section;        
+        if (!sk_CONF_VALUE_push(ts,value))
+                {
+                return 0;
+                }
+
+        v = (CONF_VALUE *)lh_insert(conf->data, value);
+        if (v != NULL)
+                {
+                sk_CONF_VALUE_delete_ptr(ts,v);
+                OPENSSL_free(v->name);
+                OPENSSL_free(v->value);
+                OPENSSL_free(v);
+                }
+        return 1;
+        }
+
+char *_CONF_get_string(CONF *conf, char *section, char *name)
+        {
+        CONF_VALUE *v,vv;
+        char *p;
+
+        if (name == NULL) return(NULL);
+        if (conf != NULL)
+                {
+                if (section != NULL)
+                        {
+                        vv.name=name;
+                        vv.section=section;
+                        v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
+                        if (v != NULL) return(v->value);
+                        if (strcmp(section,"ENV") == 0)
+                                {
+                                p=Getenv(name);
+                                if (p != NULL) return(p);
+                                }
+                        }
+                vv.section="default";
+                vv.name=name;
+                v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
+                if (v != NULL)
+                        return(v->value);
+                else
+                        return(NULL);
+                }
+        else
+                return(Getenv(name));
+        }
+
+long _CONF_get_number(CONF *conf, char *section, char *name)
+        {
+        char *str;
+        long ret=0;
+
+        str=_CONF_get_string(conf,section,name);
+        if (str == NULL) return(0);
+        for (;;)
+                {
+                if (conf->meth->is_number(conf, *str))
+                        ret=ret*10+conf->meth->to_int(conf, *str);
+                else
+                        return(ret);
+                str++;
+                }
+        }
+
+int _CONF_new_data(CONF *conf)
+        {
+        if (conf == NULL)
+                {
+                return 0;
+                }
+        if (conf->data == NULL)
+                if ((conf->data = lh_new(hash,cmp_conf)) == NULL)
+                        {
+                        return 0;
+                        }
+        return 1;
+        }
+
+void _CONF_free_data(CONF *conf)
+        {
+        if (conf == NULL || conf->data == NULL) return;
+
+        conf->data->down_load=0; /* evil thing to make sure the 'OPENSSL_free()'
+                                  * works as expected */
+        lh_doall_arg(conf->data,(void (*)())value_free_hash,conf->data);
+
+        /* We now have only 'section' entries in the hash table.
+         * Due to problems with */
+
+        lh_doall_arg(conf->data,(void (*)())value_free_stack,conf->data);
+        lh_free(conf->data);
+        }
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf)
+        {
+        if (a->name != NULL)
+                {
+                a=(CONF_VALUE *)lh_delete(conf,a);
+                }
+        }
+
+static void value_free_stack(CONF_VALUE *a, LHASH *conf)
+        {
+        CONF_VALUE *vv;
+        STACK *sk;
+        int i;
+
+        if (a->name != NULL) return;
+
+        sk=(STACK *)a->value;
+        for (i=sk_num(sk)-1; i>=0; i--)
+                {
+                vv=(CONF_VALUE *)sk_value(sk,i);
+                OPENSSL_free(vv->value);
+                OPENSSL_free(vv->name);
+                OPENSSL_free(vv);
+                }
+        if (sk != NULL) sk_free(sk);
+        OPENSSL_free(a->section);
+        OPENSSL_free(a);
+        }
+
+static unsigned long hash(CONF_VALUE *v)
+        {
+        return((lh_strhash(v->section)<<2)^lh_strhash(v->name));
+        }
+
+static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b)
+        {
+        int i;
+
+        if (a->section != b->section)
+                {
+                i=strcmp(a->section,b->section);
+                if (i) return(i);
+                }
+
+        if ((a->name != NULL) && (b->name != NULL))
+                {
+                i=strcmp(a->name,b->name);
+                return(i);
+                }
+        else if (a->name == b->name)
+                return(0);
+        else
+                return((a->name == NULL)?-1:1);
+        }
+
+/* Up until OpenSSL 0.9.5a, this was new_section */
+CONF_VALUE *_CONF_new_section(CONF *conf, char *section)
+        {
+        STACK *sk=NULL;
+        int ok=0,i;
+        CONF_VALUE *v=NULL,*vv;
+
+        if ((sk=sk_new_null()) == NULL)
+                goto err;
+        if ((v=(CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))) == NULL)
+                goto err;
+        i=strlen(section)+1;
+        if ((v->section=(char *)OPENSSL_malloc(i)) == NULL)
+                goto err;
+
+        memcpy(v->section,section,i);
+        v->name=NULL;
+        v->value=(char *)sk;
+        
+        vv=(CONF_VALUE *)lh_insert(conf->data,v);
+        assert(vv == NULL);
+        ok=1;
+err:
+        if (!ok)
+                {
+                if (sk != NULL) sk_free(sk);
+                if (v != NULL) OPENSSL_free(v);
+                v=NULL;
+                }
+        return(v);
+        }
+
+IMPLEMENT_STACK_OF(CONF_VALUE)
diff --git a/src/lib/libcrypto/conf/conf_api.h b/src/lib/libcrypto/conf/conf_api.h
new file mode 100644
index 0000000000..a5cc17b233
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_api.h
@@ -0,0 +1,87 @@
+/* conf_api.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef  HEADER_CONF_API_H
+#define HEADER_CONF_API_H
+
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Up until OpenSSL 0.9.5a, this was new_section */
+CONF_VALUE *_CONF_new_section(CONF *conf, char *section);
+/* Up until OpenSSL 0.9.5a, this was get_section */
+CONF_VALUE *_CONF_get_section(CONF *conf, char *section);
+/* Up until OpenSSL 0.9.5a, this was CONF_get_section */
+STACK_OF(CONF_VALUE) *_CONF_get_section_values(CONF *conf, char *section);
+
+int _CONF_add_string(CONF *conf, CONF_VALUE *section, CONF_VALUE *value);
+char *_CONF_get_string(CONF *conf, char *section, char *name);
+long _CONF_get_number(CONF *conf, char *section, char *name);
+
+int _CONF_new_data(CONF *conf);
+void _CONF_free_data(CONF *conf);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
new file mode 100644
index 0000000000..773df32c68
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -0,0 +1,703 @@
+/* crypto/conf/conf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Part of the code in here was originally in conf.c, which is now removed */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/stack.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/conf_api.h>
+#include "conf_def.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+static char *eat_ws(CONF *conf, char *p);
+static char *eat_alpha_numeric(CONF *conf, char *p);
+static void clear_comments(CONF *conf, char *p);
+static int str_copy(CONF *conf,char *section,char **to, char *from);
+static char *scan_quote(CONF *conf, char *p);
+static char *scan_dquote(CONF *conf, char *p);
+#define scan_esc(conf,p)        (((IS_EOF((conf),(p)[1]))?((p)+1):((p)+2)))
+
+static CONF *def_create(CONF_METHOD *meth);
+static int def_init_default(CONF *conf);
+static int def_init_WIN32(CONF *conf);
+static int def_destroy(CONF *conf);
+static int def_destroy_data(CONF *conf);
+static int def_load(CONF *conf, BIO *bp, long *eline);
+static int def_dump(CONF *conf, BIO *bp);
+static int def_is_number(CONF *conf, char c);
+static int def_to_int(CONF *conf, char c);
+
+const char *CONF_def_version="CONF_def" OPENSSL_VERSION_PTEXT;
+
+static CONF_METHOD default_method = {
+        "OpenSSL default",
+        def_create,
+        def_init_default,
+        def_destroy,
+        def_destroy_data,
+        def_load,
+        def_dump,
+        def_is_number,
+        def_to_int
+        };
+
+static CONF_METHOD WIN32_method = {
+        "WIN32",
+        def_create,
+        def_init_WIN32,
+        def_destroy,
+        def_destroy_data,
+        def_load,
+        def_dump,
+        def_is_number,
+        def_to_int
+        };
+
+CONF_METHOD *NCONF_default()
+        {
+        return &default_method;
+        }
+CONF_METHOD *NCONF_WIN32()
+        {
+        return &WIN32_method;
+        }
+
+static CONF *def_create(CONF_METHOD *meth)
+        {
+        CONF *ret;
+
+        ret = (CONF *)OPENSSL_malloc(sizeof(CONF) + sizeof(unsigned short *));
+        if (ret)
+                if (meth->init(ret) == 0)
+                        {
+                        OPENSSL_free(ret);
+                        ret = NULL;
+                        }
+        return ret;
+        }
+        
+static int def_init_default(CONF *conf)
+        {
+        if (conf == NULL)
+                return 0;
+
+        conf->meth = &default_method;
+        conf->meth_data = (void *)CONF_type_default;
+        conf->data = NULL;
+
+        return 1;
+        }
+
+static int def_init_WIN32(CONF *conf)
+        {
+        if (conf == NULL)
+                return 0;
+
+        conf->meth = &WIN32_method;
+        conf->meth_data = (void *)CONF_type_win32;
+        conf->data = NULL;
+
+        return 1;
+        }
+
+static int def_destroy(CONF *conf)
+        {
+        if (def_destroy_data(conf))
+                {
+                OPENSSL_free(conf);
+                return 1;
+                }
+        return 0;
+        }
+
+static int def_destroy_data(CONF *conf)
+        {
+        if (conf == NULL)
+                return 0;
+        _CONF_free_data(conf);
+        return 1;
+        }
+
+static int def_load(CONF *conf, BIO *in, long *line)
+        {
+#define BUFSIZE 512
+        char btmp[16];
+        int bufnum=0,i,ii;
+        BUF_MEM *buff=NULL;
+        char *s,*p,*end;
+        int again,n;
+        long eline=0;
+        CONF_VALUE *v=NULL,*tv;
+        CONF_VALUE *sv=NULL;
+        char *section=NULL,*buf;
+        STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
+        char *start,*psection,*pname;
+        void *h = (void *)(conf->data);
+
+        if ((buff=BUF_MEM_new()) == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+                goto err;
+                }
+
+        section=(char *)OPENSSL_malloc(10);
+        if (section == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        strcpy(section,"default");
+
+        if (_CONF_new_data(conf) == 0)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        sv=_CONF_new_section(conf,section);
+        if (sv == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                goto err;
+                }
+        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+
+        bufnum=0;
+        for (;;)
+                {
+                again=0;
+                if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
+                        {
+                        CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+                        goto err;
+                        }
+                p= &(buff->data[bufnum]);
+                *p='\0';
+                BIO_gets(in, p, BUFSIZE-1);
+                p[BUFSIZE-1]='\0';
+                ii=i=strlen(p);
+                if (i == 0) break;
+                while (i > 0)
+                        {
+                        if ((p[i-1] != '\r') && (p[i-1] != '\n'))
+                                break;
+                        else
+                                i--;
+                        }
+                /* we removed some trailing stuff so there is a new
+                 * line on the end. */
+                if (i == ii)
+                        again=1; /* long line */
+                else
+                        {
+                        p[i]='\0';
+                        eline++; /* another input line */
+                        }
+
+                /* we now have a line with trailing \r\n removed */
+
+                /* i is the number of bytes */
+                bufnum+=i;
+
+                v=NULL;
+                /* check for line continuation */
+                if (bufnum >= 1)
+                        {
+                        /* If we have bytes and the last char '\\' and
+                         * second last char is not '\\' */
+                        p= &(buff->data[bufnum-1]);
+                        if (IS_ESC(conf,p[0]) &&
+                                ((bufnum <= 1) || !IS_ESC(conf,p[-1])))
+                                {
+                                bufnum--;
+                                again=1;
+                                }
+                        }
+                if (again) continue;
+                bufnum=0;
+                buf=buff->data;
+
+                clear_comments(conf, buf);
+                n=strlen(buf);
+                s=eat_ws(conf, buf);
+                if (IS_EOF(conf,*s)) continue; /* blank line */
+                if (*s == '[')
+                        {
+                        char *ss;
+
+                        s++;
+                        start=eat_ws(conf, s);
+                        ss=start;
+again:
+                        end=eat_alpha_numeric(conf, ss);
+                        p=eat_ws(conf, end);
+                        if (*p != ']')
+                                {
+                                if (*p != '\0')
+                                        {
+                                        ss=p;
+                                        goto again;
+                                        }
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
+                                goto err;
+                                }
+                        *end='\0';
+                        if (!str_copy(conf,NULL,&section,start)) goto err;
+                        if ((sv=_CONF_get_section(conf,section)) == NULL)
+                                sv=_CONF_new_section(conf,section);
+                        if (sv == NULL)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                                goto err;
+                                }
+                        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+                        continue;
+                        }
+                else
+                        {
+                        pname=s;
+                        psection=NULL;
+                        end=eat_alpha_numeric(conf, s);
+                        if ((end[0] == ':') && (end[1] == ':'))
+                                {
+                                *end='\0';
+                                end+=2;
+                                psection=pname;
+                                pname=end;
+                                end=eat_alpha_numeric(conf, end);
+                                }
+                        p=eat_ws(conf, end);
+                        if (*p != '=')
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                CONF_R_MISSING_EQUAL_SIGN);
+                                goto err;
+                                }
+                        *end='\0';
+                        p++;
+                        start=eat_ws(conf, p);
+                        while (!IS_EOF(conf,*p))
+                                p++;
+                        p--;
+                        while ((p != start) && (IS_WS(conf,*p)))
+                                p--;
+                        p++;
+                        *p='\0';
+
+                        if (!(v=(CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))))
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        if (psection == NULL) psection=section;
+                        v->name=(char *)OPENSSL_malloc(strlen(pname)+1);
+                        v->value=NULL;
+                        if (v->name == NULL)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        strcpy(v->name,pname);
+                        if (!str_copy(conf,psection,&(v->value),start)) goto err;
+
+                        if (strcmp(psection,section) != 0)
+                                {
+                                if ((tv=_CONF_get_section(conf,psection))
+                                        == NULL)
+                                        tv=_CONF_new_section(conf,psection);
+                                if (tv == NULL)
+                                        {
+                                        CONFerr(CONF_F_CONF_LOAD_BIO,
+                                           CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                                        goto err;
+                                        }
+                                ts=(STACK_OF(CONF_VALUE) *)tv->value;
+                                }
+                        else
+                                {
+                                tv=sv;
+                                ts=section_sk;
+                                }
+#if 1
+                        if (_CONF_add_string(conf, tv, v) == 0)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+#else
+                        v->section=tv->section; 
+                        if (!sk_CONF_VALUE_push(ts,v))
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        vv=(CONF_VALUE *)lh_insert(conf->data,v);
+                        if (vv != NULL)
+                                {
+                                sk_CONF_VALUE_delete_ptr(ts,vv);
+                                OPENSSL_free(vv->name);
+                                OPENSSL_free(vv->value);
+                                OPENSSL_free(vv);
+                                }
+#endif
+                        v=NULL;
+                        }
+                }
+        if (buff != NULL) BUF_MEM_free(buff);
+        if (section != NULL) OPENSSL_free(section);
+        return(1);
+err:
+        if (buff != NULL) BUF_MEM_free(buff);
+        if (section != NULL) OPENSSL_free(section);
+        if (line != NULL) *line=eline;
+        sprintf(btmp,"%ld",eline);
+        ERR_add_error_data(2,"line ",btmp);
+        if ((h != conf->data) && (conf->data != NULL)) CONF_free(conf->data);
+        if (v != NULL)
+                {
+                if (v->name != NULL) OPENSSL_free(v->name);
+                if (v->value != NULL) OPENSSL_free(v->value);
+                if (v != NULL) OPENSSL_free(v);
+                }
+        return(0);
+        }
+
+static void clear_comments(CONF *conf, char *p)
+        {
+        char *to;
+
+        to=p;
+        for (;;)
+                {
+                if (IS_FCOMMENT(conf,*p))
+                        {
+                        *p='\0';
+                        return;
+                        }
+                if (!IS_WS(conf,*p))
+                        {
+                        break;
+                        }
+                p++;
+                }
+
+        for (;;)
+                {
+                if (IS_COMMENT(conf,*p))
+                        {
+                        *p='\0';
+                        return;
+                        }
+                if (IS_DQUOTE(conf,*p))
+                        {
+                        p=scan_dquote(conf, p);
+                        continue;
+                        }
+                if (IS_QUOTE(conf,*p))
+                        {
+                        p=scan_quote(conf, p);
+                        continue;
+                        }
+                if (IS_ESC(conf,*p))
+                        {
+                        p=scan_esc(conf,p);
+                        continue;
+                        }
+                if (IS_EOF(conf,*p))
+                        return;
+                else
+                        p++;
+                }
+        }
+
+static int str_copy(CONF *conf, char *section, char **pto, char *from)
+        {
+        int q,r,rr=0,to=0,len=0;
+        char *s,*e,*rp,*p,*rrp,*np,*cp,v;
+        BUF_MEM *buf;
+
+        if ((buf=BUF_MEM_new()) == NULL) return(0);
+
+        len=strlen(from)+1;
+        if (!BUF_MEM_grow(buf,len)) goto err;
+
+        for (;;)
+                {
+                if (IS_QUOTE(conf,*from))
+                        {
+                        q= *from;
+                        from++;
+                        while (!IS_EOF(conf,*from) && (*from != q))
+                                {
+                                if (IS_ESC(conf,*from))
+                                        {
+                                        from++;
+                                        if (IS_EOF(conf,*from)) break;
+                                        }
+                                buf->data[to++]= *(from++);
+                                }
+                        if (*from == q) from++;
+                        }
+                else if (IS_DQUOTE(conf,*from))
+                        {
+                        q= *from;
+                        from++;
+                        while (!IS_EOF(conf,*from))
+                                {
+                                if (*from == q)
+                                        {
+                                        if (*(from+1) == q)
+                                                {
+                                                from++;
+                                                }
+                                        else
+                                                {
+                                                break;
+                                                }
+                                        }
+                                buf->data[to++]= *(from++);
+                                }
+                        if (*from == q) from++;
+                        }
+                else if (IS_ESC(conf,*from))
+                        {
+                        from++;
+                        v= *(from++);
+                        if (IS_EOF(conf,v)) break;
+                        else if (v == 'r') v='\r';
+                        else if (v == 'n') v='\n';
+                        else if (v == 'b') v='\b';
+                        else if (v == 't') v='\t';
+                        buf->data[to++]= v;
+                        }
+                else if (IS_EOF(conf,*from))
+                        break;
+                else if (*from == '$')
+                        {
+                        /* try to expand it */
+                        rrp=NULL;
+                        s= &(from[1]);
+                        if (*s == '{')
+                                q='}';
+                        else if (*s == '(')
+                                q=')';
+                        else q=0;
+
+                        if (q) s++;
+                        cp=section;
+                        e=np=s;
+                        while (IS_ALPHA_NUMERIC(conf,*e))
+                                e++;
+                        if ((e[0] == ':') && (e[1] == ':'))
+                                {
+                                cp=np;
+                                rrp=e;
+                                rr= *e;
+                                *rrp='\0';
+                                e+=2;
+                                np=e;
+                                while (IS_ALPHA_NUMERIC(conf,*e))
+                                        e++;
+                                }
+                        r= *e;
+                        *e='\0';
+                        rp=e;
+                        if (q)
+                                {
+                                if (r != q)
+                                        {
+                                        CONFerr(CONF_F_STR_COPY,CONF_R_NO_CLOSE_BRACE);
+                                        goto err;
+                                        }
+                                e++;
+                                }
+                        /* So at this point we have
+                         * ns which is the start of the name string which is
+                         *   '\0' terminated. 
+                         * cs which is the start of the section string which is
+                         *   '\0' terminated.
+                         * e is the 'next point after'.
+                         * r and s are the chars replaced by the '\0'
+                         * rp and sp is where 'r' and 's' came from.
+                         */
+                        p=_CONF_get_string(conf,cp,np);
+                        if (rrp != NULL) *rrp=rr;
+                        *rp=r;
+                        if (p == NULL)
+                                {
+                                CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
+                                goto err;
+                                }
+                        BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
+                        while (*p)
+                                buf->data[to++]= *(p++);
+                        from=e;
+                        }
+                else
+                        buf->data[to++]= *(from++);
+                }
+        buf->data[to]='\0';
+        if (*pto != NULL) OPENSSL_free(*pto);
+        *pto=buf->data;
+        OPENSSL_free(buf);
+        return(1);
+err:
+        if (buf != NULL) BUF_MEM_free(buf);
+        return(0);
+        }
+
+static char *eat_ws(CONF *conf, char *p)
+        {
+        while (IS_WS(conf,*p) && (!IS_EOF(conf,*p)))
+                p++;
+        return(p);
+        }
+
+static char *eat_alpha_numeric(CONF *conf, char *p)
+        {
+        for (;;)
+                {
+                if (IS_ESC(conf,*p))
+                        {
+                        p=scan_esc(conf,p);
+                        continue;
+                        }
+                if (!IS_ALPHA_NUMERIC_PUNCT(conf,*p))
+                        return(p);
+                p++;
+                }
+        }
+
+static char *scan_quote(CONF *conf, char *p)
+        {
+        int q= *p;
+
+        p++;
+        while (!(IS_EOF(conf,*p)) && (*p != q))
+                {
+                if (IS_ESC(conf,*p))
+                        {
+                        p++;
+                        if (IS_EOF(conf,*p)) return(p);
+                        }
+                p++;
+                }
+        if (*p == q) p++;
+        return(p);
+        }
+
+
+static char *scan_dquote(CONF *conf, char *p)
+        {
+        int q= *p;
+
+        p++;
+        while (!(IS_EOF(conf,*p)))
+                {
+                if (*p == q)
+                        {
+                        if (*(p+1) == q)
+                                {
+                                p++;
+                                }
+                        else
+                                {
+                                break;
+                                }
+                        }
+                p++;
+                }
+        if (*p == q) p++;
+        return(p);
+        }
+
+static void dump_value(CONF_VALUE *a, BIO *out)
+        {
+        if (a->name)
+                BIO_printf(out, "[%s] %s=%s\n", a->section, a->name, a->value);
+        else
+                BIO_printf(out, "[[%s]]\n", a->section);
+        }
+
+static int def_dump(CONF *conf, BIO *out)
+        {
+        lh_doall_arg(conf->data, (void (*)())dump_value, out);
+        return 1;
+        }
+
+static int def_is_number(CONF *conf, char c)
+        {
+        return IS_NUMBER(conf,c);
+        }
+
+static int def_to_int(CONF *conf, char c)
+        {
+        return c - '0';
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_def.h b/src/lib/libcrypto/conf/conf_def.h
new file mode 100644
index 0000000000..3244d9a331
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_def.h
@@ -0,0 +1,145 @@
+/* crypto/conf/conf_def.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE WAS AUTOMAGICALLY GENERATED!
+   Please modify and use keysets.pl to regenerate it. */
+
+#define CONF_NUMBER             1
+#define CONF_UPPER              2
+#define CONF_LOWER              4
+#define CONF_UNDER              256
+#define CONF_PUNCTUATION        512
+#define CONF_WS                 16
+#define CONF_ESC                32
+#define CONF_QUOTE              64
+#define CONF_DQUOTE             1024
+#define CONF_COMMENT            128
+#define CONF_FCOMMENT           2048
+#define CONF_EOF                8
+#define CONF_ALPHA              (CONF_UPPER|CONF_LOWER)
+#define CONF_ALPHA_NUMERIC      (CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
+#define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
+                                        CONF_PUNCTUATION)
+
+#define KEYTYPES(c)             ((unsigned short *)((c)->meth_data))
+#ifndef CHARSET_EBCDIC
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0x7f]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0x7f]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[(a)&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_ALPHA_NUMERIC_PUNCT(c,a) \
+                                (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0x7f]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_DQUOTE)
+
+#else /*CHARSET_EBCDIC*/
+
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_ALPHA_NUMERIC_PUNCT(c,a) \
+                                (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_DQUOTE)
+#endif /*CHARSET_EBCDIC*/
+
+static unsigned short CONF_type_default[128]={
+        0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x010,0x200,0x040,0x080,0x000,0x200,0x200,0x040,
+        0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
+        0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
+        0x001,0x001,0x000,0x200,0x000,0x000,0x000,0x200,
+        0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x000,0x020,0x000,0x200,0x100,
+        0x040,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+        };
+
+static unsigned short CONF_type_win32[128]={
+        0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x010,0x200,0x400,0x000,0x000,0x200,0x200,0x000,
+        0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
+        0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
+        0x001,0x001,0x000,0xA00,0x000,0x000,0x000,0x200,
+        0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x000,0x000,0x000,0x200,0x100,
+        0x000,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+        };
+
diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c
new file mode 100644
index 0000000000..4c8ca9e9ae
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_lib.c
@@ -0,0 +1,352 @@
+/* conf_lib.c */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/conf.h>
+#include <openssl/conf_api.h>
+#include <openssl/lhash.h>
+
+const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT;
+
+static CONF_METHOD *default_CONF_method=NULL;
+
+/* The following section contains the "CONF classic" functions,
+   rewritten in terms of the new CONF interface. */
+
+int CONF_set_default_method(CONF_METHOD *meth)
+        {
+        default_CONF_method = meth;
+        return 1;
+        }
+
+LHASH *CONF_load(LHASH *conf, const char *file, long *eline)
+        {
+        LHASH *ltmp;
+        BIO *in=NULL;
+
+#ifdef VMS
+        in=BIO_new_file(file, "r");
+#else
+        in=BIO_new_file(file, "rb");
+#endif
+        if (in == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                return NULL;
+                }
+
+        ltmp = CONF_load_bio(conf, in, eline);
+        BIO_free(in);
+
+        return ltmp;
+        }
+
+#ifndef NO_FP_API
+LHASH *CONF_load_fp(LHASH *conf, FILE *fp,long *eline)
+        {
+        BIO *btmp;
+        LHASH *ltmp;
+        if(!(btmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+                return NULL;
+        }
+        ltmp = CONF_load_bio(conf, btmp, eline);
+        BIO_free(btmp);
+        return ltmp;
+        }
+#endif
+
+LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline)
+        {
+        CONF ctmp;
+        int ret;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        ret = NCONF_load_bio(&ctmp, bp, eline);
+        if (ret)
+                return ctmp.data;
+        return NULL;
+        }
+
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_get_section(&ctmp, section);
+        }
+
+char *CONF_get_string(LHASH *conf,char *group,char *name)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_get_string(&ctmp, group, name);
+        }
+
+long CONF_get_number(LHASH *conf,char *group,char *name)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_get_number(&ctmp, group, name);
+        }
+
+void CONF_free(LHASH *conf)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        NCONF_free_data(&ctmp);
+        }
+
+#ifndef NO_FP_API
+int CONF_dump_fp(LHASH *conf, FILE *out)
+        {
+        BIO *btmp;
+        int ret;
+
+        if(!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_CONF_DUMP_FP,ERR_R_BUF_LIB);
+                return 0;
+        }
+        ret = CONF_dump_bio(conf, btmp);
+        BIO_free(btmp);
+        return ret;
+        }
+#endif
+
+int CONF_dump_bio(LHASH *conf, BIO *out)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_dump_bio(&ctmp, out);
+        }
+
+/* The following section contains the "New CONF" functions.  They are
+   completely centralised around a new CONF structure that may contain
+   basically anything, but at least a method pointer and a table of data.
+   These functions are also written in terms of the bridge functions used
+   by the "CONF classic" functions, for consistency.  */
+
+CONF *NCONF_new(CONF_METHOD *meth)
+        {
+        CONF *ret;
+
+        if (meth == NULL)
+                meth = NCONF_default();
+
+        ret = meth->create(meth);
+        if (ret == NULL)
+                {
+                CONFerr(CONF_F_NCONF_NEW,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+
+        return ret;
+        }
+
+void NCONF_free(CONF *conf)
+        {
+        if (conf == NULL)
+                return;
+        conf->meth->destroy(conf);
+        }
+
+void NCONF_free_data(CONF *conf)
+        {
+        if (conf == NULL)
+                return;
+        conf->meth->destroy_data(conf);
+        }
+
+int NCONF_load(CONF *conf, const char *file, long *eline)
+        {
+        int ret;
+        BIO *in=NULL;
+
+#ifdef VMS
+        in=BIO_new_file(file, "r");
+#else
+        in=BIO_new_file(file, "rb");
+#endif
+        if (in == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                return 0;
+                }
+
+        ret = NCONF_load_bio(conf, in, eline);
+        BIO_free(in);
+
+        return ret;
+        }
+
+#ifndef NO_FP_API
+int NCONF_load_fp(CONF *conf, FILE *fp,long *eline)
+        {
+        BIO *btmp;
+        int ret;
+        if(!(btmp = BIO_new_fp(fp, BIO_NOCLOSE)))
+                {
+                CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+                return 0;
+                }
+        ret = NCONF_load_bio(conf, btmp, eline);
+        BIO_free(btmp);
+        return ret;
+        }
+#endif
+
+int NCONF_load_bio(CONF *conf, BIO *bp,long *eline)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_LOAD_BIO,CONF_R_NO_CONF);
+                return 0;
+                }
+
+        return conf->meth->load(conf, bp, eline);
+        }
+
+STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_CONF);
+                return NULL;
+                }
+
+        return _CONF_get_section_values(conf, section);
+        }
+
+char *NCONF_get_string(CONF *conf,char *group,char *name)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF);
+                return NULL;
+                }
+
+        return _CONF_get_string(conf, group, name);
+        }
+
+long NCONF_get_number(CONF *conf,char *group,char *name)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF);
+                return 0;
+                }
+        
+        return _CONF_get_number(conf, group, name);
+        }
+
+#ifndef NO_FP_API
+int NCONF_dump_fp(CONF *conf, FILE *out)
+        {
+        BIO *btmp;
+        int ret;
+        if(!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_NCONF_DUMP_FP,ERR_R_BUF_LIB);
+                return 0;
+        }
+        ret = NCONF_dump_bio(conf, btmp);
+        BIO_free(btmp);
+        return ret;
+        }
+#endif
+
+int NCONF_dump_bio(CONF *conf, BIO *out)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_DUMP_BIO,CONF_R_NO_CONF);
+                return 0;
+                }
+
+        return conf->meth->dump(conf, out);
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_mall.c b/src/lib/libcrypto/conf/conf_mall.c
new file mode 100644
index 0000000000..d702af689b
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_mall.c
@@ -0,0 +1,76 @@
+/* conf_mall.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* Load all OpenSSL builtin modules */
+
+void OPENSSL_load_builtin_modules(void)
+        {
+        /* Add builtin modules here */
+        ASN1_add_oid_module();
+        ENGINE_add_conf_module();
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
new file mode 100644
index 0000000000..f92babc2e2
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -0,0 +1,616 @@
+/* conf_mod.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+
+
+#define DSO_mod_init_name "OPENSSL_init"
+#define DSO_mod_finish_name "OPENSSL_finish"
+
+
+/* This structure contains a data about supported modules.
+ * entries in this table correspond to either dynamic or
+ * static modules.
+ */
+
+struct conf_module_st
+        {
+        /* DSO of this module or NULL if static */
+        DSO *dso;
+        /* Name of the module */
+        char *name;
+        /* Init function */
+        conf_init_func *init; 
+        /* Finish function */
+        conf_finish_func *finish;
+        /* Number of successfully initialized modules */
+        int links;
+        void *usr_data;
+        };
+
+
+/* This structure contains information about modules that have been
+ * successfully initialized. There may be more than one entry for a
+ * given module.
+ */
+
+struct conf_imodule_st
+        {
+        CONF_MODULE *pmod;
+        char *name;
+        char *value;
+        unsigned long flags;
+        void *usr_data;
+        };
+
+static STACK_OF(CONF_MODULE) *supported_modules = NULL;
+static STACK_OF(CONF_IMODULE) *initialized_modules = NULL;
+
+static void module_free(CONF_MODULE *md);
+static void module_finish(CONF_IMODULE *imod);
+static int module_run(const CONF *cnf, char *name, char *value,
+                                          unsigned long flags);
+static CONF_MODULE *module_add(DSO *dso, const char *name,
+                        conf_init_func *ifunc, conf_finish_func *ffunc);
+static CONF_MODULE *module_find(char *name);
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
+                                           const CONF *cnf);
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                                                        unsigned long flags);
+
+/* Main function: load modules from a CONF structure */
+
+int CONF_modules_load(const CONF *cnf, const char *appname,
+                      unsigned long flags)
+        {
+        STACK_OF(CONF_VALUE) *values;
+        CONF_VALUE *vl;
+        char *vsection;
+
+        int ret, i;
+
+        if (!cnf)
+                return 1;
+
+        if (appname == NULL)
+                appname = "openssl_conf";
+
+        vsection = NCONF_get_string(cnf, NULL, appname); 
+
+        if (!vsection)
+                {
+                ERR_clear_error();
+                return 1;
+                }
+
+        values = NCONF_get_section(cnf, vsection);
+
+        if (!values)
+                return 0;
+
+        for (i = 0; i < sk_CONF_VALUE_num(values); i++)
+                {
+                vl = sk_CONF_VALUE_value(values, i);
+                ret = module_run(cnf, vl->name, vl->value, flags);
+                if (ret <= 0)
+                        if(!(flags & CONF_MFLAGS_IGNORE_ERRORS))
+                                return ret;
+                }
+
+        return 1;
+
+        }
+
+int CONF_modules_load_file(const char *filename, const char *appname,
+                           unsigned long flags)
+        {
+        char *file = NULL;
+        CONF *conf = NULL;
+        int ret = 0;
+        conf = NCONF_new(NULL);
+        if (!conf)
+                goto err;
+
+        if (filename == NULL)
+                {
+                file = CONF_get1_default_config_file();
+                if (!file)
+                        goto err;
+                }
+        else
+                file = (char *)filename;
+
+        if (NCONF_load(conf, file, NULL) <= 0)
+                {
+                if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) &&
+                  (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE))
+                        {
+                        ERR_clear_error();
+                        ret = 1;
+                        }
+                goto err;
+                }
+
+        ret = CONF_modules_load(conf, appname, flags);
+
+        err:
+        if (filename == NULL)
+                OPENSSL_free(file);
+        NCONF_free(conf);
+
+        return ret;
+        }
+
+static int module_run(const CONF *cnf, char *name, char *value,
+                      unsigned long flags)
+        {
+        CONF_MODULE *md;
+        int ret;
+
+        md = module_find(name);
+
+        /* Module not found: try to load DSO */
+        if (!md && !(flags & CONF_MFLAGS_NO_DSO))
+                md = module_load_dso(cnf, name, value, flags);
+
+        if (!md)
+                {
+                if (!(flags & CONF_MFLAGS_SILENT))
+                        {
+                        CONFerr(CONF_F_MODULE_RUN, CONF_R_UNKNOWN_MODULE_NAME);
+                        ERR_add_error_data(2, "module=", name);
+                        }
+                return -1;
+                }
+
+        ret = module_init(md, name, value, cnf);
+
+        if (ret <= 0)
+                {
+                if (!(flags & CONF_MFLAGS_SILENT))
+                        {
+                        char rcode[10];
+                        CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
+                        sprintf(rcode, "%-8d", ret);
+                        ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
+                        }
+                }
+
+        return ret;
+        }
+
+/* Load a module from a DSO */
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                    unsigned long flags)
+        {
+        DSO *dso = NULL;
+        conf_init_func *ifunc;
+        conf_finish_func *ffunc;
+        char *path = NULL;
+        int errcode = 0;
+        CONF_MODULE *md;
+        /* Look for alternative path in module section */
+        path = NCONF_get_string(cnf, value, "path");
+        if (!path)
+                {
+                ERR_get_error();
+                path = name;
+                }
+        dso = DSO_load(NULL, path, NULL, 0);
+        if (!dso)
+                {
+                errcode = CONF_R_ERROR_LOADING_DSO;
+                goto err;
+                }
+        ifunc = (conf_init_func *)DSO_bind_func(dso, DSO_mod_init_name);
+        if (!ifunc)
+                {
+                errcode = CONF_R_MISSING_INIT_FUNCTION;
+                goto err;
+                }
+        ffunc = (conf_finish_func *)DSO_bind_func(dso, DSO_mod_finish_name);
+        /* All OK, add module */
+        md = module_add(dso, name, ifunc, ffunc);
+
+        if (!md)
+                goto err;
+
+        return md;
+
+        err:
+        if (dso)
+                DSO_free(dso);
+        CONFerr(CONF_F_MODULE_LOAD_DSO, errcode);
+        ERR_add_error_data(4, "module=", name, ", path=", path);
+        return NULL;
+        }
+
+/* add module to list */
+static CONF_MODULE *module_add(DSO *dso, const char *name,
+                               conf_init_func *ifunc, conf_finish_func *ffunc)
+        {
+        CONF_MODULE *tmod = NULL;
+        if (supported_modules == NULL)
+                supported_modules = sk_CONF_MODULE_new_null();
+        if (supported_modules == NULL)
+                return NULL;
+        tmod = OPENSSL_malloc(sizeof(CONF_MODULE));
+        if (tmod == NULL)
+                return NULL;
+
+        tmod->dso = dso;
+        tmod->name = BUF_strdup(name);
+        tmod->init = ifunc;
+        tmod->finish = ffunc;
+        tmod->links = 0;
+
+        if (!sk_CONF_MODULE_push(supported_modules, tmod))
+                {
+                OPENSSL_free(tmod);
+                return NULL;
+                }
+
+        return tmod;
+        }
+
+/* Find a module from the list. We allow module names of the
+ * form modname.XXXX to just search for modname to allow the
+ * same module to be initialized more than once.
+ */
+
+static CONF_MODULE *module_find(char *name)
+        {
+        CONF_MODULE *tmod;
+        int i, nchar;
+        char *p;
+        p = strrchr(name, '.');
+
+        if (p)
+                nchar = p - name;
+        else 
+                nchar = strlen(name);
+
+        for (i = 0; i < sk_CONF_MODULE_num(supported_modules); i++)
+                {
+                tmod = sk_CONF_MODULE_value(supported_modules, i);
+                if (!strncmp(tmod->name, name, nchar))
+                        return tmod;
+                }
+
+        return NULL;
+
+        }
+
+/* initialize a module */
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
+                       const CONF *cnf)
+        {
+        int ret = 1;
+        int init_called = 0;
+        CONF_IMODULE *imod = NULL;
+
+        /* Otherwise add initialized module to list */
+        imod = OPENSSL_malloc(sizeof(CONF_IMODULE));
+        if (!imod)
+                goto err;
+
+        imod->pmod = pmod;
+        imod->name = BUF_strdup(name);
+        imod->value = BUF_strdup(value);
+        imod->usr_data = NULL;
+
+        if (!imod->name || !imod->value)
+                goto memerr;
+
+        /* Try to initialize module */
+        if(pmod->init)
+                {
+                ret = pmod->init(imod, cnf);
+                init_called = 1;
+                /* Error occurred, exit */
+                if (ret <= 0)
+                        goto err;
+                }
+
+        if (initialized_modules == NULL)
+                {
+                initialized_modules = sk_CONF_IMODULE_new_null();
+                if (!initialized_modules)
+                        {
+                        CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+
+        if (!sk_CONF_IMODULE_push(initialized_modules, imod))
+                {
+                CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        pmod->links++;
+
+        return ret;
+
+        err:
+
+        /* We've started the module so we'd better finish it */
+        if (pmod->finish && init_called)
+                pmod->finish(imod);
+
+        memerr:
+        if (imod)
+                {
+                if (imod->name)
+                        OPENSSL_free(imod->name);
+                if (imod->value)
+                        OPENSSL_free(imod->value);
+                OPENSSL_free(imod);
+                }
+
+        return -1;
+
+        }
+
+/* Unload any dynamic modules that have a link count of zero:
+ * i.e. have no active initialized modules. If 'all' is set
+ * then all modules are unloaded including static ones.
+ */
+
+void CONF_modules_unload(int all)
+        {
+        int i;
+        CONF_MODULE *md;
+        CONF_modules_finish();
+        /* unload modules in reverse order */
+        for (i = sk_CONF_MODULE_num(supported_modules) - 1; i >= 0; i--)
+                {
+                md = sk_CONF_MODULE_value(supported_modules, i);
+                /* If static or in use and 'all' not set ignore it */
+                if (((md->links > 0) || !md->dso) && !all)
+                        continue;
+                /* Since we're working in reverse this is OK */
+                sk_CONF_MODULE_delete(supported_modules, i);
+                module_free(md);
+                }
+        if (sk_CONF_MODULE_num(supported_modules) == 0)
+                {
+                sk_CONF_MODULE_free(supported_modules);
+                supported_modules = NULL;
+                }
+        }
+
+/* unload a single module */
+static void module_free(CONF_MODULE *md)
+        {
+        if (md->dso)
+                DSO_free(md->dso);
+        OPENSSL_free(md->name);
+        OPENSSL_free(md);
+        }
+
+/* finish and free up all modules instances */
+
+void CONF_modules_finish(void)
+        {
+        CONF_IMODULE *imod;
+        while (sk_CONF_IMODULE_num(initialized_modules) > 0)
+                {
+                imod = sk_CONF_IMODULE_pop(initialized_modules);
+                module_finish(imod);
+                }
+        sk_CONF_IMODULE_free(initialized_modules);
+        initialized_modules = NULL;
+        }
+
+/* finish a module instance */
+
+static void module_finish(CONF_IMODULE *imod)
+        {
+        if (imod->pmod->finish)
+                imod->pmod->finish(imod);
+        imod->pmod->links--;
+        OPENSSL_free(imod->name);
+        OPENSSL_free(imod->value);
+        OPENSSL_free(imod);
+        }
+
+/* Add a static module to OpenSSL */
+
+int CONF_module_add(const char *name, conf_init_func *ifunc, 
+                    conf_finish_func *ffunc)
+        {
+        if (module_add(NULL, name, ifunc, ffunc))
+                return 1;
+        else
+                return 0;
+        }
+
+void CONF_modules_free(void)
+        {
+        CONF_modules_finish();
+        CONF_modules_unload(1);
+        }
+
+/* Utility functions */
+
+const char *CONF_imodule_get_name(const CONF_IMODULE *md)
+        {
+        return md->name;
+        }
+
+const char *CONF_imodule_get_value(const CONF_IMODULE *md)
+        {
+        return md->value;
+        }
+
+void *CONF_imodule_get_usr_data(const CONF_IMODULE *md)
+        {
+        return md->usr_data;
+        }
+
+void CONF_imodule_set_usr_data(CONF_IMODULE *md, void *usr_data)
+        {
+        md->usr_data = usr_data;
+        }
+
+CONF_MODULE *CONF_imodule_get_module(const CONF_IMODULE *md)
+        {
+        return md->pmod;
+        }
+
+unsigned long CONF_imodule_get_flags(const CONF_IMODULE *md)
+        {
+        return md->flags;
+        }
+
+void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags)
+        {
+        md->flags = flags;
+        }
+
+void *CONF_module_get_usr_data(CONF_MODULE *pmod)
+        {
+        return pmod->usr_data;
+        }
+
+void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
+        {
+        pmod->usr_data = usr_data;
+        }
+
+/* Return default config file name */
+
+char *CONF_get1_default_config_file(void)
+        {
+        char *file;
+        int len;
+
+        file = getenv("OPENSSL_CONF");
+        if (file) 
+                return BUF_strdup(file);
+
+        len = strlen(X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+        len++;
+#endif
+        len += strlen(OPENSSL_CONF);
+
+        file = OPENSSL_malloc(len + 1);
+
+        if (!file)
+                return NULL;
+        strcpy(file,X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+        strcat(file,"/");
+#endif
+        strcat(file,OPENSSL_CONF);
+
+        return file;
+        }
+
+/* This function takes a list separated by 'sep' and calls the
+ * callback function giving the start and length of each member
+ * optionally stripping leading and trailing whitespace. This can
+ * be used to parse comma separated lists for example.
+ */
+
+int CONF_parse_list(const char *list, int sep, int nospc,
+        int (*list_cb)(const char *elem, int len, void *usr), void *arg)
+        {
+        int ret;
+        const char *lstart, *tmpend, *p;
+        lstart = list;
+
+        for(;;)
+                {
+                if (nospc)
+                        {
+                        while(*lstart && isspace((unsigned char)*lstart))
+                                lstart++;
+                        }
+                p = strchr(lstart, sep);
+                if (p == lstart || !*lstart)
+                        ret = list_cb(NULL, 0, arg);
+                else
+                        {
+                        if (p)
+                                tmpend = p - 1;
+                        else 
+                                tmpend = lstart + strlen(lstart) - 1;
+                        if (nospc)
+                                {
+                                while(isspace((unsigned char)*tmpend))
+                                        tmpend--;
+                                }
+                        ret = list_cb(lstart, tmpend - lstart + 1, arg);
+                        }
+                if (ret <= 0)
+                        return ret;
+                if (p == NULL)
+                        return 1;
+                lstart = p + 1;
+                }
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_sap.c b/src/lib/libcrypto/conf/conf_sap.c
new file mode 100644
index 0000000000..97fb174303
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_sap.c
@@ -0,0 +1,107 @@
+/* conf_sap.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* This is the automatic configuration loader: it is called automatically by
+ * OpenSSL when any of a number of standard initialisation functions are called,
+ * unless this is overridden by calling OPENSSL_no_config()
+ */
+
+static int openssl_configured = 0;
+
+void OPENSSL_config(const char *config_name)
+        {
+        if (openssl_configured)
+                return;
+
+        OPENSSL_load_builtin_modules();
+        /* Need to load ENGINEs */
+        ENGINE_load_builtin_engines();
+        /* Add others here? */
+
+
+        ERR_clear_error();
+        if (CONF_modules_load_file(NULL, NULL,
+                                        CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
+                {
+                BIO *bio_err;
+                ERR_load_crypto_strings();
+                if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+                        {
+                        BIO_printf(bio_err,"Auto configuration failed\n");
+                        ERR_print_errors(bio_err);
+                        BIO_free(bio_err);
+                        }
+                exit(1);
+                }
+
+        return;
+        }
+
+void OPENSSL_no_config()
+        {
+        openssl_configured = 1;
+        }
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
new file mode 100644
index 0000000000..67f90aaf17
--- /dev/null
+++ b/src/lib/libcrypto/des/des.h
@@ -0,0 +1,249 @@
+/* crypto/des/des.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_DES_H
+#define HEADER_DES_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_DES
+#error DES is disabled.
+#endif
+
+#ifdef _KERBEROS_DES_H
+#error <openssl/des.h> replaces <kerberos/des.h>.
+#endif
+
+#include <stdio.h>
+#include <openssl/opensslconf.h> /* DES_LONG */
+#include <openssl/e_os2.h>      /* OPENSSL_EXTERN */
+
+typedef unsigned char des_cblock[8];
+typedef /* const */ unsigned char const_des_cblock[8];
+/* With "const", gcc 2.8.1 on Solaris thinks that des_cblock *
+ * and const_des_cblock * are incompatible pointer types.
+ * I haven't seen that warning on other systems ... I'll look
+ * what the standard says. */
+
+
+typedef struct des_ks_struct
+        {
+        union   {
+                des_cblock cblock;
+                /* make sure things are correct size on machines with
+                 * 8 byte longs */
+                DES_LONG deslong[2];
+                } ks;
+        int weak_key;
+        } des_key_schedule[16];
+
+#define DES_KEY_SZ      (sizeof(des_cblock))
+#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
+
+#define DES_ENCRYPT     1
+#define DES_DECRYPT     0
+
+#define DES_CBC_MODE    0
+#define DES_PCBC_MODE   1
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+OPENSSL_EXTERN int des_check_key;       /* defaults to false */
+OPENSSL_EXTERN int des_rw_mode;         /* defaults to DES_PCBC_MODE */
+OPENSSL_EXTERN int des_set_weak_key_flag; /* set the weak key flag */
+
+const char *des_options(void);
+void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
+                      des_key_schedule ks1,des_key_schedule ks2,
+                      des_key_schedule ks3, int enc);
+DES_LONG des_cbc_cksum(const unsigned char *input,des_cblock *output,
+                       long length,des_key_schedule schedule,
+                       const_des_cblock *ivec);
+/* des_cbc_encrypt does not update the IV!  Use des_ncbc_encrypt instead. */
+void des_cbc_encrypt(const unsigned char *input,unsigned char *output,
+                     long length,des_key_schedule schedule,des_cblock *ivec,
+                     int enc);
+void des_ncbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,des_key_schedule schedule,des_cblock *ivec,
+                      int enc);
+void des_xcbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,des_key_schedule schedule,des_cblock *ivec,
+                      const_des_cblock *inw,const_des_cblock *outw,int enc);
+void des_cfb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+                     long length,des_key_schedule schedule,des_cblock *ivec,
+                     int enc);
+void des_ecb_encrypt(const_des_cblock *input,des_cblock *output,
+                     des_key_schedule ks,int enc);
+void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc);
+void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
+void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3);
+void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3);
+void des_ede3_cbc_encrypt(const unsigned char *input,unsigned char *output, 
+                          long length,
+                          des_key_schedule ks1,des_key_schedule ks2,
+                          des_key_schedule ks3,des_cblock *ivec,int enc);
+void des_ede3_cbcm_encrypt(const unsigned char *in,unsigned char *out,
+                           long length,
+                           des_key_schedule ks1,des_key_schedule ks2,
+                           des_key_schedule ks3,
+                           des_cblock *ivec1,des_cblock *ivec2,
+                           int enc);
+void des_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
+                            long length,des_key_schedule ks1,
+                            des_key_schedule ks2,des_key_schedule ks3,
+                            des_cblock *ivec,int *num,int enc);
+void des_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
+                            long length,des_key_schedule ks1,
+                            des_key_schedule ks2,des_key_schedule ks3,
+                            des_cblock *ivec,int *num);
+
+void des_xwhite_in2out(const_des_cblock *des_key,const_des_cblock *in_white,
+                       des_cblock *out_white);
+
+int des_enc_read(int fd,void *buf,int len,des_key_schedule sched,
+                 des_cblock *iv);
+int des_enc_write(int fd,const void *buf,int len,des_key_schedule sched,
+                  des_cblock *iv);
+char *des_fcrypt(const char *buf,const char *salt, char *ret);
+char *des_crypt(const char *buf,const char *salt);
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+char *crypt(const char *buf,const char *salt);
+#endif
+void des_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+                     long length,des_key_schedule schedule,des_cblock *ivec);
+void des_pcbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,des_key_schedule schedule,des_cblock *ivec,
+                      int enc);
+DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[],
+                        long length,int out_count,des_cblock *seed);
+void des_random_seed(des_cblock *key);
+void des_random_key(des_cblock *ret);
+int des_read_password(des_cblock *key,const char *prompt,int verify);
+int des_read_2passwords(des_cblock *key1,des_cblock *key2,
+                        const char *prompt,int verify);
+int des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+void des_set_odd_parity(des_cblock *key);
+int des_is_weak_key(const_des_cblock *key);
+int des_set_key(const_des_cblock *key,des_key_schedule schedule);
+int des_key_sched(const_des_cblock *key,des_key_schedule schedule);
+void des_string_to_key(const char *str,des_cblock *key);
+void des_string_to_2keys(const char *str,des_cblock *key1,des_cblock *key2);
+void des_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+                       des_key_schedule schedule,des_cblock *ivec,int *num,
+                       int enc);
+void des_ofb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+                       des_key_schedule schedule,des_cblock *ivec,int *num);
+int des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+/* Extra functions from Mark Murray <mark@grondar.za> */
+void des_cblock_print_file(const_des_cblock *cb, FILE *fp);
+
+/* The following definitions provide compatibility with the MIT Kerberos
+ * library. The des_key_schedule structure is not binary compatible. */
+
+#define _KERBEROS_DES_H
+
+#define KRBDES_ENCRYPT DES_ENCRYPT
+#define KRBDES_DECRYPT DES_DECRYPT
+
+#ifdef KERBEROS
+#  define ENCRYPT DES_ENCRYPT
+#  define DECRYPT DES_DECRYPT
+#endif
+
+#ifndef NCOMPAT
+#  define C_Block des_cblock
+#  define Key_schedule des_key_schedule
+#  define KEY_SZ DES_KEY_SZ
+#  define string_to_key des_string_to_key
+#  define read_pw_string des_read_pw_string
+#  define random_key des_random_key
+#  define pcbc_encrypt des_pcbc_encrypt
+#  define set_key des_set_key
+#  define key_sched des_key_sched
+#  define ecb_encrypt des_ecb_encrypt
+#  define cbc_encrypt des_cbc_encrypt
+#  define ncbc_encrypt des_ncbc_encrypt
+#  define xcbc_encrypt des_xcbc_encrypt
+#  define cbc_cksum des_cbc_cksum
+#  define quad_cksum des_quad_cksum
+#endif
+
+typedef des_key_schedule bit_64;
+#define des_fixup_key_parity des_set_odd_parity
+#define des_check_key_parity check_parity
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/des/des_locl.h b/src/lib/libcrypto/des/des_locl.h
new file mode 100644
index 0000000000..d6ea17cb68
--- /dev/null
+++ b/src/lib/libcrypto/des/des_locl.h
@@ -0,0 +1,408 @@
+/* crypto/des/des_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_DES_LOCL_H
+#define HEADER_DES_LOCL_H
+
+#if defined(WIN32) || defined(WIN16)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/opensslconf.h>
+
+#ifndef MSDOS
+#if !defined(VMS) || defined(__DECC)
+#include OPENSSL_UNISTD
+#include <math.h>
+#endif
+#endif
+#include <openssl/des.h>
+
+#ifdef MSDOS            /* Visual C++ 2.1 (Windows NT/95) */
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <io.h>
+#endif
+
+#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#include <string.h>
+#endif
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+/* used in des_read and des_write */
+#define MAXWRITE        (1024*16)
+#define BSIZE           (MAXWRITE+4)
+
+#define c2l(c,l)        (l =((DES_LONG)(*((c)++)))    , \
+                         l|=((DES_LONG)(*((c)++)))<< 8L, \
+                         l|=((DES_LONG)(*((c)++)))<<16L, \
+                         l|=((DES_LONG)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n) { \
+                        c+=n; \
+                        l1=l2=0; \
+                        switch (n) { \
+                        case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
+                        case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
+                        case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
+                        case 5: l2|=((DES_LONG)(*(--(c))));     \
+                        case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
+                        case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
+                        case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
+                        case 1: l1|=((DES_LONG)(*(--(c))));     \
+                                } \
+                        }
+
+#define l2c(l,c)        (*((c)++)=(unsigned char)(((l)     )&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l)        (l =((DES_LONG)(*((c)++)))<<24L, \
+                         l|=((DES_LONG)(*((c)++)))<<16L, \
+                         l|=((DES_LONG)(*((c)++)))<< 8L, \
+                         l|=((DES_LONG)(*((c)++))))
+
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n) { \
+                        c+=n; \
+                        switch (n) { \
+                        case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+                        case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+                        case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+                        case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+                        case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+                        case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+                        case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+                        case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+                                } \
+                        }
+
+#if defined(WIN32)
+#define ROTATE(a,n)     (_lrotr(a,n))
+#else
+#define ROTATE(a,n)     (((a)>>(n))+((a)<<(32-(n))))
+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
+#ifdef DES_FCRYPT
+
+#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
+        { DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
+
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+        t=R^(R>>16L); \
+        u=t&E0; t&=E1; \
+        tmp=(u<<16); u^=R^s[S  ]; u^=tmp; \
+        tmp=(t<<16); t^=R^s[S+1]; t^=tmp
+#else
+#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+        u=R^s[S  ]; \
+        t=R^s[S+1]
+#endif
+
+/* The changes to this macro may help or hinder, depending on the
+ * compiler and the achitecture.  gcc2 always seems to do well :-).
+ * Inspired by Dana How <how@isl.stanford.edu>
+ * DO NOT use the alternative version on machines with 8 byte longs.
+ * It does not seem to work on the Alpha, even when DES_LONG is 4
+ * bytes, probably an issue of accessing non-word aligned objects :-( */
+#ifdef DES_PTR
+
+/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
+ * is no reason to not xor all the sub items together.  This potentially
+ * saves a register since things can be xored directly into L */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) { \
+        unsigned int u1,u2,u3; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0xfc; \
+        u2&=0xfc; \
+        t=ROTATE(t,4); \
+        u>>=16L; \
+        LL^= *(const DES_LONG *)(des_SP      +u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x200+u2); \
+        u3=(int)(u>>8L); \
+        u1=(int)u&0xfc; \
+        u3&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x400+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x600+u3); \
+        u2=(int)t>>8L; \
+        u1=(int)t&0xfc; \
+        u2&=0xfc; \
+        t>>=16L; \
+        LL^= *(const DES_LONG *)(des_SP+0x100+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x300+u2); \
+        u3=(int)t>>8L; \
+        u1=(int)t&0xfc; \
+        u3&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x500+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x700+u3); }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) { \
+        unsigned int u1,u2,s1,s2; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0xfc; \
+        u2&=0xfc; \
+        t=ROTATE(t,4); \
+        LL^= *(const DES_LONG *)(des_SP      +u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x200+u2); \
+        s1=(int)(u>>16L); \
+        s2=(int)(u>>24L); \
+        s1&=0xfc; \
+        s2&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x400+s1); \
+        LL^= *(const DES_LONG *)(des_SP+0x600+s2); \
+        u2=(int)t>>8L; \
+        u1=(int)t&0xfc; \
+        u2&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x100+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x300+u2); \
+        s1=(int)(t>>16L); \
+        s2=(int)(t>>24L); \
+        s1&=0xfc; \
+        s2&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x500+s1); \
+        LL^= *(const DES_LONG *)(des_SP+0x700+s2); }
+#endif
+#else
+#define D_ENCRYPT(LL,R,S) { \
+        LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+        t=ROTATE(t,4); \
+        LL^= \
+        *(const DES_LONG *)(des_SP      +((u     )&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x200+((u>> 8L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x400+((u>>16L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x600+((u>>24L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x100+((t     )&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x300+((t>> 8L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x500+((t>>16L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x700+((t>>24L)&0xfc)); }
+#endif
+
+#else /* original version */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) {\
+        unsigned int u1,u2,u3; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u>>=2L; \
+        t=ROTATE(t,6); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0x3f; \
+        u2&=0x3f; \
+        u>>=16L; \
+        LL^=des_SPtrans[0][u1]; \
+        LL^=des_SPtrans[2][u2]; \
+        u3=(int)u>>8L; \
+        u1=(int)u&0x3f; \
+        u3&=0x3f; \
+        LL^=des_SPtrans[4][u1]; \
+        LL^=des_SPtrans[6][u3]; \
+        u2=(int)t>>8L; \
+        u1=(int)t&0x3f; \
+        u2&=0x3f; \
+        t>>=16L; \
+        LL^=des_SPtrans[1][u1]; \
+        LL^=des_SPtrans[3][u2]; \
+        u3=(int)t>>8L; \
+        u1=(int)t&0x3f; \
+        u3&=0x3f; \
+        LL^=des_SPtrans[5][u1]; \
+        LL^=des_SPtrans[7][u3]; }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) {\
+        unsigned int u1,u2,s1,s2; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u>>=2L; \
+        t=ROTATE(t,6); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0x3f; \
+        u2&=0x3f; \
+        LL^=des_SPtrans[0][u1]; \
+        LL^=des_SPtrans[2][u2]; \
+        s1=(int)u>>16L; \
+        s2=(int)u>>24L; \
+        s1&=0x3f; \
+        s2&=0x3f; \
+        LL^=des_SPtrans[4][s1]; \
+        LL^=des_SPtrans[6][s2]; \
+        u2=(int)t>>8L; \
+        u1=(int)t&0x3f; \
+        u2&=0x3f; \
+        LL^=des_SPtrans[1][u1]; \
+        LL^=des_SPtrans[3][u2]; \
+        s1=(int)t>>16; \
+        s2=(int)t>>24L; \
+        s1&=0x3f; \
+        s2&=0x3f; \
+        LL^=des_SPtrans[5][s1]; \
+        LL^=des_SPtrans[7][s2]; }
+#endif
+
+#else
+
+#define D_ENCRYPT(LL,R,S) {\
+        LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+        t=ROTATE(t,4); \
+        LL^=\
+                des_SPtrans[0][(u>> 2L)&0x3f]^ \
+                des_SPtrans[2][(u>>10L)&0x3f]^ \
+                des_SPtrans[4][(u>>18L)&0x3f]^ \
+                des_SPtrans[6][(u>>26L)&0x3f]^ \
+                des_SPtrans[1][(t>> 2L)&0x3f]^ \
+                des_SPtrans[3][(t>>10L)&0x3f]^ \
+                des_SPtrans[5][(t>>18L)&0x3f]^ \
+                des_SPtrans[7][(t>>26L)&0x3f]; }
+#endif
+#endif
+
+        /* IP and FP
+         * The problem is more of a geometric problem that random bit fiddling.
+         0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
+         8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
+        16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
+        24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
+
+        32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
+        40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
+        48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
+        56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
+
+        The output has been subject to swaps of the form
+        0 1 -> 3 1 but the odd and even bits have been put into
+        2 3    2 0
+        different words.  The main trick is to remember that
+        t=((l>>size)^r)&(mask);
+        r^=t;
+        l^=(t<<size);
+        can be used to swap and move bits between words.
+
+        So l =  0  1  2  3  r = 16 17 18 19
+                4  5  6  7      20 21 22 23
+                8  9 10 11      24 25 26 27
+               12 13 14 15      28 29 30 31
+        becomes (for size == 2 and mask == 0x3333)
+           t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
+                 6^20  7^21 -- --        4  5 20 21       6  7 22 23
+                10^24 11^25 -- --        8  9 24 25      10 11 24 25
+                14^28 15^29 -- --       12 13 28 29      14 15 28 29
+
+        Thanks for hints from Richard Outerbridge - he told me IP&FP
+        could be done in 15 xor, 10 shifts and 5 ands.
+        When I finally started to think of the problem in 2D
+        I first got ~42 operations without xors.  When I remembered
+        how to use xors :-) I got it to its final state.
+        */
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+        (b)^=(t),\
+        (a)^=((t)<<(n)))
+
+#define IP(l,r) \
+        { \
+        register DES_LONG tt; \
+        PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
+        PERM_OP(l,r,tt,16,0x0000ffffL); \
+        PERM_OP(r,l,tt, 2,0x33333333L); \
+        PERM_OP(l,r,tt, 8,0x00ff00ffL); \
+        PERM_OP(r,l,tt, 1,0x55555555L); \
+        }
+
+#define FP(l,r) \
+        { \
+        register DES_LONG tt; \
+        PERM_OP(l,r,tt, 1,0x55555555L); \
+        PERM_OP(r,l,tt, 8,0x00ff00ffL); \
+        PERM_OP(l,r,tt, 2,0x33333333L); \
+        PERM_OP(r,l,tt,16,0x0000ffffL); \
+        PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
+        }
+
+OPENSSL_EXTERN const DES_LONG des_SPtrans[8][64];
+
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+        DES_LONG Eswap0, DES_LONG Eswap1);
+#endif
diff --git a/src/lib/libcrypto/des/ede_cbcm_enc.c b/src/lib/libcrypto/des/ede_cbcm_enc.c
new file mode 100644
index 0000000000..c53062481d
--- /dev/null
+++ b/src/lib/libcrypto/des/ede_cbcm_enc.c
@@ -0,0 +1,197 @@
+/* ede_cbcm_enc.c */
+/* Written by Ben Laurie <ben@algroup.co.uk> for the OpenSSL
+ * project 13 Feb 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+
+This is an implementation of Triple DES Cipher Block Chaining with Output
+Feedback Masking, by Coppersmith, Johnson and Matyas, (IBM and Certicom).
+
+Note that there is a known attack on this by Biham and Knudsen but it takes
+a lot of work:
+
+http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz
+
+*/
+
+#ifndef NO_DESCBCM
+#include "des_locl.h"
+
+void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
+             long length, des_key_schedule ks1, des_key_schedule ks2,
+             des_key_schedule ks3, des_cblock *ivec1, des_cblock *ivec2,
+             int enc)
+    {
+    register DES_LONG tin0,tin1;
+    register DES_LONG tout0,tout1,xor0,xor1,m0,m1;
+    register long l=length;
+    DES_LONG tin[2];
+    unsigned char *iv1,*iv2;
+
+    iv1 = &(*ivec1)[0];
+    iv2 = &(*ivec2)[0];
+
+    if (enc)
+        {
+        c2l(iv1,m0);
+        c2l(iv1,m1);
+        c2l(iv2,tout0);
+        c2l(iv2,tout1);
+        for (l-=8; l>=-7; l-=8)
+            {
+            tin[0]=m0;
+            tin[1]=m1;
+            des_encrypt(tin,ks3,1);
+            m0=tin[0];
+            m1=tin[1];
+
+            if(l < 0)
+                {
+                c2ln(in,tin0,tin1,l+8);
+                }
+            else
+                {
+                c2l(in,tin0);
+                c2l(in,tin1);
+                }
+            tin0^=tout0;
+            tin1^=tout1;
+
+            tin[0]=tin0;
+            tin[1]=tin1;
+            des_encrypt(tin,ks1,1);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks2,0);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks1,1);
+            tout0=tin[0];
+            tout1=tin[1];
+
+            l2c(tout0,out);
+            l2c(tout1,out);
+            }
+        iv1=&(*ivec1)[0];
+        l2c(m0,iv1);
+        l2c(m1,iv1);
+
+        iv2=&(*ivec2)[0];
+        l2c(tout0,iv2);
+        l2c(tout1,iv2);
+        }
+    else
+        {
+        register DES_LONG t0,t1;
+
+        c2l(iv1,m0);
+        c2l(iv1,m1);
+        c2l(iv2,xor0);
+        c2l(iv2,xor1);
+        for (l-=8; l>=-7; l-=8)
+            {
+            tin[0]=m0;
+            tin[1]=m1;
+            des_encrypt(tin,ks3,1);
+            m0=tin[0];
+            m1=tin[1];
+
+            c2l(in,tin0);
+            c2l(in,tin1);
+
+            t0=tin0;
+            t1=tin1;
+
+            tin[0]=tin0;
+            tin[1]=tin1;
+            des_encrypt(tin,ks1,0);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks2,1);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks1,0);
+            tout0=tin[0];
+            tout1=tin[1];
+
+            tout0^=xor0;
+            tout1^=xor1;
+            if(l < 0)
+                {
+                l2cn(tout0,tout1,out,l+8);
+                }
+            else
+                {
+                l2c(tout0,out);
+                l2c(tout1,out);
+                }
+            xor0=t0;
+            xor1=t1;
+            }
+
+        iv1=&(*ivec1)[0];
+        l2c(m0,iv1);
+        l2c(m1,iv1);
+
+        iv2=&(*ivec2)[0];
+        l2c(xor0,iv2);
+        l2c(xor1,iv2);
+        }
+    tin0=tin1=tout0=tout1=xor0=xor1=0;
+    tin[0]=tin[1]=0;
+    }
+#endif
diff --git a/src/lib/libcrypto/dh/dh_asn1.c b/src/lib/libcrypto/dh/dh_asn1.c
new file mode 100644
index 0000000000..769b5b68c5
--- /dev/null
+++ b/src/lib/libcrypto/dh/dh_asn1.c
@@ -0,0 +1,87 @@
+/* dh_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/objects.h>
+#include <openssl/asn1t.h>
+
+/* Override the default free and new methods */
+static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)DH_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                DH_free((DH *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(DHparams, dh_cb) = {
+        ASN1_SIMPLE(DH, p, BIGNUM),
+        ASN1_SIMPLE(DH, g, BIGNUM),
+        ASN1_OPT(DH, length, ZLONG),
+} ASN1_SEQUENCE_END_cb(DH, DHparams)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DH, DHparams, DHparams)
diff --git a/src/lib/libcrypto/doc/DH_generate_key.pod b/src/lib/libcrypto/doc/DH_generate_key.pod
new file mode 100644
index 0000000000..920995b2e5
--- /dev/null
+++ b/src/lib/libcrypto/doc/DH_generate_key.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_generate_key(DH *dh);
+
+ int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+=head1 DESCRIPTION
+
+DH_generate_key() performs the first step of a Diffie-Hellman key
+exchange by generating private and public DH values. By calling
+DH_compute_key(), these are combined with the other party's public
+value to compute the shared key.
+
+DH_generate_key() expects B<dh> to contain the shared parameters
+B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
+unless B<dh-E<gt>priv_key> is already set, and computes the
+corresponding public value B<dh-E<gt>pub_key>, which can then be
+published.
+
+DH_compute_key() computes the shared secret from the private DH value
+in B<dh> and the other party's public value in B<pub_key> and stores
+it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
+
+=head1 RETURN VALUES
+
+DH_generate_key() returns 1 on success, 0 otherwise.
+
+DH_compute_key() returns the size of the shared secret on success, -1
+on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+
+=head1 HISTORY
+
+DH_generate_key() and DH_compute_key() are available in all versions
+of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DH_generate_parameters.pod b/src/lib/libcrypto/doc/DH_generate_parameters.pod
new file mode 100644
index 0000000000..a7d0c75f0c
--- /dev/null
+++ b/src/lib/libcrypto/doc/DH_generate_parameters.pod
@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+DH_generate_parameters, DH_check - generate and check Diffie-Hellman parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *DH_generate_parameters(int prime_len, int generator,
+     void (*callback)(int, int, void *), void *cb_arg);
+
+ int DH_check(DH *dh, int *codes);
+
+=head1 DESCRIPTION
+
+DH_generate_parameters() generates Diffie-Hellman parameters that can
+be shared among a group of users, and returns them in a newly
+allocated B<DH> structure. The pseudo-random number generator must be
+seeded prior to calling DH_generate_parameters().
+
+B<prime_len> is the length in bits of the safe prime to be generated.
+B<generator> is a small number E<gt> 1, typically 2 or 5. 
+
+A callback function may be used to provide feedback about the progress
+of the key generation. If B<callback> is not B<NULL>, it will be
+called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
+number is generated, and when a prime has been found, B<callback(3,
+0, cb_arg)> is called.
+
+DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
+a safe prime, and that B<g> is a suitable generator. In the case of an
+error, the bit flags DH_CHECK_P_NOT_SAFE_PRIME or
+DH_NOT_SUITABLE_GENERATOR are set in B<*codes>.
+DH_UNABLE_TO_CHECK_GENERATOR is set if the generator cannot be
+checked, i.e. it does not equal 2 or 5.
+
+=head1 RETURN VALUES
+
+DH_generate_parameters() returns a pointer to the DH structure, or
+NULL if the parameter generation fails. The error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+DH_check() returns 1 if the check could be performed, 0 otherwise.
+
+=head1 NOTES
+
+DH_generate_parameters() may run for several hours before finding a
+suitable prime.
+
+The parameters generated by DH_generate_parameters() are not to be
+used in signature schemes.
+
+=head1 BUGS
+
+If B<generator> is not 2 or 5, B<dh-E<gt>g>=B<generator> is not
+a usable generator.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+
+=head1 HISTORY
+
+DH_check() is available in all versions of SSLeay and OpenSSL.
+The B<cb_arg> argument to DH_generate_parameters() was added in SSLeay 0.9.0.
+
+In versions before OpenSSL 0.9.5, DH_CHECK_P_NOT_STRONG_PRIME is used
+instead of DH_CHECK_P_NOT_SAFE_PRIME.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
new file mode 100644
index 0000000000..82e2548bcd
--- /dev/null
+++ b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int DH_set_ex_data(DH *d, int idx, void *arg);
+
+ char *DH_get_ex_data(DH *d, int idx);
+
+=head1 DESCRIPTION
+
+These functions handle application specific data in DH
+structures. Their usage is identical to that of
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
+as described in L<RSA_get_ex_new_index(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)>
+
+=head1 HISTORY
+
+DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
+available since OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DH_new.pod b/src/lib/libcrypto/doc/DH_new.pod
new file mode 100644
index 0000000000..64624b9d15
--- /dev/null
+++ b/src/lib/libcrypto/doc/DH_new.pod
@@ -0,0 +1,40 @@
+=pod
+
+=head1 NAME
+
+DH_new, DH_free - allocate and free DH objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH* DH_new(void);
+
+ void DH_free(DH *dh);
+
+=head1 DESCRIPTION
+
+DH_new() allocates and initializes a B<DH> structure.
+
+DH_free() frees the B<DH> structure and its components. The values are
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DH_new() returns B<NULL> and sets an error
+code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+a pointer to the newly allocated structure.
+
+DH_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>,
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
+L<DH_generate_key(3)|DH_generate_key(3)>
+
+=head1 HISTORY
+
+DH_new() and DH_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DH_set_method.pod b/src/lib/libcrypto/doc/DH_set_method.pod
new file mode 100644
index 0000000000..dca41d8dbc
--- /dev/null
+++ b/src/lib/libcrypto/doc/DH_set_method.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+DH_set_default_method, DH_get_default_method, DH_set_method,
+DH_new_method, DH_OpenSSL - select DH method
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ void DH_set_default_method(DH_METHOD *meth);
+
+ DH_METHOD *DH_get_default_method(void);
+
+ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+
+ DH *DH_new_method(DH_METHOD *meth);
+
+ DH_METHOD *DH_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+A B<DH_METHOD> specifies the functions that OpenSSL uses for Diffie-Hellman
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation.
+DH_OpenSSL() returns a pointer to that method.
+
+DH_set_default_method() makes B<meth> the default method for all B<DH>
+structures created later.
+
+DH_get_default_method() returns a pointer to the current default
+method.
+
+DH_set_method() selects B<meth> for all operations using the structure B<dh>.
+
+DH_get_method() returns a pointer to the method currently selected
+for B<dh>.
+
+DH_new_method() allocates and initializes a B<DH> structure so that
+B<method> will be used for the DH operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE DH_METHOD STRUCTURE
+
+ typedef struct dh_meth_st
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* generate private and public DH values for key agreement */
+        int (*generate_key)(DH *dh);
+
+     /* compute shared secret */
+        int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+     /* compute r = a ^ p mod m. May be NULL */
+        int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx);
+
+     /* called at DH_new */
+        int (*init)(DH *dh);
+
+     /* called at DH_free */
+        int (*finish)(DH *dh);
+
+        int flags;
+
+        char *app_data; /* ?? */
+
+ } DH_METHOD;
+
+=head1 RETURN VALUES
+
+DH_OpenSSL(), DH_get_default_method() and DH_get_method() return
+pointers to the respective B<DH_METHOD>s.
+
+DH_set_default_method() returns no value.
+
+DH_set_method() returns a pointer to the B<DH_METHOD> previously
+associated with B<dh>.
+
+DH_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
+
+=head1 HISTORY
+
+DH_set_default_method(), DH_get_default_method(), DH_set_method(),
+DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DH_size.pod b/src/lib/libcrypto/doc/DH_size.pod
new file mode 100644
index 0000000000..97f26fda78
--- /dev/null
+++ b/src/lib/libcrypto/doc/DH_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DH_size - get Diffie-Hellman prime size
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_size(DH *dh);
+
+=head1 DESCRIPTION
+
+This function returns the Diffie-Hellman size in bytes. It can be used
+to determine how much memory must be allocated for the shared secret
+computed by DH_compute_key().
+
+B<dh-E<gt>p> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<DH_generate_key(3)|DH_generate_key(3)>
+
+=head1 HISTORY
+
+DH_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_SIG_new.pod b/src/lib/libcrypto/doc/DSA_SIG_new.pod
new file mode 100644
index 0000000000..671655554a
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_SIG_new.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+DSA_SIG_new, DSA_SIG_free - allocate and free DSA signature objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA_SIG *DSA_SIG_new(void);
+
+ void   DSA_SIG_free(DSA_SIG *a);
+
+=head1 DESCRIPTION
+
+DSA_SIG_new() allocates and initializes a B<DSA_SIG> structure.
+
+DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
+values are erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an
+error code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+to the newly allocated structure.
+
+DSA_SIG_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+
+=head1 HISTORY
+
+DSA_SIG_new() and DSA_SIG_free() were added in OpenSSL 0.9.3.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_do_sign.pod b/src/lib/libcrypto/doc/DSA_do_sign.pod
new file mode 100644
index 0000000000..a24fd5714e
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_do_sign.pod
@@ -0,0 +1,47 @@
+=pod
+
+=head1 NAME
+
+DSA_do_sign, DSA_do_verify - raw DSA signature operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+
+ int DSA_do_verify(const unsigned char *dgst, int dgst_len,
+             DSA_SIG *sig, DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_do_sign() computes a digital signature on the B<len> byte message
+digest B<dgst> using the private key B<dsa> and returns it in a
+newly allocated B<DSA_SIG> structure.
+
+L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
+of the signing operation in case signature generation is
+time-critical.
+
+DSA_do_verify() verifies that the signature B<sig> matches a given
+message digest B<dgst> of size B<len>.  B<dsa> is the signer's public
+key.
+
+=head1 RETURN VALUES
+
+DSA_do_sign() returns the signature, NULL on error.  DSA_do_verify()
+returns 1 for a valid signature, 0 for an incorrect signature and -1
+on error. The error codes can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
+L<DSA_sign(3)|DSA_sign(3)>
+
+=head1 HISTORY
+
+DSA_do_sign() and DSA_do_verify() were added in OpenSSL 0.9.3.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_dup_DH.pod b/src/lib/libcrypto/doc/DSA_dup_DH.pod
new file mode 100644
index 0000000000..29cb1075d1
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_dup_DH.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DSA_dup_DH - create a DH structure out of DSA structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DH * DSA_dup_DH(DSA *r);
+
+=head1 DESCRIPTION
+
+DSA_dup_DH() duplicates DSA parameters/keys as DH parameters/keys. q
+is lost during that conversion, but the resulting DH parameters
+contain its length.
+
+=head1 RETURN VALUE
+
+DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The
+error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTE
+
+Be careful to avoid small subgroup attacks when using this.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+DSA_dup_DH() was added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_generate_key.pod b/src/lib/libcrypto/doc/DSA_generate_key.pod
new file mode 100644
index 0000000000..52890db5be
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_generate_key.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DSA_generate_key - generate DSA key pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int DSA_generate_key(DSA *a);
+
+=head1 DESCRIPTION
+
+DSA_generate_key() expects B<a> to contain DSA parameters. It generates
+a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>.
+
+The PRNG must be seeded prior to calling DSA_generate_key().
+
+=head1 RETURN VALUE
+
+DSA_generate_key() returns 1 on success, 0 otherwise.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+
+=head1 HISTORY
+
+DSA_generate_key() is available since SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_generate_parameters.pod b/src/lib/libcrypto/doc/DSA_generate_parameters.pod
new file mode 100644
index 0000000000..43f60b0eb9
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_generate_parameters.pod
@@ -0,0 +1,105 @@
+=pod
+
+=head1 NAME
+
+DSA_generate_parameters - generate DSA parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA *DSA_generate_parameters(int bits, unsigned char *seed,
+                int seed_len, int *counter_ret, unsigned long *h_ret,
+                void (*callback)(int, int, void *), void *cb_arg);
+
+=head1 DESCRIPTION
+
+DSA_generate_parameters() generates primes p and q and a generator g
+for use in the DSA.
+
+B<bits> is the length of the prime to be generated; the DSS allows a
+maximum of 1024 bits.
+
+If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
+generated at random. Otherwise, the seed is used to generate
+them. If the given seed does not yield a prime q, a new random
+seed is chosen and placed at B<seed>.
+
+DSA_generate_parameters() places the iteration count in
+*B<counter_ret> and a counter used for finding a generator in
+*B<h_ret>, unless these are B<NULL>.
+
+A callback function may be used to provide feedback about the progress
+of the key generation. If B<callback> is not B<NULL>, it will be
+called as follows:
+
+=over 4
+
+=item *
+
+When a candidate for q is generated, B<callback(0, m++, cb_arg)> is called
+(m is 0 for the first candidate).
+
+=item *
+
+When a candidate for q has passed a test by trial division,
+B<callback(1, -1, cb_arg)> is called.
+While a candidate for q is tested by Miller-Rabin primality tests,
+B<callback(1, i, cb_arg)> is called in the outer loop
+(once for each witness that confirms that the candidate may be prime);
+i is the loop counter (starting at 0).
+
+=item *
+
+When a prime q has been found, B<callback(2, 0, cb_arg)> and
+B<callback(3, 0, cb_arg)> are called.
+
+=item *
+
+Before a candidate for p (other than the first) is generated and tested,
+B<callback(0, counter, cb_arg)> is called.
+
+=item *
+
+When a candidate for p has passed the test by trial division,
+B<callback(1, -1, cb_arg)> is called.
+While it is tested by the Miller-Rabin primality test,
+B<callback(1, i, cb_arg)> is called in the outer loop
+(once for each witness that confirms that the candidate may be prime).
+i is the loop counter (starting at 0).
+
+=item *
+
+When p has been found, B<callback(2, 1, cb_arg)> is called.
+
+=item *
+
+When the generator has been found, B<callback(3, 1, cb_arg)> is called.
+
+=back
+
+=head1 RETURN VALUE
+
+DSA_generate_parameters() returns a pointer to the DSA structure, or
+B<NULL> if the parameter generation fails. The error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+Seed lengths E<gt> 20 are not supported.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_free(3)|DSA_free(3)>
+
+=head1 HISTORY
+
+DSA_generate_parameters() appeared in SSLeay 0.8. The B<cb_arg>
+argument was added in SSLeay 0.9.0.
+In versions up to OpenSSL 0.9.4, B<callback(1, ...)> was called
+in the inner loop of the Miller-Rabin test whenever it reached the
+squaring step (the parameters to B<callback> did not reveal how many
+witnesses had been tested); since OpenSSL 0.9.5, B<callback(1, ...)>
+is called as in BN_is_prime(3), i.e. once for each witness.
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod b/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
new file mode 100644
index 0000000000..4612e708ec
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/DSA.h>
+
+ int DSA_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int DSA_set_ex_data(DSA *d, int idx, void *arg);
+
+ char *DSA_get_ex_data(DSA *d, int idx);
+
+=head1 DESCRIPTION
+
+These functions handle application specific data in DSA
+structures. Their usage is identical to that of
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
+as described in L<RSA_get_ex_new_index(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dsa(3)|dsa(3)>
+
+=head1 HISTORY
+
+DSA_get_ex_new_index(), DSA_set_ex_data() and DSA_get_ex_data() are
+available since OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_new.pod b/src/lib/libcrypto/doc/DSA_new.pod
new file mode 100644
index 0000000000..7dde54445b
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_new.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+DSA_new, DSA_free - allocate and free DSA objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA* DSA_new(void);
+
+ void DSA_free(DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_new() allocates and initializes a B<DSA> structure.
+
+DSA_free() frees the B<DSA> structure and its components. The values are
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DSA_new() returns B<NULL> and sets an error
+code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+to the newly allocated structure.
+
+DSA_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
+L<DSA_generate_key(3)|DSA_generate_key(3)>
+
+=head1 HISTORY
+
+DSA_new() and DSA_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_set_method.pod b/src/lib/libcrypto/doc/DSA_set_method.pod
new file mode 100644
index 0000000000..0b13ec9237
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_set_method.pod
@@ -0,0 +1,111 @@
+=pod
+
+=head1 NAME
+
+DSA_set_default_method, DSA_get_default_method, DSA_set_method,
+DSA_new_method, DSA_OpenSSL - select RSA method
+
+=head1 SYNOPSIS
+
+ #include <openssl/DSA.h>
+
+ void DSA_set_default_method(DSA_METHOD *meth);
+
+ DSA_METHOD *DSA_get_default_method(void);
+
+ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+
+ DSA *DSA_new_method(DSA_METHOD *meth);
+
+ DSA_METHOD *DSA_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation.
+DSA_OpenSSL() returns a pointer to that method.
+
+DSA_set_default_method() makes B<meth> the default method for all B<DSA>
+structures created later.
+
+DSA_get_default_method() returns a pointer to the current default
+method.
+
+DSA_set_method() selects B<meth> for all operations using the structure B<DSA>.
+
+DSA_get_method() returns a pointer to the method currently selected
+for B<DSA>.
+
+DSA_new_method() allocates and initializes a B<DSA> structure so that
+B<method> will be used for the DSA operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE DSA_METHOD STRUCTURE
+
+struct
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* sign */
+        DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen,
+                                 DSA *dsa);
+
+     /* pre-compute k^-1 and r */
+        int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+                                 BIGNUM **rp);
+
+     /* verify */
+        int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
+                                 DSA_SIG *sig, DSA *dsa);
+
+     /* compute rr = a1^p1 * a2^p2 mod m. May be NULL */
+        int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                                 BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                                 BN_CTX *ctx, BN_MONT_CTX *in_mont);
+
+     /* compute r = a ^ p mod m. May be NULL */
+        int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                                 const BIGNUM *p, const BIGNUM *m,
+                                 BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+     /* called at DSA_new */
+        int (*init)(DSA *DSA);
+
+     /* called at DSA_free */
+        int (*finish)(DSA *DSA);
+
+        int flags;
+
+        char *app_data; /* ?? */
+
+ } DSA_METHOD;
+
+=head1 RETURN VALUES
+
+DSA_OpenSSL(), DSA_get_default_method() and DSA_get_method() return
+pointers to the respective B<DSA_METHOD>s.
+
+DSA_set_default_method() returns no value.
+
+DSA_set_method() returns a pointer to the B<DSA_METHOD> previously
+associated with B<dsa>.
+
+DSA_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
+fails. Otherwise it returns a pointer to the newly allocated
+structure.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
+
+=head1 HISTORY
+
+DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
+DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_sign.pod b/src/lib/libcrypto/doc/DSA_sign.pod
new file mode 100644
index 0000000000..f6e60a8ca3
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_sign.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int    DSA_sign(int type, const unsigned char *dgst, int len,
+                unsigned char *sigret, unsigned int *siglen, DSA *dsa);
+
+ int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
+                BIGNUM **rp);
+
+ int    DSA_verify(int type, const unsigned char *dgst, int len,
+                unsigned char *sigbuf, int siglen, DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_sign() computes a digital signature on the B<len> byte message
+digest B<dgst> using the private key B<dsa> and places its ASN.1 DER
+encoding at B<sigret>. The length of the signature is places in
+*B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory.
+
+DSA_sign_setup() may be used to precompute part of the signing
+operation in case signature generation is time-critical. It expects
+B<dsa> to contain DSA parameters. It places the precomputed values
+in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
+the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
+be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
+B<ctx> is a pre-allocated B<BN_CTX> or NULL.
+
+DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
+matches a given message digest B<dgst> of size B<len>.
+B<dsa> is the signer's public key.
+
+The B<type> parameter is ignored.
+
+The PRNG must be seeded before DSA_sign() (or DSA_sign_setup())
+is called.
+
+=head1 RETURN VALUES
+
+DSA_sign() and DSA_sign_setup() return 1 on success, 0 on error.
+DSA_verify() returns 1 for a valid signature, 0 for an incorrect
+signature and -1 on error. The error codes can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 CONFORMING TO
+
+US Federal Information Processing Standard FIPS 186 (Digital Signature
+Standard, DSS), ANSI X9.30
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
+
+=head1 HISTORY
+
+DSA_sign() and DSA_verify() are available in all versions of SSLeay.
+DSA_sign_setup() was added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libcrypto/doc/DSA_size.pod b/src/lib/libcrypto/doc/DSA_size.pod
new file mode 100644
index 0000000000..23b6320a4d
--- /dev/null
+++ b/src/lib/libcrypto/doc/DSA_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DSA_size - get DSA signature size
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int DSA_size(DSA *dsa);
+
+=head1 DESCRIPTION
+
+This function returns the size of an ASN.1 encoded DSA signature in
+bytes. It can be used to determine how much memory must be allocated
+for a DSA signature.
+
+B<dsa-E<gt>q> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<DSA_sign(3)|DSA_sign(3)>
+
+=head1 HISTORY
+
+DSA_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_GET_LIB.pod b/src/lib/libcrypto/doc/ERR_GET_LIB.pod
new file mode 100644
index 0000000000..2a129da036
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_GET_LIB.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON - get library, function and
+reason code
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ int ERR_GET_LIB(unsigned long e);
+
+ int ERR_GET_FUNC(unsigned long e);
+
+ int ERR_GET_REASON(unsigned long e);
+
+=head1 DESCRIPTION
+
+The error code returned by ERR_get_error() consists of a library
+number, function code and reason code. ERR_GET_LIB(), ERR_GET_FUNC()
+and ERR_GET_REASON() can be used to extract these.
+
+The library number and function code describe where the error
+occurred, the reason code is the information about what went wrong.
+
+Each sub-library of OpenSSL has a unique library number; function and
+reason codes are unique within each sub-library.  Note that different
+libraries may use the same value to signal different functions and
+reasons.
+
+B<ERR_R_...> reason codes such as B<ERR_R_MALLOC_FAILURE> are globally
+unique. However, when checking for sub-library specific reason codes,
+be sure to also compare the library number.
+
+ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are macros.
+
+=head1 RETURN VALUES
+
+The library number, function code and reason code respectively.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_clear_error.pod b/src/lib/libcrypto/doc/ERR_clear_error.pod
new file mode 100644
index 0000000000..566e1f4e31
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_clear_error.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+ERR_clear_error - clear the error queue
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_clear_error(void);
+
+=head1 DESCRIPTION
+
+ERR_clear_error() empties the current thread's error queue.
+
+=head1 RETURN VALUES
+
+ERR_clear_error() has no return value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ERR_clear_error() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_error_string.pod b/src/lib/libcrypto/doc/ERR_error_string.pod
new file mode 100644
index 0000000000..0d2417599c
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_error_string.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+ERR_error_string - obtain human-readable error message
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ char *ERR_error_string(unsigned long e, char *buf);
+
+ const char *ERR_lib_error_string(unsigned long e);
+ const char *ERR_func_error_string(unsigned long e);
+ const char *ERR_reason_error_string(unsigned long e);
+
+=head1 DESCRIPTION
+
+ERR_error_string() generates a human-readable string representing the
+error code B<e>, and places it at B<buf>. B<buf> must be at least 120
+bytes long. If B<buf> is B<NULL>, the error string is placed in a
+static buffer.
+
+The string will have the following format:
+
+ error:[error code]:[library name]:[function name]:[reason string]
+
+I<error code> is an 8 digit hexadecimal number, I<library name>,
+I<function name> and I<reason string> are ASCII text.
+
+ERR_lib_error_string(), ERR_func_error_string() and
+ERR_reason_error_string() return the library name, function
+name and reason string respectively.
+
+The OpenSSL error strings should be loaded by calling
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)> or, for SSL
+applications, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+first.
+If there is no text string registered for the given error code,
+the error string will contain the numeric code.
+
+L<ERR_print_errors(3)|ERR_print_errors(3)> can be used to print
+all error codes currently in the queue.
+
+=head1 RETURN VALUES
+
+ERR_error_string() returns a pointer to a static buffer containing the
+string if B<buf == NULL>, B<buf> otherwise.
+
+ERR_lib_error_string(), ERR_func_error_string() and
+ERR_reason_error_string() return the strings, and B<NULL> if
+none is registered for the error code.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+L<ERR_print_errors(3)|ERR_print_errors(3)>
+
+=head1 HISTORY
+
+ERR_error_string() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_get_error.pod b/src/lib/libcrypto/doc/ERR_get_error.pod
new file mode 100644
index 0000000000..75ece00d97
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_get_error.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+ERR_get_error, ERR_peek_error - obtain error code
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ unsigned long ERR_get_error(void);
+ unsigned long ERR_peek_error(void);
+
+ unsigned long ERR_get_error_line(const char **file, int *line);
+ unsigned long ERR_peek_error_line(const char **file, int *line);
+
+ unsigned long ERR_get_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+ unsigned long ERR_peek_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+
+=head1 DESCRIPTION
+
+ERR_get_error() returns the last error code from the thread's error
+queue and removes the entry. This function can be called repeatedly
+until there are no more error codes to return.
+
+ERR_peek_error() returns the last error code from the thread's
+error queue without modifying it.
+
+See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
+location and reason of the error, and
+L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
+messages.
+
+ERR_get_error_line() and ERR_peek_error_line() are the same as the
+above, but they additionally store the file name and line number where
+the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
+
+ERR_get_error_line_data() and ERR_peek_error_line_data() store
+additional data and flags associated with the error code in *B<data>
+and *B<flags>, unless these are B<NULL>. *B<data> contains a string
+if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by Malloc(),
+*B<flags>&B<ERR_TXT_MALLOCED> is true.
+
+=head1 RETURN VALUES
+
+The error code, or 0 if there is no error in the queue.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>
+
+=head1 HISTORY
+
+ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and
+ERR_peek_error_line() are available in all versions of SSLeay and
+OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data()
+were added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_load_crypto_strings.pod b/src/lib/libcrypto/doc/ERR_load_crypto_strings.pod
new file mode 100644
index 0000000000..9bdec75a46
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_load_crypto_strings.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings -
+load and free error strings
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_load_crypto_strings(void);
+ void ERR_free_strings(void);
+
+ #include <openssl/ssl.h>
+
+ void SSL_load_error_strings(void);
+
+=head1 DESCRIPTION
+
+ERR_load_crypto_strings() registers the error strings for all
+B<libcrypto> functions. SSL_load_error_strings() does the same,
+but also registers the B<libssl> error strings.
+
+One of these functions should be called before generating
+textual error messages. However, this is not required when memory
+usage is an issue.
+
+ERR_free_strings() frees all previously loaded error strings.
+
+=head1 RETURN VALUES
+
+ERR_load_crypto_strings(), SSL_load_error_strings() and
+ERR_free_strings() return no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>
+
+=head1 HISTORY
+
+ERR_load_error_strings(), SSL_load_error_strings() and
+ERR_free_strings() are available in all versions of SSLeay and
+OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_load_strings.pod b/src/lib/libcrypto/doc/ERR_load_strings.pod
new file mode 100644
index 0000000000..5acdd0edbc
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_load_strings.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+ERR_load_strings, ERR_PACK, ERR_get_next_error_library - load
+arbitrary error strings
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
+
+ int ERR_get_next_error_library(void);
+
+ unsigned long ERR_PACK(int lib, int func, int reason);
+
+=head1 DESCRIPTION
+
+ERR_load_strings() registers error strings for library number B<lib>.
+
+B<str> is an array of error string data:
+
+ typedef struct ERR_string_data_st
+ {
+        unsigned long error;
+        char *string;
+ } ERR_STRING_DATA;
+
+The error code is generated from the library number and a function and
+reason code: B<error> = ERR_PACK(B<lib>, B<func>, B<reason>).
+ERR_PACK() is a macro.
+
+The last entry in the array is {0,0}.
+
+ERR_get_next_error_library() can be used to assign library numbers
+to user libraries at runtime.
+
+=head1 RETURN VALUE
+
+ERR_load_strings() returns no value. ERR_PACK() return the error code.
+ERR_get_next_error_library() returns a new library number.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+
+=head1 HISTORY
+
+ERR_load_error_strings() and ERR_PACK() are available in all versions
+of SSLeay and OpenSSL. ERR_get_next_error_library() was added in
+SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_print_errors.pod b/src/lib/libcrypto/doc/ERR_print_errors.pod
new file mode 100644
index 0000000000..b100a5fa2b
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_print_errors.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ERR_print_errors, ERR_print_errors_fp - print error messages
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_print_errors(BIO *bp);
+ void ERR_print_errors_fp(FILE *fp);
+
+=head1 DESCRIPTION
+
+ERR_print_errors() is a convenience function that prints the error
+strings for all errors that OpenSSL has recorded to B<bp>, thus
+emptying the error queue.
+
+ERR_print_errors_fp() is the same, except that the output goes to a
+B<FILE>.
+
+
+The error strings will have the following format:
+
+ [pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
+
+I<error code> is an 8 digit hexadecimal number. I<library name>,
+I<function name> and I<reason string> are ASCII text, as is I<optional
+text message> if one was set for the respective error code.
+
+If there is no text string registered for the given error code,
+the error string will contain the numeric code.
+
+=head1 RETURN VALUES
+
+ERR_print_errors() and ERR_print_errors_fp() return no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+
+=head1 HISTORY
+
+ERR_print_errors() and ERR_print_errors_fp()
+are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_put_error.pod b/src/lib/libcrypto/doc/ERR_put_error.pod
new file mode 100644
index 0000000000..acd241fbe4
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_put_error.pod
@@ -0,0 +1,44 @@
+=pod
+
+=head1 NAME
+
+ERR_put_error, ERR_add_error_data - record an error
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_put_error(int lib, int func, int reason, const char *file,
+         int line);
+
+ void ERR_add_error_data(int num, ...);
+
+=head1 DESCRIPTION
+
+ERR_put_error() adds an error code to the thread's error queue. It
+signals that the error of reason code B<reason> occurred in function
+B<func> of library B<lib>, in line number B<line> of B<file>.
+This function is usually called by a macro.
+
+ERR_add_error_data() associates the concatenation of its B<num> string
+arguments with the error code added last.
+
+L<ERR_load_strings(3)|ERR_load_strings(3)> can be used to register
+error strings so that the application can a generate human-readable
+error messages for the error code.
+
+=head1 RETURN VALUES
+
+ERR_put_error() and ERR_add_error_data() return
+no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+
+=head1 HISTORY
+
+ERR_put_error() is available in all versions of SSLeay and OpenSSL.
+ERR_add_error_data() was added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/ERR_remove_state.pod b/src/lib/libcrypto/doc/ERR_remove_state.pod
new file mode 100644
index 0000000000..ebcdc0f5a5
--- /dev/null
+++ b/src/lib/libcrypto/doc/ERR_remove_state.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+ERR_remove_state - free a thread's error queue
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_remove_state(unsigned long pid);
+
+=head1 DESCRIPTION
+
+ERR_remove_state() frees the error queue associated with thread B<pid>.
+If B<pid> == 0, the current thread will have its error queue removed.
+
+Since error queue data structures are allocated automatically for new
+threads, they must be freed when threads are terminated in oder to
+avoid memory leaks.
+
+=head1 RETURN VALUE
+
+ERR_remove_state() returns no value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>
+
+=head1 HISTORY
+
+ERR_remove_state() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_BytesToKey.pod b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
new file mode 100644
index 0000000000..5ce4add082
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
@@ -0,0 +1,67 @@
+=pod
+
+=head1 NAME
+
+ EVP_BytesToKey - password based encryption routine
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
+                       const unsigned char *salt,
+                       const unsigned char *data, int datal, int count,
+                       unsigned char *key,unsigned char *iv);
+
+=head1 DESCRIPTION
+
+EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
+the cipher to derive the key and IV for. B<md> is the message digest to use.
+The B<salt> paramter is used as a salt in the derivation: it should point to
+an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
+B<datal> bytes which is used to derive the keying data. B<count> is the
+iteration count to use. The derived key and IV will be written to B<key>
+and B<iv> respectively.
+
+=head1 NOTES
+
+A typical application of this function is to derive keying material for an
+encryption algorithm from a password in the B<data> parameter.
+
+Increasing the B<count> parameter slows down the algorithm which makes it
+harder for an attacker to peform a brute force attack using a large number
+of candidate passwords.
+
+If the total key and IV length is less than the digest length and
+B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
+otherwise a non standard extension is used to derive the extra data.
+
+Newer applications should use more standard algorithms such as PKCS#5
+v2.0 for key derivation.
+
+=head1 KEY DERIVATION ALGORITHM
+
+The key and IV is derived by concatenating D_1, D_2, etc until
+enough data is available for the key and IV. D_i is defined as:
+
+        D_i = HASH^count(D_(i-1) || data || salt)
+
+where || denotes concatentaion, D_0 is empty, HASH is the digest
+algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
+is HASH(HASH(data)) and so on.
+
+The initial bytes are used for the key and the subsequent bytes for
+the IV.
+
+=head1 RETURN VALUES
+
+EVP_BytesToKey() returns the size of the derived key in bytes.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
new file mode 100644
index 0000000000..345b1ddfa7
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -0,0 +1,197 @@
+=pod
+
+=head1 NAME
+
+EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal - EVP digest routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ void EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
+        unsigned int *s);
+
+ #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */
+
+ int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
+
+ #define EVP_MD_type(e)                 ((e)->type)
+ #define EVP_MD_pkey_type(e)            ((e)->pkey_type)
+ #define EVP_MD_size(e)                 ((e)->md_size)
+ #define EVP_MD_block_size(e)           ((e)->block_size)
+
+ #define EVP_MD_CTX_md(e)               (e)->digest)
+ #define EVP_MD_CTX_size(e)             EVP_MD_size((e)->digest)
+ #define EVP_MD_CTX_block_size(e)       EVP_MD_block_size((e)->digest)
+ #define EVP_MD_CTX_type(e)             EVP_MD_type((e)->digest)
+
+ EVP_MD *EVP_md_null(void);
+ EVP_MD *EVP_md2(void);
+ EVP_MD *EVP_md5(void);
+ EVP_MD *EVP_sha(void);
+ EVP_MD *EVP_sha1(void);
+ EVP_MD *EVP_dss(void);
+ EVP_MD *EVP_dss1(void);
+ EVP_MD *EVP_mdc2(void);
+ EVP_MD *EVP_ripemd160(void);
+
+ const EVP_MD *EVP_get_digestbyname(const char *name);
+ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
+ #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
+
+=head1 DESCRIPTION
+
+The EVP digest routines are a high level interface to message digests.
+
+EVP_DigestInit() initialises a digest context B<ctx> to use a digest
+B<type>: this will typically be supplied by a function such as
+EVP_sha1().
+
+EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+digest context B<ctx>. This funtion can be called several times on the
+same B<ctx> to hash additional data.
+
+EVP_DigestFinal() retrieves the digest value from B<ctx> and places
+it in B<md>. If the B<s> parameter is not NULL then the number of
+bytes of data written (i.e. the length of the digest) will be written
+to the integer at B<s>, at most B<EVP_MAX_MD_SIZE> bytes will be written.
+After calling EVP_DigestFinal() no additional calls to EVP_DigestUpdate()
+can be made, but EVP_DigestInit() can be called to initialiase a new
+digest operation.
+
+EVP_MD_CTX_copy() can be used to copy the message digest state from
+B<in> to B<out>. This is useful if large amounts of data are to be
+hashed which only differ in the last few bytes.
+
+EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest
+when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure, i.e. the size of the
+hash.
+
+EVP_MD_block_size() and EVP_MD_CTX_block_size() return the block size of the
+message digest when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure.
+
+EVP_MD_type() and EVP_MD_CTX_type() return the NID of the OBJECT IDENTIFIER
+representing the given message digest when passed an B<EVP_MD> structure.
+For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is
+normally used when setting ASN1 OIDs.
+
+EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
+B<EVP_MD_CTX>.
+
+EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
+with this digest. For example EVP_sha1() is associated with RSA so this will
+return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
+algorithms may not be retained in future versions of OpenSSL.
+
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
+algorithms respectively. The associated signature algorithm is RSA in each case.
+
+EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
+algorithms but using DSS (DSA) for the signature algorithm.
+
+EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it
+returns is of zero length.
+
+EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
+return an B<EVP_MD> structure when passed a digest name, a digest NID or
+an ASN1_OBJECT structure respectively. The digest table must be initialised
+using, for example, OpenSSL_add_all_digests() for these functions to work.
+
+=head1 RETURN VALUES
+
+EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() do not return values.
+
+EVP_MD_CTX_copy() returns 1 if successful or 0 for failure.
+
+EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
+corresponding OBJECT IDENTIFIER or NID_undef if none exists.
+
+EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(),
+EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
+size in bytes.
+
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
+EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+corresponding EVP_MD structures.
+
+EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
+return either an B<EVP_MD> structure or NULL if an error occurs.
+
+=head1 NOTES
+
+The B<EVP> interface to message digests should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the digest used and much more flexible.
+
+SHA1 is the digest of choice for new applications. The other digest algorithms
+are still in common use.
+
+=head1 EXAMPLE
+
+This example digests the data "Test Message\n" and "Hello World\n", using the
+digest name passed on the command line.
+
+ #include <stdio.h>
+ #include <openssl/evp.h>
+
+ main(int argc, char *argv[])
+ {
+ EVP_MD_CTX mdctx;
+ const EVP_MD *md;
+ char mess1[] = "Test Message\n";
+ char mess2[] = "Hello World\n";
+ unsigned char md_value[EVP_MAX_MD_SIZE];
+ int md_len, i;
+
+ OpenSSL_add_all_digests();
+
+ if(!argv[1]) {
+        printf("Usage: mdtest digestname\n");
+        exit(1);
+ }
+
+ md = EVP_get_digestbyname(argv[1]);
+
+ if(!md) {
+        printf("Unknown message digest %s\n", argv[1]);
+        exit(1);
+ }
+
+ EVP_DigestInit(&mdctx, md);
+ EVP_DigestUpdate(&mdctx, mess1, strlen(mess1));
+ EVP_DigestUpdate(&mdctx, mess2, strlen(mess2));
+ EVP_DigestFinal(&mdctx, md_value, &md_len);
+
+ printf("Digest is: ");
+ for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
+ printf("\n");
+ }
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+The link between digests and signing algorithms results in a situation where
+EVP_sha1() must be used with RSA and EVP_dss1() must be used with DSS
+even though they are identical digests.
+
+The size of an B<EVP_MD_CTX> structure is determined at compile time: this results
+in code that must be recompiled if the size of B<EVP_MD_CTX> increases.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
new file mode 100644
index 0000000000..77ed4ccdba
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -0,0 +1,224 @@
+=pod
+
+=head1 NAME
+
+EVP_EncryptInit, EVP_EncryptUpdate, EVP_EncryptFinal - EVP cipher routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
+ void EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+ void EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
+ void EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ void EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv, int enc);
+ void EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
+
+ const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
+ #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
+ #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
+
+ #define EVP_CIPHER_nid(e)              ((e)->nid)
+ #define EVP_CIPHER_block_size(e)       ((e)->block_size)
+ #define EVP_CIPHER_key_length(e)       ((e)->key_len)
+ #define EVP_CIPHER_iv_length(e)        ((e)->iv_len)
+
+ int EVP_CIPHER_type(const EVP_CIPHER *ctx);
+ #define EVP_CIPHER_CTX_cipher(e)       ((e)->cipher)
+ #define EVP_CIPHER_CTX_nid(e)          ((e)->cipher->nid)
+ #define EVP_CIPHER_CTX_block_size(e)   ((e)->cipher->block_size)
+ #define EVP_CIPHER_CTX_key_length(e)   ((e)->cipher->key_len)
+ #define EVP_CIPHER_CTX_iv_length(e)    ((e)->cipher->iv_len)
+ #define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
+
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
+=head1 DESCRIPTION
+
+The EVP cipher routines are a high level interface to certain
+symmetric ciphers.
+
+EVP_EncryptInit() initialises a cipher context B<ctx> for encryption
+with cipher B<type>. B<type> is normally supplied by a function such
+as EVP_des_cbc() . B<key> is the symmetric key to use and B<iv> is the
+IV to use (if necessary), the actual number of bytes used for the
+key and IV depends on the cipher. It is possible to set all parameters
+to NULL except B<type> in an initial call and supply the remaining
+parameters in subsequent calls. This is normally done when the 
+EVP_CIPHER_asn1_to_param() function is called to set the cipher
+parameters from an ASN1 AlgorithmIdentifier and the key from a
+different source.
+
+EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
+writes the encrypted version to B<out>. This function can be called
+multiple times to encrypt successive blocks of data. The amount
+of data written depends on the block alignment of the encrypted data:
+as a result the amount of data written may be anything from zero bytes
+to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
+room.  The actual number of bytes written is placed in B<outl>.
+
+EVP_EncryptFinal() encrypts the "final" data, that is any data that
+remains in a partial block. It uses L<standard block padding|/NOTES> (aka PKCS
+padding). The encrypted final data is written to B<out> which should
+have sufficient space for one cipher block. The number of bytes written
+is placed in B<outl>. After this function is called the encryption operation
+is finished and no further calls to EVP_EncryptUpdate() should be made.
+
+EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
+corresponding decryption operations. EVP_DecryptFinal() will return an
+error code if the final block is not correctly formatted. The parameters
+and restrictions are identical to the encryption operations except that
+the decrypted data buffer B<out> passed to EVP_DecryptUpdate() should
+have sufficient room for (B<inl> + cipher_block_size) bytes unless the
+cipher block size is 1 in which case B<inl> bytes is sufficient.
+
+EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal() are functions
+that can be used for decryption or encryption. The operation performed
+depends on the value of the B<enc> parameter. It should be set to 1 for
+encryption and 0 for decryption.
+
+EVP_CIPHER_CTX_cleanup() clears all information from a cipher context.
+It should be called after all operations using a cipher are complete
+so sensitive information does not remain in memory.
+
+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
+return an EVP_CIPHER structure when passed a cipher name, a NID or an
+ASN1_OBJECT structure.
+
+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
+passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure.  The actual NID
+value is an internal value which may not have a corresponding OBJECT
+IDENTIFIER.
+
+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
+structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
+for all ciphers.
+
+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
+It will return zero if the cipher does not use an IV.  The constant
+B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
+
+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
+size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
+structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
+length for all ciphers.
+
+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
+cipher or context. This "type" is the actual NID of the cipher OBJECT
+IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
+128 bit RC2 have the same NID. If the cipher does not have an object
+identifier or does not have ASN1 support this function will return
+B<NID_undef>.
+
+EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
+an B<EVP_CIPHER_CTX> structure.
+
+EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
+on the passed cipher. This will typically include any parameters and an
+IV. The cipher IV (if any) must be set when this call is made. This call
+should be made before the cipher is actually "used" (before any
+EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
+may fail if the cipher does not have any ASN1 support.
+
+EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
+AlgorithmIdentifier "parameter". The precise effect depends on the cipher
+In the case of RC2, for example, it will set the IV and effective key length.
+This function should be called after the base cipher type is set but before
+the key is set. For example EVP_CipherInit() will be called with the IV and
+key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
+EVP_CipherInit() again with all parameters except the key set to NULL. It is
+possible for this function to fail if the cipher does not have any ASN1 support
+or the parameters cannot be set (for example the RC2 effective key length
+does not have an B<EVP_CIPHER> structure).
+
+=head1 RETURN VALUES
+
+EVP_EncryptInit(), EVP_EncryptUpdate() and EVP_EncryptFinal() do not return
+values.
+
+EVP_DecryptInit() and EVP_DecryptUpdate() do not return values.
+EVP_DecryptFinal() returns 0 if the decrypt failed or 1 for success.
+
+EVP_CipherInit() and EVP_CipherUpdate() do not return values.
+EVP_CipherFinal() returns 1 for a decryption failure or 1 for success, if
+the operation is encryption then it always returns 1.
+
+EVP_CIPHER_CTX_cleanup() does not return a value.
+
+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
+return an B<EVP_CIPHER> structure or NULL on error.
+
+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
+
+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
+size.
+
+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
+length.
+
+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
+length or zero if the cipher does not use an IV.
+
+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
+OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
+
+EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
+
+EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for 
+success or zero for failure.
+
+=head1 NOTES
+
+Where possible the B<EVP> interface to symmetric ciphers should be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the cipher used and much more flexible.
+
+PKCS padding works by adding B<n> padding bytes of value B<n> to make the total 
+length of the encrypted data a multiple of the block size. Padding is always
+added so if the data is already a multiple of the block size B<n> will equal
+the block size. For example if the block size is 8 and 11 bytes are to be
+encrypted then 5 padding bytes of value 5 will be added.
+
+When decrypting the final block is checked to see if it has the correct form.
+
+Although the decryption operation can produce an error, it is not a strong
+test that the input data or key is correct. A random block has better than
+1 in 256 chance of being of the correct format and problems with the
+input data earlier on will not produce a final decrypt error.
+
+=head1 BUGS
+
+The current B<EVP> cipher interface is not as flexible as it should be. Only
+certain "spot" encryption algorithms can be used for ciphers which have various
+parameters associated with them (RC2, RC5 for example) this is inadequate.
+
+Several of the functions do not return error codes because the software versions
+can never fail. This is not true of hardware versions.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_OpenInit.pod b/src/lib/libcrypto/doc/EVP_OpenInit.pod
new file mode 100644
index 0000000000..9707a4b399
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_OpenInit.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal - EVP envelope decryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+                int ekl,unsigned char *iv,EVP_PKEY *priv);
+ void EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+=head1 DESCRIPTION
+
+The EVP envelope routines are a high level interface to envelope
+decryption. They decrypt a public key encrypted symmetric key and
+then decrypt data using it.
+
+EVP_OpenInit() initialises a cipher context B<ctx> for decryption
+with cipher B<type>. It decrypts the encrypted symmetric key of length
+B<ekl> bytes passed in the B<ek> parameter using the private key B<priv>.
+The IV is supplied in the B<iv> parameter.
+
+EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties
+as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as 
+documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+page. 
+
+=head1 RETURN VALUES
+
+EVP_OpenInit() returns -1 on error or an non zero integer (actually the
+recovered secret key size) if successful.
+
+EVP_SealUpdate() does not return a value.
+
+EVP_SealFinal() returns 0 if the decrypt failed or 1 for success.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>,L<rand(3)|rand(3)>
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_SealInit(3)|EVP_SealInit(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod
new file mode 100644
index 0000000000..1579d110fa
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_SealInit.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+                int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ void EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+=head1 DESCRIPTION
+
+The EVP envelope routines are a high level interface to envelope
+encryption. They generate a random key and then "envelope" it by
+using public key encryption. Data can then be encrypted using this
+key.
+
+EVP_SealInit() initialises a cipher context B<ctx> for encryption
+with cipher B<type> using a random secret key and IV supplied in
+the B<iv> parameter. B<type> is normally supplied by a function such
+as EVP_des_cbc(). The secret key is encrypted using one or more public
+keys, this allows the same encrypted data to be decrypted using any
+of the corresponding private keys. B<ek> is an array of buffers where
+the public key encrypted secret key will be written, each buffer must
+contain enough room for the corresponding encrypted key: that is
+B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
+size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
+an array of B<npubk> public keys.
+
+EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
+as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as 
+documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+page. 
+
+=head1 RETURN VALUES
+
+EVP_SealInit() returns -1 on error or B<npubk> if successful.
+
+EVP_SealUpdate() and EVP_SealFinal() do not return values.
+
+=head1 NOTES
+
+Because a random secret key is generated the random number generator
+must be seeded before calling EVP_SealInit().
+
+The public key must be RSA because it is the only OpenSSL public key
+algorithm that supports key transport.
+
+Envelope encryption is the usual method of using public key encryption
+on large amounts of data, this is because public key encryption is slow
+but symmetric encryption is fast. So symmetric encryption is used for
+bulk encryption and the small random symmetric key used is transferred
+using public key encryption.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>,L<rand(3)|rand(3)>
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)|EVP_OpenInit(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
new file mode 100644
index 0000000000..bbc9203c9c
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_SignInit.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey);
+
+ int EVP_PKEY_size(EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+The EVP signature routines are a high level interface to digital
+signatures.
+
+EVP_SignInit() initialises a signing context B<ctx> to using digest
+B<type>: this will typically be supplied by a function such as
+EVP_sha1().
+
+EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
+signature context B<ctx>. This funtion can be called several times on the
+same B<ctx> to include additional data.
+
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
+and places the signature in B<sig>. If the B<s> parameter is not NULL
+then the number of bytes of data written (i.e. the length of the signature)
+will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+will be written.  After calling EVP_SignFinal() no additional calls to
+EVP_SignUpdate() can be made, but EVP_SignInit() can be called to initialiase
+a new signature operation.
+
+EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual
+signature returned by EVP_SignFinal() may be smaller.
+
+=head1 RETURN VALUES
+
+EVP_SignInit() and EVP_SignUpdate() do not return values.
+
+EVP_SignFinal() returns 1 for success and 0 for failure.
+
+EVP_PKEY_size() returns the maximum size of a signature in bytes.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the algorithm used and much more flexible.
+
+Due to the link between message digests and public key algorithms the correct
+digest algorithm must be used with the correct public key type. A list of
+algorithms and associated public key algorithms appears in 
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+
+When signing with DSA private keys the random number generator must be seeded
+or the operation will fail. The random number generator does not need to be
+seeded for RSA signatures.
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+=head1 SEE ALSO
+
+L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
new file mode 100644
index 0000000000..3b5e07f4ad
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+The EVP signature verification routines are a high level interface to digital
+signatures.
+
+EVP_VerifyInit() initialises a verification context B<ctx> to using digest
+B<type>: this will typically be supplied by a function such as EVP_sha1().
+
+EVP_VerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
+verification context B<ctx>. This funtion can be called several times on the
+same B<ctx> to include additional data.
+
+EVP_VerifyFinal() verifies the data in B<ctx> using the public key B<pkey>
+and against the B<siglen> bytes at B<sigbuf>. After calling EVP_VerifyFinal()
+no additional calls to EVP_VerifyUpdate() can be made, but EVP_VerifyInit()
+can be called to initialiase a new verification operation.
+
+=head1 RETURN VALUES
+
+EVP_VerifyInit() and EVP_VerifyUpdate() do not return values.
+
+EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
+other error occurred.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the algorithm used and much more flexible.
+
+Due to the link between message digests and public key algorithms the correct
+digest algorithm must be used with the correct public key type. A list of
+algorithms and associated public key algorithms appears in 
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+=head1 SEE ALSO
+
+L<EVP_SignInit(3)|EVP_SignInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
new file mode 100644
index 0000000000..b0b1058d19
--- /dev/null
+++ b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_VERSION_NUMBER, SSLeay - get OpenSSL version number
+
+=head1 SYNOPSIS
+
+ #include <openssl/opensslv.h>
+ #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
+
+ #include <openssl/crypto.h>
+ long SSLeay(void);
+
+=head1 DESCRIPTION
+
+OPENSSL_VERSION_NUMBER is a numeric release version identifier:
+
+ MMNNFFRBB major minor fix final beta/patch
+
+for example
+
+ 0x000904100 == 0.9.4 release
+ 0x000905000 == 0.9.5 dev
+
+Versions prior to 0.9.3 have identifiers E<lt> 0x0930.
+For backward compatibility, SSLEAY_VERSION_NUMBER is also defined.
+
+SSLeay() returns this number. The return value can be compared to the
+macro to make sure that the correct version of the library has been
+loaded, especially when using DLLs on Windows systems.
+
+=head1 RETURN VALUE
+
+The version number.
+
+=head1 SEE ALSO
+
+L<crypto(3)|crypto(3)>
+
+=head1 HISTORY
+
+SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
+OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
new file mode 100644
index 0000000000..1300fe190c
--- /dev/null
+++ b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+OpenSSL_add_all_algorithms() - add algorithms to internal table
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void OpenSSL_add_all_algorithms(void);
+ void OpenSSL_add_all_ciphers(void);
+ void OpenSSL_add_all_digests(void);
+
+ void EVP_cleanup(void);
+
+=head1 DESCRIPTION
+
+OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
+this table to lookup ciphers via functions such as EVP_get_cipher_byname().
+
+OpenSSL_add_all_digests() adds all digest algorithms to the table.
+
+OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and
+ciphers).
+
+OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including
+password based encryption algorithms.
+
+EVP_cleanup() removes all ciphers and digests from the table.
+
+=head1 RETURN VALUES
+
+None of the functions return a value.
+
+=head1 NOTES
+
+A typical application will will call OpenSSL_add_all_algorithms() initially and
+EVP_cleanup() before exiting.
+
+An application does not need to add algorithms to use them explicitly, for example
+by EVP_sha1(). It just needs to add them if it (or any of the functions it calls)
+needs to lookup algorithms.
+
+The cipher and digest lookup functions are used in many parts of the library. If
+the table is not initialised several functions will misbehave and complain they
+cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries.
+This is a common query in the OpenSSL mailing lists.
+
+Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
+statically linked executable can be quite large. If this is important it is possible
+to just add the required ciphers and digests.
+
+=head1 BUGS
+
+Although the functions do not return error codes it is possible for them to fail.
+This will only happen as a result of a memory allocation failure so this is not
+too much of a problem in practice.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+
+=cut
diff --git a/src/lib/libcrypto/doc/RAND_add.pod b/src/lib/libcrypto/doc/RAND_add.pod
new file mode 100644
index 0000000000..0a13ec2a92
--- /dev/null
+++ b/src/lib/libcrypto/doc/RAND_add.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+RAND_add, RAND_seed, RAND_screen - add entropy to the PRNG
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_seed(const void *buf, int num);
+
+ void RAND_add(const void *buf, int num, double entropy);
+
+ int  RAND_status(void);
+
+ void RAND_screen(void);
+
+=head1 DESCRIPTION
+
+RAND_add() mixes the B<num> bytes at B<buf> into the PRNG state. Thus,
+if the data at B<buf> are unpredictable to an adversary, this
+increases the uncertainty about the state and makes the PRNG output
+less predictable. Suitable input comes from user interaction (random
+key presses, mouse movements) and certain hardware events. The
+B<entropy> argument is (the lower bound of) an estimate of how much
+randomness is contained in B<buf>, measured in bytes. Details about
+sources of randomness and how to estimate their entropy can be found
+in the literature, e.g. RFC 1750.
+
+RAND_add() may be called with sensitive data such as user entered
+passwords. The seed values cannot be recovered from the PRNG output.
+
+OpenSSL makes sure that the PRNG state is unique for each thread. On
+systems that provide C</dev/urandom>, the randomness device is used
+to seed the PRNG transparently. However, on all other systems, the
+application is responsible for seeding the PRNG by calling RAND_add(),
+L<RAND_egd(3)|RAND_egd(3)>
+or L<RAND_load_file(3)|RAND_load_file(3)>.
+
+RAND_seed() is equivalent to RAND_add() when B<num == entropy>.
+
+The RAND_screen() function is available for the convenience of Windows
+programmers. It adds the current contents of the screen to the PRNG.
+For applications that can catch Windows events, seeding the PRNG with
+the parameters of B<WM_MOUSEMOVE> events is a significantly better
+source of randomness. It should be noted that both methods cannot be
+used on servers that run without user interaction.
+
+=head1 RETURN VALUES
+
+RAND_status() returns 1 if the PRNG has been seeded with enough data,
+0 otherwise.
+
+The other functions do not return values.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_egd(3)|RAND_egd(3)>,
+L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_seed() and RAND_screen() are available in all versions of SSLeay
+and OpenSSL. RAND_add() and RAND_status() have been added in OpenSSL
+0.9.5.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RAND_bytes.pod b/src/lib/libcrypto/doc/RAND_bytes.pod
new file mode 100644
index 0000000000..b6ebd50527
--- /dev/null
+++ b/src/lib/libcrypto/doc/RAND_bytes.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+RAND_bytes, RAND_pseudo_bytes - generate random data
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int RAND_bytes(unsigned char *buf, int num);
+
+ int RAND_pseudo_bytes(unsigned char *buf, int num);
+
+=head1 DESCRIPTION
+
+RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
+into B<buf>. An error occurs if the PRNG has not been seeded with
+enough randomness to ensure an unpredictable byte sequence.
+
+RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
+Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
+unique if they are of sufficient length, but are not necessarily
+unpredictable. They can be used for non-cryptographic purposes and for
+certain purposes in cryptographic protocols, but usually not for key
+generation etc.
+
+=head1 RETURN VALUES
+
+RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
+bytes generated are cryptographically strong, 0 otherwise. Both
+functions return -1 if they are not supported by the current RAND
+method.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<err(3)|err(3)>, L<RAND_add(3)|RAND_add(3)>
+
+=head1 HISTORY
+
+RAND_bytes() is available in all versions of SSLeay and OpenSSL.  It
+has a return value since OpenSSL 0.9.5. RAND_pseudo_bytes() was added
+in OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RAND_cleanup.pod b/src/lib/libcrypto/doc/RAND_cleanup.pod
new file mode 100644
index 0000000000..3a8f0749a8
--- /dev/null
+++ b/src/lib/libcrypto/doc/RAND_cleanup.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+RAND_cleanup - erase the PRNG state
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_cleanup(void);
+
+=head1 DESCRIPTION
+
+RAND_cleanup() erases the memory used by the PRNG.
+
+=head1 RETURN VALUE
+
+RAND_cleanup() returns no value.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RAND_cleanup() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RAND_load_file.pod b/src/lib/libcrypto/doc/RAND_load_file.pod
new file mode 100644
index 0000000000..8dd700ca3d
--- /dev/null
+++ b/src/lib/libcrypto/doc/RAND_load_file.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ const char *RAND_file_name(char *buf, int num);
+
+ int RAND_load_file(const char *filename, long max_bytes);
+
+ int RAND_write_file(const char *filename);
+
+=head1 DESCRIPTION
+
+RAND_file_name() generates a default path for the random seed
+file. B<buf> points to a buffer of size B<num> in which to store the
+filename. The seed file is $RANDFILE if that environment variable is
+set, $HOME/.rnd otherwise. If $HOME is not set either, or B<num> is
+too small for the path name, an error occurs.
+
+RAND_load_file() reads a number of bytes from file B<filename> and
+adds them to the PRNG. If B<max_bytes> is non-negative,
+up to to B<max_bytes> are read; starting with OpenSSL 0.9.5,
+if B<max_bytes> is -1, the complete file is read.
+
+RAND_write_file() writes a number of random bytes (currently 1024) to
+file B<filename> which can be used to initialize the PRNG by calling
+RAND_load_file() in a later session.
+
+=head1 RETURN VALUES
+
+RAND_load_file() returns the number of bytes read.
+
+RAND_write_file() returns the number of bytes written, and -1 if the
+bytes written were generated without appropriate seed.
+
+RAND_file_name() returns a pointer to B<buf> on success, and NULL on
+error.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_load_file(), RAND_write_file() and RAND_file_name() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RAND_set_rand_method.pod b/src/lib/libcrypto/doc/RAND_set_rand_method.pod
new file mode 100644
index 0000000000..466e9b8767
--- /dev/null
+++ b/src/lib/libcrypto/doc/RAND_set_rand_method.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay - select RAND method
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_set_rand_method(RAND_METHOD *meth);
+
+ RAND_METHOD *RAND_get_rand_method(void);
+
+ RAND_METHOD *RAND_SSLeay(void);
+
+=head1 DESCRIPTION
+
+A B<RAND_METHOD> specifies the functions that OpenSSL uses for random
+number generation. By modifying the method, alternative
+implementations such as hardware RNGs may be used.  Initially, the
+default is to use the OpenSSL internal implementation. RAND_SSLeay()
+returns a pointer to that method.
+
+RAND_set_rand_method() sets the RAND method to B<meth>.
+RAND_get_rand_method() returns a pointer to the current method.
+
+=head1 THE RAND_METHOD STRUCTURE
+
+ typedef struct rand_meth_st
+ {
+        void (*seed)(const void *buf, int num);
+        int (*bytes)(unsigned char *buf, int num);
+        void (*cleanup)(void);
+        void (*add)(const void *buf, int num, int entropy);
+        int (*pseudorand)(unsigned char *buf, int num);
+ } RAND_METHOD;
+
+The components point to the implementation of RAND_seed(),
+RAND_bytes(), RAND_cleanup(), RAND_add() and RAND_pseudo_rand().
+Each component may be NULL if the function is not implemented.
+
+=head1 RETURN VALUES
+
+RAND_set_rand_method() returns no value. RAND_get_rand_method() and
+RAND_SSLeay() return pointers to the respective methods.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RAND_set_rand_method(), RAND_get_rand_method() and RAND_SSLeay() are
+available in all versions of OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_blinding_on.pod b/src/lib/libcrypto/doc/RSA_blinding_on.pod
new file mode 100644
index 0000000000..fd2c69abd8
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_blinding_on.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attacks
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+
+ void RSA_blinding_off(RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA is vulnerable to timing attacks. In a setup where attackers can
+measure the time of RSA decryption or signature operations, blinding
+must be used to protect the RSA operation from that attack.
+
+RSA_blinding_on() turns blinding on for key B<rsa> and generates a
+random blinding factor. B<ctx> is B<NULL> or a pre-allocated and
+initialized B<BN_CTX>. The random number generator must be seeded
+prior to calling RSA_blinding_on().
+
+RSA_blinding_off() turns blinding off and frees the memory used for
+the blinding factor.
+
+=head1 RETURN VALUES
+
+RSA_blinding_on() returns 1 on success, and 0 if an error occurred.
+
+RSA_blinding_off() returns no value.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RSA_blinding_on() and RSA_blinding_off() appeared in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_check_key.pod b/src/lib/libcrypto/doc/RSA_check_key.pod
new file mode 100644
index 0000000000..79fed753ad
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_check_key.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+RSA_check_key - validate private RSA keys
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_check_key(RSA *rsa);
+
+=head1 DESCRIPTION
+
+This function validates RSA keys. It checks that B<p> and B<q> are
+in fact prime, and that B<n = p*q>.
+
+It also checks that B<d*e = 1 mod (p-1*q-1)>,
+and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
+
+The key's public components may not be B<NULL>.
+
+=head1 RETURN VALUE
+
+RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
+-1 is returned if an error occurs while checking the key.
+
+If the key is invalid or an error occurred, the reason code can be
+obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+RSA_check() appeared in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_generate_key.pod b/src/lib/libcrypto/doc/RSA_generate_key.pod
new file mode 100644
index 0000000000..fdaddbcb13
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_generate_key.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+RSA_generate_key - generate RSA key pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA *RSA_generate_key(int num, unsigned long e,
+    void (*callback)(int,int,void *), void *cb_arg);
+
+=head1 DESCRIPTION
+
+RSA_generate_key() generates a key pair and returns it in a newly
+allocated B<RSA> structure. The pseudo-random number generator must
+be seeded prior to calling RSA_generate_key().
+
+The modulus size will be B<num> bits, and the public exponent will be
+B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
+The exponent is an odd number, typically 3 or 65535.
+
+A callback function may be used to provide feedback about the
+progress of the key generation. If B<callback> is not B<NULL>, it
+will be called as follows:
+
+=over 4
+
+=item *
+
+While a random prime number is generated, it is called as
+described in L<BN_generate_prime(3)|BN_generate_prime(3)>.
+
+=item *
+
+When the n-th randomly generated prime is rejected as not
+suitable for the key, B<callback(2, n, cb_arg)> is called.
+
+=item *
+
+When a random p has been found with p-1 relatively prime to B<e>,
+it is called as B<callback(3, 0, cb_arg)>.
+
+=back
+
+The process is then repeated for prime q with B<callback(3, 1, cb_arg)>.
+
+=head1 RETURN VALUE
+
+If key generation fails, RSA_generate_key() returns B<NULL>; the
+error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+B<callback(2, x, cb_arg)> is used with two different meanings.
+
+RSA_generate_key() goes into an infinite loop for illegal input values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+
+=head1 HISTORY
+
+The B<cb_arg> argument was added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod b/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
new file mode 100644
index 0000000000..920dc76325
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
@@ -0,0 +1,122 @@
+=pod
+
+=head1 NAME
+
+RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specific data to RSA structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int RSA_set_ex_data(RSA *r, int idx, void *arg);
+
+ void *RSA_get_ex_data(RSA *r, int idx);
+
+ int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                                        int idx, long argl, void *argp);
+
+ void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                                        int idx, long argl, void *argp);
+
+ int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+                                        int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+This has several potential uses, it can be used to cache data associated with
+a structure (for example the hash of some part of the structure) or some
+additional data (for example a handle to the data in an external library).
+
+Since the application data can be anything at all it is passed and retrieved
+as a B<void *> type.
+
+The B<RSA_get_ex_new_index()> function is initially called to "register" some
+new application specific data. It takes three optional function pointers which
+are called when the parent structure (in this case an RSA structure) is
+initially created, when it is copied and when it is freed up. If any or all of
+these function pointer arguments are not used they should be set to NULL. The
+precise manner in which these function pointers are called is described in more
+detail below. B<RSA_get_ex_new_index()> also takes additional long and pointer
+parameters which will be passed to the supplied functions but which otherwise
+have no special meaning. It returns an B<index> which should be stored
+(typically in a static variable) and passed used in the B<idx> parameter in
+the remaining functions. Each successful call to B<RSA_get_ex_new_index()>
+will return an index greater than any previously returned, this is important
+because the optional functions are called in order of increasing index value.
+
+B<RSA_set_ex_data()> is used to set application specific data, the data is
+supplied in the B<arg> parameter and its precise meaning is up to the
+application.
+
+B<RSA_get_ex_data()> is used to retrieve application specific data. The data
+is returned to the application, this will be the same value as supplied to
+a previous B<RSA_set_ex_data()> call.
+
+B<new_func()> is called when a structure is initially allocated (for example
+with B<RSA_new()>. The parent structure members will not have any meaningful
+values at this point. This function will typically be used to allocate any
+application specific structure.
+
+B<free_func()> is called when a structure is being freed up. The dynamic parent
+structure members should not be accessed because they will be freed up when
+this function is called.
+
+B<new_func()> and B<free_func()> take the same parameters. B<parent> is a
+pointer to the parent RSA structure. B<ptr> is a the application specific data
+(this wont be of much use in B<new_func()>. B<ad> is a pointer to the
+B<CRYPTO_EX_DATA> structure from the parent RSA structure: the functions
+B<CRYPTO_get_ex_data()> and B<CRYPTO_set_ex_data()> can be called to manipulate
+it. The B<idx> parameter is the index: this will be the same value returned by
+B<RSA_get_ex_new_index()> when the functions were initially registered. Finally
+the B<argl> and B<argp> parameters are the values originally passed to the same
+corresponding parameters when B<RSA_get_ex_new_index()> was called.
+
+B<dup_func()> is called when a structure is being copied. Pointers to the
+destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
+B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
+the source application data when the function is called, when the function returns
+the value is copied to the destination: the application can thus modify the data
+pointed to by B<from_d> and have different values in the source and destination.
+The B<idx>, B<argl> and B<argp> parameters are the same as those in B<new_func()>
+and B<free_func()>.
+
+=head1 RETURN VALUES
+
+B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a valid
+index value).
+
+B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
+
+B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
+be valid application data but currently it can only fail if given an invalid B<idx>
+parameter.
+
+B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
+
+On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+B<dup_func()> is currently never called.
+
+The return value of B<new_func()> is ignored.
+
+The B<new_func()> function isn't very useful because no meaningful values are
+present in the parent RSA structure when it is called.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=head1 HISTORY
+
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() are
+available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_new.pod b/src/lib/libcrypto/doc/RSA_new.pod
new file mode 100644
index 0000000000..f16490ea6a
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_new.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+RSA_new, RSA_free - allocate and free RSA objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * RSA_new(void);
+
+ void RSA_free(RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_new() allocates and initializes an B<RSA> structure.
+
+RSA_free() frees the B<RSA> structure and its components. The key is
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, RSA_new() returns B<NULL> and sets an error
+code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+a pointer to the newly allocated structure.
+
+RSA_free() returns no value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_generate_key(3)|RSA_generate_key(3)>
+
+=head1 HISTORY
+
+RSA_new() and RSA_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_padding_add_PKCS1_type_1.pod b/src/lib/libcrypto/doc/RSA_padding_add_PKCS1_type_1.pod
new file mode 100644
index 0000000000..b8f678fe72
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_padding_add_PKCS1_type_1.pod
@@ -0,0 +1,124 @@
+=pod
+
+=head1 NAME
+
+RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
+RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
+RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
+RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
+padding
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+    unsigned char *f, int fl, unsigned char *p, int pl);
+
+ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len, unsigned char *p, int pl);
+
+ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_none(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_none(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+=head1 DESCRIPTION
+
+The RSA_padding_xxx_xxx() functions are called from the RSA encrypt,
+decrypt, sign and verify functions. Normally they should not be called
+from application programs.
+
+However, they can also be called directly to implement padding for other
+asymmetric ciphers. RSA_padding_add_PKCS1_OAEP() and
+RSA_padding_check_PKCS1_OAEP() may be used in an application combined
+with B<RSA_NO_PADDING> in order to implement OAEP with an encoding
+parameter.
+
+RSA_padding_add_xxx() encodes B<fl> bytes from B<f> so as to fit into
+B<tlen> bytes and stores the result at B<to>. An error occurs if B<fl>
+does not meet the size requirements of the encoding method.
+
+The following encoding methods are implemented:
+
+=over 4
+
+=item PKCS1_type_1
+
+PKCS #1 v2.0 EMSA-PKCS1-v1_5 (PKCS #1 v1.5 block type 1); used for signatures
+
+=item PKCS1_type_2
+
+PKCS #1 v2.0 EME-PKCS1-v1_5 (PKCS #1 v1.5 block type 2)
+
+=item PKCS1_OAEP
+
+PKCS #1 v2.0 EME-OAEP
+
+=item SSLv23
+
+PKCS #1 EME-PKCS1-v1_5 with SSL-specific modification
+
+=item none
+
+simply copy the data
+
+=back
+
+The random number generator must be seeded prior to calling
+RSA_padding_add_xxx().
+
+RSA_padding_check_xxx() verifies that the B<fl> bytes at B<f> contain
+a valid encoding for a B<rsa_len> byte RSA key in the respective
+encoding method and stores the recovered data of at most B<tlen> bytes
+(for B<RSA_NO_PADDING>: of size B<tlen>)
+at B<to>.
+
+For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
+of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
+
+=head1 RETURN VALUES
+
+The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
+The RSA_padding_check_xxx() functions return the length of the
+recovered data, -1 on error. Error codes can be obtained by calling
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
+L<RSA_private_decrypt(3)|RSA_private_decrypt(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+RSA_padding_add_PKCS1_type_1(), RSA_padding_check_PKCS1_type_1(),
+RSA_padding_add_PKCS1_type_2(), RSA_padding_check_PKCS1_type_2(),
+RSA_padding_add_SSLv23(), RSA_padding_check_SSLv23(),
+RSA_padding_add_none() and RSA_padding_check_none() appeared in
+SSLeay 0.9.0.
+
+RSA_padding_add_PKCS1_OAEP() and RSA_padding_check_PKCS1_OAEP() were
+added in OpenSSL 0.9.2b.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_print.pod b/src/lib/libcrypto/doc/RSA_print.pod
new file mode 100644
index 0000000000..dd968a5274
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_print.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp - print
+cryptographic parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_print(BIO *bp, RSA *x, int offset);
+ int RSA_print_fp(FILE *fp, RSA *x, int offset);
+
+ #include <openssl/dsa.h>
+
+ int DSAparams_print(BIO *bp, DSA *x);
+ int DSAparams_print_fp(FILE *fp, DSA *x);
+ int DSA_print(BIO *bp, DSA *x, int offset);
+ int DSA_print_fp(FILE *fp, DSA *x, int offset);
+
+ #include <openssl/dh.h>
+
+ int DHparams_print(BIO *bp, DH *x);
+ int DHparams_print_fp(FILE *fp, DH *x);
+
+=head1 DESCRIPTION
+
+A human-readable hexadecimal output of the components of the RSA
+key, DSA parameters or key or DH parameters is printed to B<bp> or B<fp>.
+
+The output lines are indented by B<offset> spaces.
+
+=head1 RETURN VALUES
+
+These functions return 1 on success, 0 on error.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+
+=head1 HISTORY
+
+RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
+DH_print_fp() are available in all versions of SSLeay and OpenSSL.
+DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_private_encrypt.pod b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
new file mode 100644
index 0000000000..6861a98a10
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+RSA_private_encrypt, RSA_public_decrypt - low level signature operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa, int padding);
+
+=head1 DESCRIPTION
+
+These functions handle RSA signatures at a low level.
+
+RSA_private_encrypt() signs the B<flen> bytes at B<from> (usually a
+message digest with an algorithm identifier) using the private key
+B<rsa> and stores the signature in B<to>. B<to> must point to
+B<RSA_size(rsa)> bytes of memory.
+
+B<padding> denotes one of the following modes:
+
+=over 4
+
+=item RSA_PKCS1_PADDING
+
+PKCS #1 v1.5 padding. This function does not handle the
+B<algorithmIdentifier> specified in PKCS #1. When generating or
+verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
+used.
+
+=item RSA_NO_PADDING
+
+Raw RSA signature. This mode should I<only> be used to implement
+cryptographically sound padding modes in the application code.
+Signing user data directly with RSA is insecure.
+
+=back
+
+RSA_public_decrypt() recovers the message digest from the B<flen>
+bytes long signature at B<from> using the signer's public key
+B<rsa>. B<to> must point to a memory section large enough to hold the
+message digest (which is smaller than B<RSA_size(rsa) -
+11>). B<padding> is the padding mode that was used to sign the data.
+
+=head1 RETURN VALUES
+
+RSA_private_encrypt() returns the size of the signature (i.e.,
+RSA_size(rsa)). RSA_public_decrypt() returns the size of the
+recovered message digest.
+
+On error, -1 is returned; the error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
+available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_public_encrypt.pod b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
new file mode 100644
index 0000000000..910c4752b8
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
@@ -0,0 +1,86 @@
+=pod
+
+=head1 NAME
+
+RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_public_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_private_decrypt(int flen, unsigned char *from,
+     unsigned char *to, RSA *rsa, int padding);
+
+=head1 DESCRIPTION
+
+RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a
+session key) using the public key B<rsa> and stores the ciphertext in
+B<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory.
+
+B<padding> denotes one of the following modes:
+
+=over 4
+
+=item RSA_PKCS1_PADDING
+
+PKCS #1 v1.5 padding. This currently is the most widely used mode.
+
+=item RSA_PKCS1_OAEP_PADDING
+
+EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty
+encoding parameter. This mode is recommended for all new applications.
+
+=item RSA_SSLV23_PADDING
+
+PKCS #1 v1.5 padding with an SSL-specific modification that denotes
+that the server is SSL3 capable.
+
+=item RSA_NO_PADDING
+
+Raw RSA encryption. This mode should I<only> be used to implement
+cryptographically sound padding modes in the application code.
+Encrypting user data directly with RSA is insecure.
+
+=back
+
+B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+based padding modes, and less than RSA_size(B<rsa>) - 21 for
+RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
+prior to calling RSA_public_encrypt().
+
+RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
+private key B<rsa> and stores the plaintext in B<to>. B<to> must point
+to a memory section large enough to hold the decrypted data (which is
+smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
+was used to encrypt the data.
+
+=head1 RETURN VALUES
+
+RSA_public_encrypt() returns the size of the encrypted data (i.e.,
+RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
+recovered plaintext.
+
+On error, -1 is returned; the error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+
+=head1 NOTES
+
+The L<RSA_PKCS1_RSAref(3)|RSA_PKCS1_RSAref(3)> method supports only the RSA_PKCS1_PADDING mode.
+
+=head1 HISTORY
+
+The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
+available since SSLeay 0.9.0, OAEP was added in OpenSSL 0.9.2b.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod
new file mode 100644
index 0000000000..deb1183a23
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_set_method.pod
@@ -0,0 +1,153 @@
+=pod
+
+=head1 NAME
+
+RSA_set_default_method, RSA_get_default_method, RSA_set_method,
+RSA_get_method, RSA_PKCS1_SSLeay, RSA_PKCS1_RSAref,
+RSA_PKCS1_null_method, RSA_flags, RSA_new_method - select RSA method
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ void RSA_set_default_method(RSA_METHOD *meth);
+
+ RSA_METHOD *RSA_get_default_method(void);
+
+ RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+
+ RSA_METHOD *RSA_get_method(RSA *rsa);
+
+ RSA_METHOD *RSA_PKCS1_SSLeay(void);
+
+ RSA_METHOD *RSA_PKCS1_RSAref(void);
+
+ RSA_METHOD *RSA_null_method(void);
+
+ int RSA_flags(RSA *rsa);
+
+ RSA *RSA_new_method(RSA_METHOD *method);
+
+=head1 DESCRIPTION
+
+An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation,
+unless OpenSSL was configured with the C<rsaref> or C<-DRSA_NULL>
+options. RSA_PKCS1_SSLeay() returns a pointer to that method.
+
+RSA_PKCS1_RSAref() returns a pointer to a method that uses the RSAref
+library. This is the default method in the C<rsaref> configuration;
+the function is not available in other configurations.
+RSA_null_method() returns a pointer to a method that does not support
+the RSA transformation. It is the default if OpenSSL is compiled with
+C<-DRSA_NULL>. These methods may be useful in the USA because of a
+patent on the RSA cryptosystem.
+
+RSA_set_default_method() makes B<meth> the default method for all B<RSA>
+structures created later.
+
+RSA_get_default_method() returns a pointer to the current default
+method.
+
+RSA_set_method() selects B<meth> for all operations using the key
+B<rsa>.
+
+RSA_get_method() returns a pointer to the method currently selected
+for B<rsa>.
+
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+
+RSA_new_method() allocates and initializes an B<RSA> structure so that
+B<method> will be used for the RSA operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE RSA_METHOD STRUCTURE
+
+ typedef struct rsa_meth_st
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* encrypt */
+        int (*rsa_pub_enc)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* verify arbitrary data */
+        int (*rsa_pub_dec)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* sign arbitrary data */
+        int (*rsa_priv_enc)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* decrypt */
+        int (*rsa_priv_dec)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* compute r0 = r0 ^ I mod rsa->n. May be NULL */
+        int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+
+     /* compute r = a ^ p mod m. May be NULL */
+        int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+     /* called at RSA_new */
+        int (*init)(RSA *rsa);
+
+     /* called at RSA_free */
+        int (*finish)(RSA *rsa);
+
+     /* RSA_FLAG_EXT_PKEY        - rsa_mod_exp is called for private key
+      *                            operations, even if p,q,dmp1,dmq1,iqmp
+      *                            are NULL
+      * RSA_FLAG_SIGN_VER        - enable rsa_sign and rsa_verify
+      * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
+      */
+        int flags;
+
+        char *app_data; /* ?? */
+
+     /* sign. For backward compatibility, this is used only
+      * if (flags & RSA_FLAG_SIGN_VER)
+      */
+        int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
+           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+
+     /* verify. For backward compatibility, this is used only
+      * if (flags & RSA_FLAG_SIGN_VER)
+      */
+        int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
+           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+ } RSA_METHOD;
+
+=head1 RETURN VALUES
+
+RSA_PKCS1_SSLeay(), RSA_PKCS1_RSAref(), RSA_PKCS1_null_method(),
+RSA_get_default_method() and RSA_get_method() return pointers to the
+respective B<RSA_METHOD>s.
+
+RSA_set_default_method() returns no value.
+
+RSA_set_method() returns a pointer to the B<RSA_METHOD> previously
+associated with B<rsa>.
+
+RSA_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
+
+=head1 HISTORY
+
+RSA_new_method() and RSA_set_default_method() appeared in SSLeay 0.8.
+RSA_get_default_method(), RSA_set_method() and RSA_get_method() as
+well as the rsa_sign and rsa_verify components of RSA_METHOD were
+added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_sign.pod b/src/lib/libcrypto/doc/RSA_sign.pod
new file mode 100644
index 0000000000..f0bf6eea1b
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_sign.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+RSA_sign, RSA_verify - RSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+
+ int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_sign() signs the message digest B<m> of size B<m_len> using the
+private key B<rsa> as specified in PKCS #1 v2.0. It stores the
+signature in B<sigret> and the signature size in B<siglen>. B<sigret>
+must point to RSA_size(B<rsa>) bytes of memory.
+
+B<type> denotes the message digest algorithm that was used to generate
+B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
+see L<objects(3)|objects(3)> for details. If B<type> is B<NID_md5_sha1>,
+an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
+and no algorithm identifier) is created.
+
+RSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
+matches a given message digest B<m> of size B<m_len>. B<type> denotes
+the message digest algorithm that was used to generate the signature.
+B<rsa> is the signer's public key.
+
+=head1 RETURN VALUES
+
+RSA_sign() returns 1 on success, 0 otherwise.  RSA_verify() returns 1
+on successful verification, 0 otherwise.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+Certain signatures with an improper algorithm identifier are accepted
+for compatibility with SSLeay 0.4.5 :-)
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> 
+
+=head1 HISTORY
+
+RSA_sign() and RSA_verify() are available in all versions of SSLeay
+and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
new file mode 100644
index 0000000000..df9ceb339a
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING - RSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
+    RSA *rsa);
+
+ int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+    RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_sign_ASN1_OCTET_STRING() signs the octet string B<m> of size
+B<m_len> using the private key B<rsa> represented in DER using PKCS #1
+padding. It stores the signature in B<sigret> and the signature size
+in B<siglen>. B<sigret> must point to B<RSA_size(rsa)> bytes of
+memory.
+
+B<dummy> is ignored.
+
+The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING().
+
+RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
+of size B<siglen> is the DER representation of a given octet string
+B<m> of size B<m_len>. B<dummy> is ignored. B<rsa> is the signer's
+public key.
+
+=head1 RETURN VALUES
+
+RSA_sign_ASN1_OCTET_STRING() returns 1 on success, 0 otherwise.
+RSA_verify_ASN1_OCTET_STRING() returns 1 on successful verification, 0
+otherwise.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+These functions serve no recognizable purpose.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
+L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+RSA_sign_ASN1_OCTET_STRING() and RSA_verify_ASN1_OCTET_STRING() were
+added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libcrypto/doc/RSA_size.pod b/src/lib/libcrypto/doc/RSA_size.pod
new file mode 100644
index 0000000000..b36b4d58d5
--- /dev/null
+++ b/src/lib/libcrypto/doc/RSA_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+RSA_size - get RSA modulus size
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_size(RSA *rsa);
+
+=head1 DESCRIPTION
+
+This function returns the RSA modulus size in bytes. It can be used to
+determine how much memory must be allocated for an RSA encrypted
+value.
+
+B<rsa-E<gt>n> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>
+
+=head1 HISTORY
+
+RSA_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libcrypto/doc/bn.pod b/src/lib/libcrypto/doc/bn.pod
new file mode 100644
index 0000000000..1504a1c92d
--- /dev/null
+++ b/src/lib/libcrypto/doc/bn.pod
@@ -0,0 +1,148 @@
+=pod
+
+=head1 NAME
+
+bn - multiprecision integer arithmetics
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_new(void);
+ void BN_free(BIGNUM *a);
+ void BN_init(BIGNUM *);
+ void BN_clear(BIGNUM *a);
+ void BN_clear_free(BIGNUM *a);
+
+ BN_CTX *BN_CTX_new(void);
+ void BN_CTX_init(BN_CTX *c);
+ void BN_CTX_free(BN_CTX *c);
+
+ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+ BIGNUM *BN_dup(const BIGNUM *a);
+
+ int BN_num_bytes(const BIGNUM *a);
+ int BN_num_bits(const BIGNUM *a);
+ int BN_num_bits_word(BN_ULONG w);
+
+ int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
+         BN_CTX *ctx);
+ int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+ int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+         const BIGNUM *m, BN_CTX *ctx);
+ int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+ int BN_add_word(BIGNUM *a, BN_ULONG w);
+ int BN_sub_word(BIGNUM *a, BN_ULONG w);
+ int BN_mul_word(BIGNUM *a, BN_ULONG w);
+ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+
+ int BN_cmp(BIGNUM *a, BIGNUM *b);
+ int BN_ucmp(BIGNUM *a, BIGNUM *b);
+ int BN_is_zero(BIGNUM *a);
+ int BN_is_one(BIGNUM *a);
+ int BN_is_word(BIGNUM *a, BN_ULONG w);
+ int BN_is_odd(BIGNUM *a);
+
+ int BN_zero(BIGNUM *a);
+ int BN_one(BIGNUM *a);
+ BIGNUM *BN_value_one(void);
+ int BN_set_word(BIGNUM *a, unsigned long w);
+ unsigned long BN_get_word(BIGNUM *a);
+
+ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
+         BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
+ int BN_is_prime(const BIGNUM *p, int nchecks,
+         void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);
+
+ int BN_set_bit(BIGNUM *a, int n);
+ int BN_clear_bit(BIGNUM *a, int n);
+ int BN_is_bit_set(const BIGNUM *a, int n);
+ int BN_mask_bits(BIGNUM *a, int n);
+ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+ int BN_lshift1(BIGNUM *r, BIGNUM *a);
+ int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+ int BN_rshift1(BIGNUM *r, BIGNUM *a);
+
+ int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+ char *BN_bn2hex(const BIGNUM *a);
+ char *BN_bn2dec(const BIGNUM *a);
+ int BN_hex2bn(BIGNUM **a, const char *str);
+ int BN_dec2bn(BIGNUM **a, const char *str);
+ int BN_print(BIO *fp, const BIGNUM *a);
+ int BN_print_fp(FILE *fp, const BIGNUM *a);
+ int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
+
+ BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
+     BN_CTX *ctx);
+
+ BN_RECP_CTX *BN_RECP_CTX_new(void);
+ void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+ void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+ int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+        BN_RECP_CTX *recp, BN_CTX *ctx);
+
+ BN_MONT_CTX *BN_MONT_CTX_new(void);
+ void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+ void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
+ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
+ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+         BN_MONT_CTX *mont, BN_CTX *ctx);
+ int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+ int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+
+=head1 DESCRIPTION
+
+This library performs arithmetic operations on integers of arbitrary
+size. It was written for use in public key cryptography, such as RSA
+and Diffie-Hellman.
+
+It uses dynamic memory allocation for storing its data structures.
+That means that there is no limit on the size of the numbers
+manipulated by these functions, but return values must always be
+checked in case a memory allocation error has occurred.
+
+The basic object in this library is a B<BIGNUM>. It is used to hold a
+single large integer. This type should be considered opaque and fields
+should not be modified or accessed directly.
+
+The creation of B<BIGNUM> objects is described in L<BN_new(3)|BN_new(3)>;
+L<BN_add(3)|BN_add(3)> describes most of the arithmetic operations.
+Comparison is described in L<BN_cmp(3)|BN_cmp(3)>; L<BN_zero(3)|BN_zero(3)>
+describes certain assignments, L<BN_rand(3)|BN_rand(3)> the generation of
+random numbers, L<BN_generate_prime(3)|BN_generate_prime(3)> deals with prime
+numbers and L<BN_set_bit(3)|BN_set_bit(3)> with bit operations. The conversion
+of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
+
+=head1 SEE ALSO
+
+L<bn_internal(3)|bn_internal(3)>,
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_copy(3)|BN_copy(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
+L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
+L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
+L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
+L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
+L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> 
+
+=cut
diff --git a/src/lib/libcrypto/doc/d2i_DHparams.pod b/src/lib/libcrypto/doc/d2i_DHparams.pod
new file mode 100644
index 0000000000..a6d1743d39
--- /dev/null
+++ b/src/lib/libcrypto/doc/d2i_DHparams.pod
@@ -0,0 +1,30 @@
+=pod
+
+=head1 NAME
+
+d2i_DHparams, i2d_DHparams - ...
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *d2i_DHparams(DH **a, unsigned char **pp, long length);
+ int i2d_DHparams(DH *a, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+...
+
+=head1 RETURN VALUES
+
+...
+
+=head1 SEE ALSO
+
+...
+
+=head1 HISTORY
+
+...
+
+=cut
diff --git a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
new file mode 100644
index 0000000000..ff4d0d57db
--- /dev/null
+++ b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Netscape_RSA, d2i_Netscape_RSA - ...
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
+
+ RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
+
+ int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
+
+ RSA * d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+
+=head1 DESCRIPTION
+
+...
+
+=head1 RETURN VALUES
+
+...
+
+=head1 SEE ALSO
+
+...
+
+=head1 HISTORY
+
+...
+
+=cut
diff --git a/src/lib/libcrypto/doc/dh.pod b/src/lib/libcrypto/doc/dh.pod
new file mode 100644
index 0000000000..0a9b7c03a2
--- /dev/null
+++ b/src/lib/libcrypto/doc/dh.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+dh - Diffie-Hellman key agreement
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *   DH_new(void);
+ void   DH_free(DH *dh);
+
+ int    DH_size(DH *dh);
+
+ DH *   DH_generate_parameters(int prime_len, int generator,
+                void (*callback)(int, int, void *), void *cb_arg);
+ int    DH_check(DH *dh, int *codes);
+
+ int    DH_generate_key(DH *dh);
+ int    DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+ void DH_set_default_method(DH_METHOD *meth);
+ DH_METHOD *DH_get_default_method(void);
+ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+ DH *DH_new_method(DH_METHOD *meth);
+ DH_METHOD *DH_OpenSSL(void);
+
+ int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+             int (*dup_func)(), void (*free_func)());
+ int DH_set_ex_data(DH *d, int idx, char *arg);
+ char *DH_get_ex_data(DH *d, int idx);
+
+ DH *   d2i_DHparams(DH **a, unsigned char **pp, long length);
+ int    i2d_DHparams(DH *a, unsigned char **pp);
+
+ int    DHparams_print_fp(FILE *fp, DH *x);
+ int    DHparams_print(BIO *bp, DH *x);
+
+=head1 DESCRIPTION
+
+These functions implement the Diffie-Hellman key agreement protocol.
+The generation of shared DH parameters is described in
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>; L<DH_generate_key(3)|DH_generate_key(3)> describes how
+to perform a key agreement.
+
+The B<DH> structure consists of several BIGNUM components.
+
+ struct
+        {
+        BIGNUM *p;              // prime number (shared)
+        BIGNUM *g;              // generator of Z_p (shared)
+        BIGNUM *priv_key;       // private DH value x
+        BIGNUM *pub_key;        // public DH value g^x
+        // ...
+        };
+ DH
+
+=head1 SEE ALSO
+
+L<dhparam(1)|dhparam(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<DH_set_method(3)|DH_set_method(3)>,
+L<DH_new(3)|DH_new(3)>, L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
+L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>,
+L<RSA_print(3)|RSA_print(3)> 
+
+=cut
diff --git a/src/lib/libcrypto/doc/dsa.pod b/src/lib/libcrypto/doc/dsa.pod
new file mode 100644
index 0000000000..2c09244899
--- /dev/null
+++ b/src/lib/libcrypto/doc/dsa.pod
@@ -0,0 +1,104 @@
+=pod
+
+=head1 NAME
+
+dsa - Digital Signature Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA *  DSA_new(void);
+ void   DSA_free(DSA *dsa);
+
+ int    DSA_size(DSA *dsa);
+
+ DSA *  DSA_generate_parameters(int bits, unsigned char *seed,
+                int seed_len, int *counter_ret, unsigned long *h_ret,
+                void (*callback)(int, int, void *), void *cb_arg);
+
+ DH *   DSA_dup_DH(DSA *r);
+
+ int    DSA_generate_key(DSA *dsa);
+
+ int    DSA_sign(int dummy, const unsigned char *dgst, int len,
+                unsigned char *sigret, unsigned int *siglen, DSA *dsa);
+ int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
+                BIGNUM **rp);
+ int    DSA_verify(int dummy, const unsigned char *dgst, int len,
+                unsigned char *sigbuf, int siglen, DSA *dsa);
+
+ void DSA_set_default_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_get_default_method(void);
+ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+ DSA *DSA_new_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_OpenSSL(void);
+
+ int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+             int (*dup_func)(), void (*free_func)());
+ int DSA_set_ex_data(DSA *d, int idx, char *arg);
+ char *DSA_get_ex_data(DSA *d, int idx);
+
+ DSA_SIG *DSA_SIG_new(void);
+ void   DSA_SIG_free(DSA_SIG *a);
+ int    i2d_DSA_SIG(DSA_SIG *a, unsigned char **pp);
+ DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
+
+ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ int    DSA_do_verify(const unsigned char *dgst, int dgst_len,
+             DSA_SIG *sig, DSA *dsa);
+
+ DSA *  d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
+ DSA *  d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
+ DSA *  d2i_DSAparams(DSA **a, unsigned char **pp, long length);
+ int    i2d_DSAPublicKey(DSA *a, unsigned char **pp);
+ int    i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
+ int    i2d_DSAparams(DSA *a,unsigned char **pp);
+
+ int    DSAparams_print(BIO *bp, DSA *x);
+ int    DSAparams_print_fp(FILE *fp, DSA *x);
+ int    DSA_print(BIO *bp, DSA *x, int off);
+ int    DSA_print_fp(FILE *bp, DSA *x, int off);
+
+=head1 DESCRIPTION
+
+These functions implement the Digital Signature Algorithm (DSA).  The
+generation of shared DSA parameters is described in
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>;
+L<DSA_generate_key(3)|DSA_generate_key(3)> describes how to
+generate a signature key. Signature generation and verification are
+described in L<DSA_sign(3)|DSA_sign(3)>.
+
+The B<DSA> structure consists of several BIGNUM components.
+
+ struct
+        {
+        BIGNUM *p;              // prime number (public)
+        BIGNUM *q;              // 160-bit subprime, q | p-1 (public)
+        BIGNUM *g;              // generator of subgroup (public)
+        BIGNUM *priv_key;       // private key x
+        BIGNUM *pub_key;        // public key y = g^x
+        // ...
+        }
+ DSA;
+
+In public keys, B<priv_key> is NULL.
+
+=head1 CONFORMING TO
+
+US Federal Information Processing Standard FIPS 186 (Digital Signature
+Standard, DSS), ANSI X9.30
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<rsa(3)|rsa(3)>, L<sha(3)|sha(3)>, L<DSA_new(3)|DSA_new(3)>,
+L<DSA_size(3)|DSA_size(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
+L<DSA_dup_DH(3)|DSA_dup_DH(3)>,
+L<DSA_generate_key(3)|DSA_generate_key(3)>,
+L<DSA_sign(3)|DSA_sign(3)>, L<DSA_set_method(3)|DSA_set_method(3)>,
+L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
+L<RSA_print(3)|RSA_print(3)>
+
+=cut
diff --git a/src/lib/libcrypto/doc/evp.pod b/src/lib/libcrypto/doc/evp.pod
new file mode 100644
index 0000000000..f089dd49a2
--- /dev/null
+++ b/src/lib/libcrypto/doc/evp.pod
@@ -0,0 +1,37 @@
+=pod
+
+=head1 NAME
+
+evp - high-level cryptographic functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+=head1 DESCRIPTION
+
+The EVP library provided a high-level interface to cryptographic
+functions.
+
+B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption
+and decryption to implement digital "envelopes".
+
+The B<EVP_Sign>I<...> and B<EVP_Verify>I<...> functions implement
+digital signatures.
+
+Symmetric encryption is available with the B<EVP_Encrypt>I<...>
+functions.  The B<EVP_Digest>I<...> functions provide message digests.
+
+Algorithms are loaded with OpenSSL_add_all_algorithms(3).
+
+=head1 SEE ALSO
+
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
+L<EVP_SealInit(3)|EVP_SealInit(3)>,
+L<EVP_SignInit(3)|EVP_SignInit(3)>,
+L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
+L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>
+
+=cut
diff --git a/src/lib/libcrypto/doc/lh_stats.pod b/src/lib/libcrypto/doc/lh_stats.pod
new file mode 100644
index 0000000000..3eeaa72e52
--- /dev/null
+++ b/src/lib/libcrypto/doc/lh_stats.pod
@@ -0,0 +1,60 @@
+=pod
+
+=head1 NAME
+
+lh_stats, lh_node_stats, lh_node_usage_stats, lh_stats_bio,
+lh_node_stats_bio, lh_node_usage_stats_bio - LHASH statistics
+
+=head1 SYNOPSIS
+
+ #include <openssl/lhash.h>
+
+ void lh_stats(LHASH *table, FILE *out);
+ void lh_node_stats(LHASH *table, FILE *out);
+ void lh_node_usage_stats(LHASH *table, FILE *out);
+
+ void lh_stats_bio(LHASH *table, BIO *out);
+ void lh_node_stats_bio(LHASH *table, BIO *out);
+ void lh_node_usage_stats_bio(LHASH *table, BIO *out);
+
+=head1 DESCRIPTION
+
+The B<LHASH> structure records statistics about most aspects of
+accessing the hash table.  This is mostly a legacy of Eric Young
+writing this library for the reasons of implementing what looked like
+a nice algorithm rather than for a particular software product.
+
+lh_stats() prints out statistics on the size of the hash table, how
+many entries are in it, and the number and result of calls to the
+routines in this library.
+
+lh_node_stats() prints the number of entries for each 'bucket' in the
+hash table.
+
+lh_node_usage_stats() prints out a short summary of the state of the
+hash table.  It prints the 'load' and the 'actual load'.  The load is
+the average number of data items per 'bucket' in the hash table.  The
+'actual load' is the average number of items per 'bucket', but only
+for buckets which contain entries.  So the 'actual load' is the
+average number of searches that will need to find an item in the hash
+table, while the 'load' is the average number that will be done to
+record a miss.
+
+lh_stats_bio(), lh_node_stats_bio() and lh_node_usage_stats_bio()
+are the same as the above, except that the output goes to a B<BIO>.
+
+=head1 RETURN VALUES
+
+These functions do not return values.
+
+=head1 SEE ALSO
+
+L<bio(3)|bio(3)>, L<lhash(3)|lhash(3)>
+
+=head1 HISTORY
+
+These functions are available in all versions of SSLeay and OpenSSL.
+
+This manpage is derived from the SSLeay documentation.
+
+=cut
diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod
new file mode 100644
index 0000000000..0486c044a6
--- /dev/null
+++ b/src/lib/libcrypto/doc/rsa.pod
@@ -0,0 +1,115 @@
+=pod
+
+=head1 NAME
+
+rsa - RSA public key cryptosystem
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * RSA_new(void);
+ void RSA_free(RSA *rsa);
+
+ int RSA_public_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+ int RSA_private_decrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+ int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+ int RSA_size(RSA *rsa);
+
+ RSA *RSA_generate_key(int num, unsigned long e,
+    void (*callback)(int,int,void *), void *cb_arg);
+
+ int RSA_check_key(RSA *rsa);
+
+ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+ void RSA_blinding_off(RSA *rsa);
+
+ void RSA_set_default_method(RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_default_method(void);
+ RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_method(RSA *rsa);
+ RSA_METHOD *RSA_PKCS1_SSLeay(void);
+ RSA_METHOD *RSA_PKCS1_RSAref(void);
+ RSA_METHOD *RSA_null_method(void);
+ int RSA_flags(RSA *rsa);
+ RSA *RSA_new_method(RSA_METHOD *method);
+
+ int RSA_print(BIO *bp, RSA *x, int offset);
+ int RSA_print_fp(FILE *fp, RSA *x, int offset);
+
+ int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+    int (*dup_func)(), void (*free_func)());
+ int RSA_set_ex_data(RSA *r,int idx,char *arg);
+ char *RSA_get_ex_data(RSA *r, int idx);
+
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa,int padding);
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa,int padding);
+
+ int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
+    RSA *rsa);
+ int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+    RSA *rsa);
+
+=head1 DESCRIPTION
+
+These functions implement RSA public key encryption and signatures
+as defined in PKCS #1 v2.0 [RFC 2437].
+
+The B<RSA> structure consists of several BIGNUM components. It can
+contain public as well as private RSA keys:
+
+ struct
+        {
+        BIGNUM *n;              // public modulus
+        BIGNUM *e;              // public exponent
+        BIGNUM *d;              // private exponent
+        BIGNUM *p;              // secret prime factor
+        BIGNUM *q;              // secret prime factor
+        BIGNUM *dmp1;           // d mod (p-1)
+        BIGNUM *dmq1;           // d mod (q-1)
+        BIGNUM *iqmp;           // q^-1 mod p
+        // ...
+        };
+ RSA
+
+In public keys, the private exponent and the related secret values are
+B<NULL>.
+
+B<dmp1>, B<dmq1> and B<iqmp> may be B<NULL> in private keys, but the
+RSA operations are much faster when these values are available.
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 PATENTS
+
+RSA is covered by a US patent which expires in September 2000.
+
+=head1 SEE ALSO
+
+L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
+L<rand(3)|rand(3)>, L<RSA_new(3)|RSA_new(3)>,
+L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
+L<RSA_generate_key(3)|RSA_generate_key(3)>,
+L<RSA_check_key(3)|RSA_check_key(3)>,
+L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
+L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<RSA_sign_ASN_OCTET_STRING(3)|RSA_sign_ASN_OCTET_STRING(3)>,
+L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> 
+
+=cut
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
new file mode 100644
index 0000000000..7523b21654
--- /dev/null
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -0,0 +1,96 @@
+/* crypto/dsa/dsa_asn1.c */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dsa.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+
+DSA_SIG *DSA_SIG_new(void)
+{
+        DSA_SIG *ret;
+
+        ret = Malloc(sizeof(DSA_SIG));
+        if (ret == NULL)
+                {
+                DSAerr(DSA_F_DSA_SIG_NEW,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+        ret->r = NULL;
+        ret->s = NULL;
+        return(ret);
+}
+
+void DSA_SIG_free(DSA_SIG *r)
+{
+        if (r == NULL) return;
+        if (r->r) BN_clear_free(r->r);
+        if (r->s) BN_clear_free(r->s);
+        Free(r);
+}
+
+int i2d_DSA_SIG(DSA_SIG *v, unsigned char **pp)
+{
+        int t=0,len;
+        ASN1_INTEGER rbs,sbs;
+        unsigned char *p;
+
+        rbs.data=Malloc(BN_num_bits(v->r)/8+1);
+        if (rbs.data == NULL)
+                {
+                DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        rbs.type=V_ASN1_INTEGER;
+        rbs.length=BN_bn2bin(v->r,rbs.data);
+        sbs.data=Malloc(BN_num_bits(v->s)/8+1);
+        if (sbs.data == NULL)
+                {
+                Free(rbs.data);
+                DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        sbs.type=V_ASN1_INTEGER;
+        sbs.length=BN_bn2bin(v->s,sbs.data);
+
+        len=i2d_ASN1_INTEGER(&rbs,NULL);
+        len+=i2d_ASN1_INTEGER(&sbs,NULL);
+
+        if (pp)
+                {
+                p=*pp;
+                ASN1_put_object(&p,1,len,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+                i2d_ASN1_INTEGER(&rbs,&p);
+                i2d_ASN1_INTEGER(&sbs,&p);
+                }
+        t=ASN1_object_size(1,len,V_ASN1_SEQUENCE);
+        Free(rbs.data);
+        Free(sbs.data);
+        return(t);
+}
+
+DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length)
+{
+        int i=ERR_R_NESTED_ASN1_ERROR;
+        ASN1_INTEGER *bs=NULL;
+        M_ASN1_D2I_vars(a,DSA_SIG *,DSA_SIG_new);
+
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+        if ((ret->r=BN_bin2bn(bs->data,bs->length,ret->r)) == NULL)
+                goto err_bn;
+        M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+        if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL)
+                goto err_bn;
+        ASN1_BIT_STRING_free(bs);
+        M_ASN1_D2I_Finish_2(a);
+
+err_bn:
+        i=ERR_R_BN_LIB;
+err:
+        DSAerr(DSA_F_D2I_DSA_SIG,i);
+        if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_SIG_free(ret);
+        if (bs != NULL) ASN1_BIT_STRING_free(bs);
+        return(NULL);
+}
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
new file mode 100644
index 0000000000..b51cf6ad8d
--- /dev/null
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -0,0 +1,321 @@
+/* crypto/dsa/dsa_ossl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/asn1.h>
+
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+                  DSA *dsa);
+static int dsa_init(DSA *dsa);
+static int dsa_finish(DSA *dsa);
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *in_mont);
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx);
+
+static DSA_METHOD openssl_dsa_meth = {
+"OpenSSL DSA method",
+dsa_do_sign,
+dsa_sign_setup,
+dsa_do_verify,
+dsa_mod_exp,
+dsa_bn_mod_exp,
+dsa_init,
+dsa_finish,
+0,
+NULL
+};
+
+DSA_METHOD *DSA_OpenSSL(void)
+{
+        return &openssl_dsa_meth;
+}
+
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+        {
+        BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
+        BIGNUM m;
+        BIGNUM xr;
+        BN_CTX *ctx=NULL;
+        int i,reason=ERR_R_BN_LIB;
+        DSA_SIG *ret=NULL;
+
+        BN_init(&m);
+        BN_init(&xr);
+        s=BN_new();
+        if (s == NULL) goto err;
+
+        i=BN_num_bytes(dsa->q); /* should be 20 */
+        if ((dlen > i) || (dlen > 50))
+                {
+                reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+                goto err;
+                }
+
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+
+        if ((dsa->kinv == NULL) || (dsa->r == NULL))
+                {
+                if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
+                }
+        else
+                {
+                kinv=dsa->kinv;
+                dsa->kinv=NULL;
+                r=dsa->r;
+                dsa->r=NULL;
+                }
+
+        if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;
+
+        /* Compute  s = inv(k) (m + xr) mod q */
+        if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
+        if (!BN_add(s, &xr, &m)) goto err;              /* s = m + xr */
+        if (BN_cmp(s,dsa->q) > 0)
+                BN_sub(s,s,dsa->q);
+        if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
+
+        ret=DSA_SIG_new();
+        if (ret == NULL) goto err;
+        ret->r = r;
+        ret->s = s;
+        
+err:
+        if (!ret)
+                {
+                DSAerr(DSA_F_DSA_DO_SIGN,reason);
+                BN_free(r);
+                BN_free(s);
+                }
+        if (ctx != NULL) BN_CTX_free(ctx);
+        BN_clear_free(&m);
+        BN_clear_free(&xr);
+        if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
+            BN_clear_free(kinv);
+        return(ret);
+        }
+
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
+        {
+        BN_CTX *ctx;
+        BIGNUM k,*kinv=NULL,*r=NULL;
+        int ret=0;
+
+        if (ctx_in == NULL)
+                {
+                if ((ctx=BN_CTX_new()) == NULL) goto err;
+                }
+        else
+                ctx=ctx_in;
+
+        BN_init(&k);
+        if ((r=BN_new()) == NULL) goto err;
+        kinv=NULL;
+
+        /* Get random k */
+        for (;;)
+                {
+                if (!BN_rand(&k, BN_num_bits(dsa->q), 1, 0)) goto err;
+                if (BN_cmp(&k,dsa->q) >= 0)
+                        BN_sub(&k,&k,dsa->q);
+                if (!BN_is_zero(&k)) break;
+                }
+
+        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+                {
+                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                dsa->p,ctx)) goto err;
+                }
+
+        /* Compute r = (g^k mod p) mod q */
+        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+                (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
+        if (!BN_mod(r,r,dsa->q,ctx)) goto err;
+
+        /* Compute  part of 's = inv(k) (m + xr) mod q' */
+        if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
+
+        if (*kinvp != NULL) BN_clear_free(*kinvp);
+        *kinvp=kinv;
+        kinv=NULL;
+        if (*rp != NULL) BN_clear_free(*rp);
+        *rp=r;
+        ret=1;
+err:
+        if (!ret)
+                {
+                DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
+                if (kinv != NULL) BN_clear_free(kinv);
+                if (r != NULL) BN_clear_free(r);
+                }
+        if (ctx_in == NULL) BN_CTX_free(ctx);
+        if (kinv != NULL) BN_clear_free(kinv);
+        BN_clear_free(&k);
+        return(ret);
+        }
+
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+                  DSA *dsa)
+        {
+        BN_CTX *ctx;
+        BIGNUM u1,u2,t1;
+        BN_MONT_CTX *mont=NULL;
+        int ret = -1;
+
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+        BN_init(&u1);
+        BN_init(&u2);
+        BN_init(&t1);
+
+        /* Calculate W = inv(S) mod Q
+         * save W in u2 */
+        if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
+
+        /* save M in u1 */
+        if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
+
+        /* u1 = M * w mod q */
+        if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
+
+        /* u2 = r * w mod q */
+        if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
+
+        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+                {
+                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                dsa->p,ctx)) goto err;
+                }
+        mont=(BN_MONT_CTX *)dsa->method_mont_p;
+
+#if 0
+        {
+        BIGNUM t2;
+
+        BN_init(&t2);
+        /* v = ( g^u1 * y^u2 mod p ) mod q */
+        /* let t1 = g ^ u1 mod p */
+        if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
+        /* let t2 = y ^ u2 mod p */
+        if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
+        /* let u1 = t1 * t2 mod p */
+        if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
+        BN_free(&t2);
+        }
+        /* let u1 = u1 mod q */
+        if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
+#else
+        {
+        if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
+                                                dsa->p,ctx,mont)) goto err;
+        /* BN_copy(&u1,&t1); */
+        /* let u1 = u1 mod q */
+        if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
+        }
+#endif
+        /* V is now in u1.  If the signature is correct, it will be
+         * equal to R. */
+        ret=(BN_ucmp(&u1, sig->r) == 0);
+
+        err:
+        if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
+        if (ctx != NULL) BN_CTX_free(ctx);
+        BN_free(&u1);
+        BN_free(&u2);
+        BN_free(&t1);
+        return(ret);
+        }
+
+static int dsa_init(DSA *dsa)
+{
+        dsa->flags|=DSA_FLAG_CACHE_MONT_P;
+        return(1);
+}
+
+static int dsa_finish(DSA *dsa)
+{
+        if(dsa->method_mont_p)
+                BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
+        return(1);
+}
+
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+}
+        
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx)
+{
+        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+}
diff --git a/src/lib/libcrypto/dso/dso.h b/src/lib/libcrypto/dso/dso.h
new file mode 100644
index 0000000000..bed7c464a6
--- /dev/null
+++ b/src/lib/libcrypto/dso/dso.h
@@ -0,0 +1,250 @@
+/* dso.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_DSO_H
+#define HEADER_DSO_H
+
+#include <openssl/crypto.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* These values are used as commands to DSO_ctrl() */
+#define DSO_CTRL_GET_FLAGS      1
+#define DSO_CTRL_SET_FLAGS      2
+#define DSO_CTRL_OR_FLAGS       3
+
+/* These flags control the translation of file-names from canonical to
+ * native. Eg. in the CryptoSwift support, the "dl" and "dlfcn"
+ * methods will translate "swift" -> "libswift.so" whereas the "win32"
+ * method will translate "swift" -> "swift.dll". NB: Until I can figure
+ * out how to be more "conventional" with this, the methods will only
+ * honour this flag if it looks like it was passed a file without any
+ * path and if the filename is small enough.
+ */
+#define DSO_FLAG_NAME_TRANSLATION 0x01
+
+/* The following flag controls the translation of symbol names to upper
+ * case.  This is currently only being implemented for OpenVMS.
+ */
+#define DSO_FLAG_UPCASE_SYMBOL    0x02
+
+
+typedef void (*DSO_FUNC_TYPE)(void);
+
+typedef struct dso_st DSO;
+
+typedef struct dso_meth_st
+        {
+        const char *name;
+        /* Loads a shared library */
+        int (*dso_load)(DSO *dso, const char *filename);
+        /* Unloads a shared library */
+        int (*dso_unload)(DSO *dso);
+        /* Binds a variable */
+        void *(*dso_bind_var)(DSO *dso, const char *symname);
+        /* Binds a function - assumes a return type of DSO_FUNC_TYPE.
+         * This should be cast to the real function prototype by the
+         * caller. Platforms that don't have compatible representations
+         * for different prototypes (this is possible within ANSI C)
+         * are highly unlikely to have shared libraries at all, let
+         * alone a DSO_METHOD implemented for them. */
+        DSO_FUNC_TYPE (*dso_bind_func)(DSO *dso, const char *symname);
+
+/* I don't think this would actually be used in any circumstances. */
+#if 0
+        /* Unbinds a variable */
+        int (*dso_unbind_var)(DSO *dso, char *symname, void *symptr);
+        /* Unbinds a function */
+        int (*dso_unbind_func)(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+#endif
+        /* The generic (yuck) "ctrl()" function. NB: Negative return
+         * values (rather than zero) indicate errors. */
+        long (*dso_ctrl)(DSO *dso, int cmd, long larg, void *parg);
+
+        /* [De]Initialisation handlers. */
+        int (*init)(DSO *dso);
+        int (*finish)(DSO *dso);
+        } DSO_METHOD;
+
+/**********************************************************************/
+/* The low-level handle type used to refer to a loaded shared library */
+
+struct dso_st
+        {
+        DSO_METHOD *meth;
+        /* Standard dlopen uses a (void *). Win32 uses a HANDLE. VMS
+         * doesn't use anything but will need to cache the filename
+         * for use in the dso_bind handler. All in all, let each
+         * method control its own destiny. "Handles" and such go in
+         * a STACK. */
+        STACK *meth_data;
+        int references;
+        int flags;
+        /* For use by applications etc ... use this for your bits'n'pieces,
+         * don't touch meth_data! */
+        CRYPTO_EX_DATA ex_data;
+        };
+
+
+DSO *   DSO_new(void);
+DSO *   DSO_new_method(DSO_METHOD *method);
+int     DSO_free(DSO *dso);
+int     DSO_flags(DSO *dso);
+int     DSO_up(DSO *dso);
+long    DSO_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+void DSO_set_default_method(DSO_METHOD *meth);
+DSO_METHOD *DSO_get_default_method(void);
+DSO_METHOD *DSO_get_method(DSO *dso);
+DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth);
+
+/* The all-singing all-dancing load function, you normally pass NULL
+ * for the first and third parameters. Use DSO_up and DSO_free for
+ * subsequent reference count handling. Any flags passed in will be set
+ * in the constructed DSO after its init() function but before the
+ * load operation. This will be done with;
+ *    DSO_ctrl(dso, DSO_CTRL_SET_FLAGS, flags, NULL); */
+DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags);
+
+/* This function binds to a variable inside a shared library. */
+void *DSO_bind_var(DSO *dso, const char *symname);
+
+/* This function binds to a function inside a shared library. */
+DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname);
+
+/* This method is the default, but will beg, borrow, or steal whatever
+ * method should be the default on any particular platform (including
+ * DSO_METH_null() if necessary). */
+DSO_METHOD *DSO_METHOD_openssl(void);
+
+/* This method is defined for all platforms - if a platform has no
+ * DSO support then this will be the only method! */
+DSO_METHOD *DSO_METHOD_null(void);
+
+/* If DSO_DLFCN is defined, the standard dlfcn.h-style functions
+ * (dlopen, dlclose, dlsym, etc) will be used and incorporated into
+ * this method. If not, this method will return NULL. */
+DSO_METHOD *DSO_METHOD_dlfcn(void);
+
+/* If DSO_DL is defined, the standard dl.h-style functions (shl_load, 
+ * shl_unload, shl_findsym, etc) will be used and incorporated into
+ * this method. If not, this method will return NULL. */
+DSO_METHOD *DSO_METHOD_dl(void);
+
+/* If WIN32 is defined, use DLLs. If not, return NULL. */
+DSO_METHOD *DSO_METHOD_win32(void);
+
+/* If VMS is defined, use shared images. If not, return NULL. */
+DSO_METHOD *DSO_METHOD_vms(void);
+
+void ERR_load_DSO_strings(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the DSO functions. */
+
+/* Function codes. */
+#define DSO_F_DLFCN_BIND_FUNC                            100
+#define DSO_F_DLFCN_BIND_VAR                             101
+#define DSO_F_DLFCN_CTRL                                 102
+#define DSO_F_DLFCN_LOAD                                 103
+#define DSO_F_DLFCN_UNLOAD                               104
+#define DSO_F_DL_BIND_FUNC                               105
+#define DSO_F_DL_BIND_VAR                                106
+#define DSO_F_DL_CTRL                                    107
+#define DSO_F_DL_LOAD                                    108
+#define DSO_F_DL_UNLOAD                                  109
+#define DSO_F_DSO_BIND_FUNC                              110
+#define DSO_F_DSO_BIND_VAR                               111
+#define DSO_F_DSO_CTRL                                   112
+#define DSO_F_DSO_FREE                                   113
+#define DSO_F_DSO_LOAD                                   114
+#define DSO_F_DSO_NEW_METHOD                             115
+#define DSO_F_DSO_UP                                     116
+#define DSO_F_VMS_BIND_VAR                               122
+#define DSO_F_VMS_CTRL                                   123
+#define DSO_F_VMS_LOAD                                   124
+#define DSO_F_VMS_UNLOAD                                 125
+#define DSO_F_WIN32_BIND_FUNC                            117
+#define DSO_F_WIN32_BIND_VAR                             118
+#define DSO_F_WIN32_CTRL                                 119
+#define DSO_F_WIN32_LOAD                                 120
+#define DSO_F_WIN32_UNLOAD                               121
+
+/* Reason codes. */
+#define DSO_R_CTRL_FAILED                                100
+#define DSO_R_FILENAME_TOO_BIG                           109
+#define DSO_R_FINISH_FAILED                              101
+#define DSO_R_LOAD_FAILED                                102
+#define DSO_R_NULL_HANDLE                                103
+#define DSO_R_STACK_ERROR                                104
+#define DSO_R_SYM_FAILURE                                105
+#define DSO_R_UNKNOWN_COMMAND                            106
+#define DSO_R_UNLOAD_FAILED                              107
+#define DSO_R_UNSUPPORTED                                108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c
new file mode 100644
index 0000000000..e709c721cc
--- /dev/null
+++ b/src/lib/libcrypto/dso/dso_dlfcn.c
@@ -0,0 +1,276 @@
+/* dso_dlfcn.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+#ifndef DSO_DLFCN
+DSO_METHOD *DSO_METHOD_dlfcn(void)
+        {
+        return NULL;
+        }
+#else
+
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+/* Part of the hack in "dlfcn_load" ... */
+#define DSO_MAX_TRANSLATED_SIZE 256
+
+static int dlfcn_load(DSO *dso, const char *filename);
+static int dlfcn_unload(DSO *dso);
+static void *dlfcn_bind_var(DSO *dso, const char *symname);
+static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname);
+#if 0
+static int dlfcn_unbind(DSO *dso, char *symname, void *symptr);
+static int dlfcn_init(DSO *dso);
+static int dlfcn_finish(DSO *dso);
+#endif
+static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+static DSO_METHOD dso_meth_dlfcn = {
+        "OpenSSL 'dlfcn' shared library method",
+        dlfcn_load,
+        dlfcn_unload,
+        dlfcn_bind_var,
+        dlfcn_bind_func,
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        dlfcn_ctrl,
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+DSO_METHOD *DSO_METHOD_dlfcn(void)
+        {
+        return(&dso_meth_dlfcn);
+        }
+
+/* Prior to using the dlopen() function, we should decide on the flag
+ * we send. There's a few different ways of doing this and it's a
+ * messy venn-diagram to match up which platforms support what. So
+ * as we don't have autoconf yet, I'm implementing a hack that could
+ * be hacked further relatively easily to deal with cases as we find
+ * them. Initially this is to cope with OpenBSD. */
+#ifdef __OpenBSD__
+#       ifdef DL_LAZY
+#               define DLOPEN_FLAG DL_LAZY
+#       else
+#               ifdef RTLD_NOW
+#                       define DLOPEN_FLAG RTLD_NOW
+#               else
+#                       define DLOPEN_FLAG 0
+#               endif
+#       endif
+#else
+#       define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#endif
+
+/* For this DSO_METHOD, our meth_data STACK will contain;
+ * (i) the handle (void*) returned from dlopen().
+ */
+
+static int dlfcn_load(DSO *dso, const char *filename)
+        {
+        void *ptr;
+        char translated[DSO_MAX_TRANSLATED_SIZE];
+        int len;
+
+        /* NB: This is a hideous hack, but I'm not yet sure what
+         * to replace it with. This attempts to convert any filename,
+         * that looks like it has no path information, into a
+         * translated form, e. "blah" -> "libblah.so" */
+        len = strlen(filename);
+        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
+                        (len + 6 < DSO_MAX_TRANSLATED_SIZE) &&
+                        (strstr(filename, "/") == NULL))
+                {
+                sprintf(translated, "lib%s.so", filename);
+                ptr = dlopen(translated, DLOPEN_FLAG);
+                }
+        else
+                {
+                ptr = dlopen(filename, DLOPEN_FLAG);
+                }
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_LOAD,DSO_R_LOAD_FAILED);
+                return(0);
+                }
+        if(!sk_push(dso->meth_data, (char *)ptr))
+                {
+                DSOerr(DSO_F_DLFCN_LOAD,DSO_R_STACK_ERROR);
+                dlclose(ptr);
+                return(0);
+                }
+        return(1);
+        }
+
+static int dlfcn_unload(DSO *dso)
+        {
+        void *ptr;
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_UNLOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                return(1);
+        ptr = (void *)sk_pop(dso->meth_data);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_UNLOAD,DSO_R_NULL_HANDLE);
+                /* Should push the value back onto the stack in
+                 * case of a retry. */
+                sk_push(dso->meth_data, (char *)ptr);
+                return(0);
+                }
+        /* For now I'm not aware of any errors associated with dlclose() */
+        dlclose(ptr);
+        return(1);
+        }
+
+static void *dlfcn_bind_var(DSO *dso, const char *symname)
+        {
+        void *ptr, *sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (void *)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        sym = dlsym(ptr, symname);
+        if(sym == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return(sym);
+        }
+
+static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
+        {
+        void *ptr;
+        DSO_FUNC_TYPE sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (void *)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        sym = (DSO_FUNC_TYPE)dlsym(ptr, symname);
+        if(sym == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return(sym);
+        }
+
+static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        switch(cmd)
+                {
+        case DSO_CTRL_GET_FLAGS:
+                return dso->flags;
+        case DSO_CTRL_SET_FLAGS:
+                dso->flags = (int)larg;
+                return(0);
+        case DSO_CTRL_OR_FLAGS:
+                dso->flags |= (int)larg;
+                return(0);
+        default:
+                break;
+                }
+        DSOerr(DSO_F_DLFCN_CTRL,DSO_R_UNKNOWN_COMMAND);
+        return(-1);
+        }
+
+#endif /* DSO_DLFCN */
diff --git a/src/lib/libcrypto/dso/dso_err.c b/src/lib/libcrypto/dso/dso_err.c
new file mode 100644
index 0000000000..a3d7321c9b
--- /dev/null
+++ b/src/lib/libcrypto/dso/dso_err.c
@@ -0,0 +1,128 @@
+/* crypto/dso/dso_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/dso.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA DSO_str_functs[]=
+        {
+{ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0),   "DLFCN_BIND_FUNC"},
+{ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0),    "DLFCN_BIND_VAR"},
+{ERR_PACK(0,DSO_F_DLFCN_CTRL,0),        "DLFCN_CTRL"},
+{ERR_PACK(0,DSO_F_DLFCN_LOAD,0),        "DLFCN_LOAD"},
+{ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0),      "DLFCN_UNLOAD"},
+{ERR_PACK(0,DSO_F_DL_BIND_FUNC,0),      "DL_BIND_FUNC"},
+{ERR_PACK(0,DSO_F_DL_BIND_VAR,0),       "DL_BIND_VAR"},
+{ERR_PACK(0,DSO_F_DL_CTRL,0),   "DL_CTRL"},
+{ERR_PACK(0,DSO_F_DL_LOAD,0),   "DL_LOAD"},
+{ERR_PACK(0,DSO_F_DL_UNLOAD,0), "DL_UNLOAD"},
+{ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0),     "DSO_bind_func"},
+{ERR_PACK(0,DSO_F_DSO_BIND_VAR,0),      "DSO_bind_var"},
+{ERR_PACK(0,DSO_F_DSO_CTRL,0),  "DSO_ctrl"},
+{ERR_PACK(0,DSO_F_DSO_FREE,0),  "DSO_free"},
+{ERR_PACK(0,DSO_F_DSO_LOAD,0),  "DSO_load"},
+{ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0),    "DSO_new_method"},
+{ERR_PACK(0,DSO_F_DSO_UP,0),    "DSO_up"},
+{ERR_PACK(0,DSO_F_VMS_BIND_VAR,0),      "VMS_BIND_VAR"},
+{ERR_PACK(0,DSO_F_VMS_CTRL,0),  "VMS_CTRL"},
+{ERR_PACK(0,DSO_F_VMS_LOAD,0),  "VMS_LOAD"},
+{ERR_PACK(0,DSO_F_VMS_UNLOAD,0),        "VMS_UNLOAD"},
+{ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0),   "WIN32_BIND_FUNC"},
+{ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0),    "WIN32_BIND_VAR"},
+{ERR_PACK(0,DSO_F_WIN32_CTRL,0),        "WIN32_CTRL"},
+{ERR_PACK(0,DSO_F_WIN32_LOAD,0),        "WIN32_LOAD"},
+{ERR_PACK(0,DSO_F_WIN32_UNLOAD,0),      "WIN32_UNLOAD"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA DSO_str_reasons[]=
+        {
+{DSO_R_CTRL_FAILED                       ,"control command failed"},
+{DSO_R_FILENAME_TOO_BIG                  ,"filename too big"},
+{DSO_R_FINISH_FAILED                     ,"cleanup method function failed"},
+{DSO_R_LOAD_FAILED                       ,"could not load the shared library"},
+{DSO_R_NULL_HANDLE                       ,"a null shared library handle was used"},
+{DSO_R_STACK_ERROR                       ,"the meth_data stack is corrupt"},
+{DSO_R_SYM_FAILURE                       ,"could not bind to the requested symbol name"},
+{DSO_R_UNKNOWN_COMMAND                   ,"unknown control command"},
+{DSO_R_UNLOAD_FAILED                     ,"could not unload the shared library"},
+{DSO_R_UNSUPPORTED                       ,"functionality not supported"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_DSO_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_DSO,DSO_str_functs);
+                ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/dso/dso_lib.c b/src/lib/libcrypto/dso/dso_lib.c
new file mode 100644
index 0000000000..acd166697e
--- /dev/null
+++ b/src/lib/libcrypto/dso/dso_lib.c
@@ -0,0 +1,306 @@
+/* dso_lib.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+static DSO_METHOD *default_DSO_meth = NULL;
+
+DSO *DSO_new(void)
+        {
+        return(DSO_new_method(NULL));
+        }
+
+void DSO_set_default_method(DSO_METHOD *meth)
+        {
+        default_DSO_meth = meth;
+        }
+
+DSO_METHOD *DSO_get_default_method(void)
+        {
+        return(default_DSO_meth);
+        }
+
+DSO_METHOD *DSO_get_method(DSO *dso)
+        {
+        return(dso->meth);
+        }
+
+DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth)
+        {
+        DSO_METHOD *mtmp;
+        mtmp = dso->meth;
+        dso->meth = meth;
+        return(mtmp);
+        }
+
+DSO *DSO_new_method(DSO_METHOD *meth)
+        {
+        DSO *ret;
+
+        if(default_DSO_meth == NULL)
+                /* We default to DSO_METH_openssl() which in turn defaults
+                 * to stealing the "best available" method. Will fallback
+                 * to DSO_METH_null() in the worst case. */
+                default_DSO_meth = DSO_METHOD_openssl();
+        ret = (DSO *)OPENSSL_malloc(sizeof(DSO));
+        if(ret == NULL)
+                {
+                DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+        memset(ret, 0, sizeof(DSO));
+        ret->meth_data = sk_new_null();
+        if((ret->meth_data = sk_new_null()) == NULL)
+                {
+                /* sk_new doesn't generate any errors so we do */
+                DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                OPENSSL_free(ret);
+                return(NULL);
+                }
+        if(meth == NULL)
+                ret->meth = default_DSO_meth;
+        else
+                ret->meth = meth;
+        ret->references = 1;
+        if((ret->meth->init != NULL) && !ret->meth->init(ret))
+                {
+                OPENSSL_free(ret);
+                ret=NULL;
+                }
+        return(ret);
+        }
+
+int DSO_free(DSO *dso)
+        {
+        int i;
+ 
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_FREE,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+ 
+        i=CRYPTO_add(&dso->references,-1,CRYPTO_LOCK_DSO);
+#ifdef REF_PRINT
+        REF_PRINT("DSO",dso);
+#endif
+        if(i > 0) return(1);
+#ifdef REF_CHECK
+        if(i < 0)
+                {
+                fprintf(stderr,"DSO_free, bad reference count\n");
+                abort();
+                }
+#endif
+
+        if((dso->meth->dso_unload != NULL) && !dso->meth->dso_unload(dso))
+                {
+                DSOerr(DSO_F_DSO_FREE,DSO_R_UNLOAD_FAILED);
+                return(0);
+                }
+ 
+        if((dso->meth->finish != NULL) && !dso->meth->finish(dso))
+                {
+                DSOerr(DSO_F_DSO_FREE,DSO_R_FINISH_FAILED);
+                return(0);
+                }
+        
+        sk_free(dso->meth_data);
+ 
+        OPENSSL_free(dso);
+        return(1);
+        }
+
+int DSO_flags(DSO *dso)
+        {
+        return((dso == NULL) ? 0 : dso->flags);
+        }
+
+
+int DSO_up(DSO *dso)
+        {
+        if (dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_UP,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+
+        CRYPTO_add(&dso->references,1,CRYPTO_LOCK_DSO);
+        return(1);
+        }
+
+DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags)
+        {
+        DSO *ret;
+        int allocated = 0;
+
+        if(filename == NULL)
+                {
+                DSOerr(DSO_F_DSO_LOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(dso == NULL)
+                {
+                ret = DSO_new_method(meth);
+                if(ret == NULL)
+                        {
+                        DSOerr(DSO_F_DSO_LOAD,ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
+                allocated = 1;
+                }
+        else
+                ret = dso;
+        /* Bleurgh ... have to check for negative return values for
+         * errors. <grimace> */
+        if(DSO_ctrl(ret, DSO_CTRL_SET_FLAGS, flags, NULL) < 0)
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_CTRL_FAILED);
+                if(allocated)
+                        DSO_free(ret);
+                return(NULL);
+                }
+        if(ret->meth->dso_load == NULL)
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_UNSUPPORTED);
+                if(allocated)
+                        DSO_free(ret);
+                return(NULL);
+                }
+        if(!ret->meth->dso_load(ret, filename))
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_LOAD_FAILED);
+                if(allocated)
+                        DSO_free(ret);
+                return(NULL);
+                }
+        /* Load succeeded */
+        return(ret);
+        }
+
+void *DSO_bind_var(DSO *dso, const char *symname)
+        {
+        void *ret = NULL;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DSO_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(dso->meth->dso_bind_var == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_VAR,DSO_R_UNSUPPORTED);
+                return(NULL);
+                }
+        if((ret = dso->meth->dso_bind_var(dso, symname)) == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_VAR,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        /* Success */
+        return(ret);
+        }
+
+DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname)
+        {
+        DSO_FUNC_TYPE ret = NULL;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DSO_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(dso->meth->dso_bind_func == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_FUNC,DSO_R_UNSUPPORTED);
+                return(NULL);
+                }
+        if((ret = dso->meth->dso_bind_func(dso, symname)) == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_FUNC,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        /* Success */
+        return(ret);
+        }
+
+/* I don't really like these *_ctrl functions very much to be perfectly
+ * honest. For one thing, I think I have to return a negative value for
+ * any error because possible DSO_ctrl() commands may return values
+ * such as "size"s that can legitimately be zero (making the standard
+ * "if(DSO_cmd(...))" form that works almost everywhere else fail at
+ * odd times. I'd prefer "output" values to be passed by reference and
+ * the return value as success/failure like usual ... but we conform
+ * when we must... :-) */
+long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        if((dso->meth == NULL) || (dso->meth->dso_ctrl == NULL))
+                {
+                DSOerr(DSO_F_DSO_CTRL,DSO_R_UNSUPPORTED);
+                return(-1);
+                }
+        return(dso->meth->dso_ctrl(dso,cmd,larg,parg));
+        }
diff --git a/src/lib/libcrypto/dso/dso_null.c b/src/lib/libcrypto/dso/dso_null.c
new file mode 100644
index 0000000000..fa13a7cb0f
--- /dev/null
+++ b/src/lib/libcrypto/dso/dso_null.c
@@ -0,0 +1,86 @@
+/* dso_null.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* This "NULL" method is provided as the fallback for systems that have
+ * no appropriate support for "shared-libraries". */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+static DSO_METHOD dso_meth_null = {
+        "NULL shared library method",
+        NULL, /* load */
+        NULL, /* unload */
+        NULL, /* bind_var */
+        NULL, /* bind_func */
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        NULL, /* ctrl */
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+DSO_METHOD *DSO_METHOD_null(void)
+        {
+        return(&dso_meth_null);
+        }
+
diff --git a/src/lib/libcrypto/dso/dso_openssl.c b/src/lib/libcrypto/dso/dso_openssl.c
new file mode 100644
index 0000000000..a4395ebffe
--- /dev/null
+++ b/src/lib/libcrypto/dso/dso_openssl.c
@@ -0,0 +1,81 @@
+/* dso_openssl.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+/* We just pinch the method from an appropriate "default" method. */
+
+DSO_METHOD *DSO_METHOD_openssl(void)
+        {
+#ifdef DEF_DSO_METHOD
+        return(DEF_DSO_METHOD());
+#elif defined(DSO_DLFCN)
+        return(DSO_METHOD_dlfcn());
+#elif defined(DSO_DL)
+        return(DSO_METHOD_dl());
+#elif defined(DSO_WIN32)
+        return(DSO_METHOD_win32());
+#elif defined(DSO_VMS)
+        return(DSO_METHOD_vms());
+#else
+        return(DSO_METHOD_null());
+#endif
+        }
+
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
new file mode 100644
index 0000000000..a52d4edf14
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec.h
@@ -0,0 +1,245 @@
+/* crypto/ec/ec.h */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_EC_H
+#define HEADER_EC_H
+
+#ifdef OPENSSL_NO_EC
+#error EC is disabled.
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+typedef enum {
+        /* values as defined in X9.62 (ECDSA) and elsewhere */
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+
+
+typedef struct ec_method_st EC_METHOD;
+
+typedef struct ec_group_st
+        /*
+         EC_METHOD *meth;
+         -- field definition
+         -- curve coefficients
+         -- optional generator with associated information (order, cofactor)
+         -- optional extra data (TODO: precomputed table for fast computation of multiples of generator)
+        */
+        EC_GROUP;
+
+typedef struct ec_point_st EC_POINT;
+
+
+/* EC_METHODs for curves over GF(p).
+ * EC_GFp_simple_method provides the basis for the optimized methods.
+ */
+const EC_METHOD *EC_GFp_simple_method(void);
+const EC_METHOD *EC_GFp_mont_method(void);
+#if 0
+const EC_METHOD *EC_GFp_recp_method(void); /* TODO */
+const EC_METHOD *EC_GFp_nist_method(void); /* TODO */
+#endif
+
+
+EC_GROUP *EC_GROUP_new(const EC_METHOD *);
+void EC_GROUP_free(EC_GROUP *);
+void EC_GROUP_clear_free(EC_GROUP *);
+int EC_GROUP_copy(EC_GROUP *, const EC_GROUP *);
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
+        
+
+/* We don't have types for field specifications and field elements in general.
+ * Otherwise we could declare
+ *     int EC_GROUP_set_curve(EC_GROUP *, .....);
+ */
+int EC_GROUP_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int EC_GROUP_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+/* EC_GROUP_new_GFp() calls EC_GROUP_new() and EC_GROUP_set_GFp()
+ * after choosing an appropriate EC_METHOD */
+EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+
+int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
+EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
+int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+EC_POINT *EC_POINT_new(const EC_GROUP *);
+void EC_POINT_free(EC_POINT *);
+void EC_POINT_clear_free(EC_POINT *);
+int EC_POINT_copy(EC_POINT *, const EC_POINT *);
+ 
+const EC_METHOD *EC_POINT_method_of(const EC_POINT *);
+
+int EC_POINT_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BN_CTX *);
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, int y_bit, BN_CTX *);
+
+size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *);
+int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
+        const unsigned char *buf, size_t len, BN_CTX *);
+
+int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int EC_POINT_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+
+int EC_POINT_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int EC_POINT_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int EC_POINT_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+
+int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+
+
+int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *);
+int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *);
+int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *);
+
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_EC_strings(void);
+
+/* Error codes for the EC functions. */
+
+/* Function codes. */
+#define EC_F_COMPUTE_WNAF                                143
+#define EC_F_EC_GFP_MONT_FIELD_DECODE                    133
+#define EC_F_EC_GFP_MONT_FIELD_ENCODE                    134
+#define EC_F_EC_GFP_MONT_FIELD_MUL                       131
+#define EC_F_EC_GFP_MONT_FIELD_SQR                       132
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP           100
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR           101
+#define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE                   102
+#define EC_F_EC_GFP_SIMPLE_OCT2POINT                     103
+#define EC_F_EC_GFP_SIMPLE_POINT2OCT                     104
+#define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE            137
+#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP 105
+#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP 128
+#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP 129
+#define EC_F_EC_GROUP_COPY                               106
+#define EC_F_EC_GROUP_GET0_GENERATOR                     139
+#define EC_F_EC_GROUP_GET_COFACTOR                       140
+#define EC_F_EC_GROUP_GET_CURVE_GFP                      130
+#define EC_F_EC_GROUP_GET_EXTRA_DATA                     107
+#define EC_F_EC_GROUP_GET_ORDER                          141
+#define EC_F_EC_GROUP_NEW                                108
+#define EC_F_EC_GROUP_PRECOMPUTE_MULT                    142
+#define EC_F_EC_GROUP_SET_CURVE_GFP                      109
+#define EC_F_EC_GROUP_SET_EXTRA_DATA                     110
+#define EC_F_EC_GROUP_SET_GENERATOR                      111
+#define EC_F_EC_POINTS_MAKE_AFFINE                       136
+#define EC_F_EC_POINTS_MUL                               138
+#define EC_F_EC_POINT_ADD                                112
+#define EC_F_EC_POINT_CMP                                113
+#define EC_F_EC_POINT_COPY                               114
+#define EC_F_EC_POINT_DBL                                115
+#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP         116
+#define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP    117
+#define EC_F_EC_POINT_IS_AT_INFINITY                     118
+#define EC_F_EC_POINT_IS_ON_CURVE                        119
+#define EC_F_EC_POINT_MAKE_AFFINE                        120
+#define EC_F_EC_POINT_NEW                                121
+#define EC_F_EC_POINT_OCT2POINT                          122
+#define EC_F_EC_POINT_POINT2OCT                          123
+#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP         124
+#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP     125
+#define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP    126
+#define EC_F_EC_POINT_SET_TO_INFINITY                    127
+#define EC_F_GFP_MONT_GROUP_SET_CURVE_GFP                135
+
+/* Reason codes. */
+#define EC_R_BUFFER_TOO_SMALL                            100
+#define EC_R_INCOMPATIBLE_OBJECTS                        101
+#define EC_R_INVALID_ARGUMENT                            112
+#define EC_R_INVALID_COMPRESSED_POINT                    110
+#define EC_R_INVALID_COMPRESSION_BIT                     109
+#define EC_R_INVALID_ENCODING                            102
+#define EC_R_INVALID_FIELD                               103
+#define EC_R_INVALID_FORM                                104
+#define EC_R_NOT_INITIALIZED                             111
+#define EC_R_NO_SUCH_EXTRA_DATA                          105
+#define EC_R_POINT_AT_INFINITY                           106
+#define EC_R_POINT_IS_NOT_ON_CURVE                       107
+#define EC_R_SLOT_FULL                                   108
+#define EC_R_UNDEFINED_GENERATOR                         113
+#define EC_R_UNKNOWN_ORDER                               114
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ec/ec_cvt.c b/src/lib/libcrypto/ec/ec_cvt.c
new file mode 100644
index 0000000000..45b0ec33a0
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -0,0 +1,80 @@
+/* crypto/ec/ec_cvt.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+
+EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        const EC_METHOD *meth;
+        EC_GROUP *ret;
+        
+        /* Finally, this will use EC_GFp_nist_method if 'p' is a special
+         * prime with optimized modular arithmetics (for NIST curves)
+         */
+        meth = EC_GFp_mont_method();
+        
+        ret = EC_GROUP_new(meth);
+        if (ret == NULL)
+                return NULL;
+
+        if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
+                {
+                EC_GROUP_clear_free(ret);
+                return NULL;
+                }
+
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
new file mode 100644
index 0000000000..394cdc021f
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -0,0 +1,151 @@
+/* crypto/ec/ec_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ec.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA EC_str_functs[]=
+        {
+{ERR_PACK(0,EC_F_COMPUTE_WNAF,0),       "COMPUTE_WNAF"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0),   "ec_GFp_mont_field_decode"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),   "ec_GFp_mont_field_encode"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),      "ec_GFp_mont_field_mul"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),      "ec_GFp_mont_field_sqr"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),  "ec_GFp_simple_group_set_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0),  "ec_GFp_simple_group_set_generator"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0),  "ec_GFp_simple_make_affine"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0),    "ec_GFp_simple_oct2point"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0),    "ec_GFp_simple_point2oct"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0),   "ec_GFp_simple_points_make_affine"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_get_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_set_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0),       "ec_GFp_simple_set_compressed_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_COPY,0),      "EC_GROUP_copy"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),    "EC_GROUP_get0_generator"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),      "EC_GROUP_get_cofactor"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),     "EC_GROUP_get_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0),    "EC_GROUP_get_extra_data"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"},
+{ERR_PACK(0,EC_F_EC_GROUP_NEW,0),       "EC_GROUP_new"},
+{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),   "EC_GROUP_precompute_mult"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0),     "EC_GROUP_set_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0),    "EC_GROUP_set_extra_data"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0),     "EC_GROUP_set_generator"},
+{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0),      "EC_POINTs_make_affine"},
+{ERR_PACK(0,EC_F_EC_POINTS_MUL,0),      "EC_POINTs_mul"},
+{ERR_PACK(0,EC_F_EC_POINT_ADD,0),       "EC_POINT_add"},
+{ERR_PACK(0,EC_F_EC_POINT_CMP,0),       "EC_POINT_cmp"},
+{ERR_PACK(0,EC_F_EC_POINT_COPY,0),      "EC_POINT_copy"},
+{ERR_PACK(0,EC_F_EC_POINT_DBL,0),       "EC_POINT_dbl"},
+{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_get_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_get_Jprojective_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0),    "EC_POINT_is_at_infinity"},
+{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0),       "EC_POINT_is_on_curve"},
+{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0),       "EC_POINT_make_affine"},
+{ERR_PACK(0,EC_F_EC_POINT_NEW,0),       "EC_POINT_new"},
+{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0), "EC_POINT_oct2point"},
+{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0), "EC_POINT_point2oct"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_set_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0),    "EC_POINT_set_compressed_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_set_Jprojective_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0),   "EC_POINT_set_to_infinity"},
+{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0),       "GFP_MONT_GROUP_SET_CURVE_GFP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA EC_str_reasons[]=
+        {
+{EC_R_BUFFER_TOO_SMALL                   ,"buffer too small"},
+{EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
+{EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
+{EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
+{EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
+{EC_R_INVALID_ENCODING                   ,"invalid encoding"},
+{EC_R_INVALID_FIELD                      ,"invalid field"},
+{EC_R_INVALID_FORM                       ,"invalid form"},
+{EC_R_NOT_INITIALIZED                    ,"not initialized"},
+{EC_R_NO_SUCH_EXTRA_DATA                 ,"no such extra data"},
+{EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
+{EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
+{EC_R_SLOT_FULL                          ,"slot full"},
+{EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
+{EC_R_UNKNOWN_ORDER                      ,"unknown order"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_EC_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_EC,EC_str_functs);
+                ERR_load_strings(ERR_LIB_EC,EC_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/ec/ec_lcl.h b/src/lib/libcrypto/ec/ec_lcl.h
new file mode 100644
index 0000000000..cc4cf27755
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_lcl.h
@@ -0,0 +1,277 @@
+/* crypto/ec/ec_lcl.h */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdlib.h>
+
+#include <openssl/ec.h>
+
+
+/* Structure details are not part of the exported interface,
+ * so all this may change in future versions. */
+
+struct ec_method_st {
+        /* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */
+        int (*group_init)(EC_GROUP *);
+        void (*group_finish)(EC_GROUP *);
+        void (*group_clear_finish)(EC_GROUP *);
+        int (*group_copy)(EC_GROUP *, const EC_GROUP *);
+
+        /* used by EC_GROUP_set_curve_GFp and EC_GROUP_get_curve_GFp: */
+        int (*group_set_curve_GFp)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+        int (*group_get_curve_GFp)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+        /* used by EC_GROUP_set_generator, EC_GROUP_get0_generator,
+         * EC_GROUP_get_order, EC_GROUP_get_cofactor:
+         */
+        int (*group_set_generator)(EC_GROUP *, const EC_POINT *generator,
+                const BIGNUM *order, const BIGNUM *cofactor);
+        EC_POINT *(*group_get0_generator)(const EC_GROUP *);
+        int (*group_get_order)(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+        int (*group_get_cofactor)(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+        /* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */
+        int (*point_init)(EC_POINT *);
+        void (*point_finish)(EC_POINT *);
+        void (*point_clear_finish)(EC_POINT *);
+        int (*point_copy)(EC_POINT *, const EC_POINT *);
+
+        /* used by EC_POINT_set_to_infinity,
+         * EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_get_Jprojective_coordinates_GFp,
+         * EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp,
+         * EC_POINT_set_compressed_coordinates_GFp:
+         */
+        int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
+        int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+        int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+                BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+        int (*point_set_affine_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+        int (*point_get_affine_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+                BIGNUM *x, BIGNUM *y, BN_CTX *);
+        int (*point_set_compressed_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, int y_bit, BN_CTX *);
+
+        /* used by EC_POINT_point2oct, EC_POINT_oct2point: */
+        size_t (*point2oct)(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+                unsigned char *buf, size_t len, BN_CTX *);
+        int (*oct2point)(const EC_GROUP *, EC_POINT *,
+                const unsigned char *buf, size_t len, BN_CTX *);
+
+        /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */
+        int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+        int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+        int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *);
+
+        /* used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: */
+        int (*is_at_infinity)(const EC_GROUP *, const EC_POINT *);
+        int (*is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+        int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+
+        /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */
+        int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
+        int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+
+
+        /* internal functions */
+
+        /* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that
+         * the same implementations of point operations can be used with different
+         * optimized implementations of expensive field operations: */
+        int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+        int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
+        int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
+        int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+} /* EC_METHOD */;
+
+
+struct ec_group_st {
+        const EC_METHOD *meth;
+
+        void *extra_data;
+        void *(*extra_data_dup_func)(void *);
+        void (*extra_data_free_func)(void *);
+        void (*extra_data_clear_free_func)(void *);
+
+        /* All members except 'meth' and 'extra_data...' are handled by
+         * the method functions, even if they appear generic */
+        
+        BIGNUM field; /* Field specification.
+                       * For curves over GF(p), this is the modulus. */
+
+        BIGNUM a, b; /* Curve coefficients.
+                      * (Here the assumption is that BIGNUMs can be used
+                      * or abused for all kinds of fields, not just GF(p).)
+                      * For characteristic  > 3,  the curve is defined
+                      * by a Weierstrass equation of the form
+                      *     y^2 = x^3 + a*x + b.
+                      */
+        int a_is_minus3; /* enable optimized point arithmetics for special case */
+
+        EC_POINT *generator; /* optional */
+        BIGNUM order, cofactor;
+
+        void *field_data1; /* method-specific (e.g., Montgomery structure) */
+        void *field_data2; /* method-specific */
+} /* EC_GROUP */;
+
+
+/* Basically a 'mixin' for extra data, but available for EC_GROUPs only
+ * (with visibility limited to 'package' level for now).
+ * We use the function pointers as index for retrieval; this obviates
+ * global ex_data-style index tables.
+ * (Currently, we have one slot only, but is is possible to extend this
+ * if necessary.) */
+int EC_GROUP_set_extra_data(EC_GROUP *, void *extra_data, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
+void *EC_GROUP_get_extra_data(const EC_GROUP *, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
+void EC_GROUP_free_extra_data(EC_GROUP *);
+void EC_GROUP_clear_free_extra_data(EC_GROUP *);
+
+
+
+struct ec_point_st {
+        const EC_METHOD *meth;
+
+        /* All members except 'meth' are handled by the method functions,
+         * even if they appear generic */
+
+        BIGNUM X;
+        BIGNUM Y;
+        BIGNUM Z; /* Jacobian projective coordinates:
+                   * (X, Y, Z)  represents  (X/Z^2, Y/Z^3)  if  Z != 0 */
+        int Z_is_one; /* enable optimized point arithmetics for special case */
+} /* EC_POINT */;
+
+
+
+/* method functions in ecp_smpl.c */
+int ec_GFp_simple_group_init(EC_GROUP *);
+void ec_GFp_simple_group_finish(EC_GROUP *);
+void ec_GFp_simple_group_clear_finish(EC_GROUP *);
+int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_set_generator(EC_GROUP *, const EC_POINT *generator,
+        const BIGNUM *order, const BIGNUM *cofactor);
+EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *);
+int ec_GFp_simple_group_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int ec_GFp_simple_group_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+int ec_GFp_simple_point_init(EC_POINT *);
+void ec_GFp_simple_point_finish(EC_POINT *);
+void ec_GFp_simple_point_clear_finish(EC_POINT *);
+int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, int y_bit, BN_CTX *);
+size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
+        const unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ecp_mont.c */
+int ec_GFp_mont_group_init(EC_GROUP *);
+int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_mont_group_finish(EC_GROUP *);
+void ec_GFp_mont_group_clear_finish(EC_GROUP *);
+int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+
+
+/* method functions in ecp_recp.c */
+int ec_GFp_recp_group_init(EC_GROUP *);
+int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_recp_group_finish(EC_GROUP *);
+void ec_GFp_recp_group_clear_finish(EC_GROUP *);
+int ec_GFp_recp_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_recp_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_recp_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ecp_nist.c */
+int ec_GFp_nist_group_init(EC_GROUP *);
+int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_nist_group_finish(EC_GROUP *);
+void ec_GFp_nist_group_clear_finish(EC_GROUP *);
+int ec_GFp_nist_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
new file mode 100644
index 0000000000..e0d78d67fb
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -0,0 +1,646 @@
+/* crypto/ec/ec_lib.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/opensslv.h>
+
+#include "ec_lcl.h"
+
+static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+
+
+/* functions for EC_GROUP objects */
+
+EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
+        {
+        EC_GROUP *ret;
+
+        if (meth == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        if (meth->group_init == 0)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return NULL;
+                }
+
+        ret = OPENSSL_malloc(sizeof *ret);
+        if (ret == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+
+        ret->meth = meth;
+
+        ret->extra_data = NULL;
+        ret->extra_data_dup_func = 0;
+        ret->extra_data_free_func = 0;
+        ret->extra_data_clear_free_func = 0;
+        
+        if (!meth->group_init(ret))
+                {
+                OPENSSL_free(ret);
+                return NULL;
+                }
+        
+        return ret;
+        }
+
+
+void EC_GROUP_free(EC_GROUP *group)
+        {
+        if (group->meth->group_finish != 0)
+                group->meth->group_finish(group);
+
+        EC_GROUP_free_extra_data(group);
+
+        OPENSSL_free(group);
+        }
+ 
+
+void EC_GROUP_clear_free(EC_GROUP *group)
+        {
+        if (group->meth->group_clear_finish != 0)
+                group->meth->group_clear_finish(group);
+        else if (group->meth != NULL && group->meth->group_finish != 0)
+                group->meth->group_finish(group);
+
+        EC_GROUP_clear_free_extra_data(group);
+
+        memset(group, 0, sizeof *group);
+        OPENSSL_free(group);
+        }
+
+
+int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (dest->meth->group_copy == 0)
+                {
+                ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (dest->meth != src->meth)
+                {
+                ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        if (dest == src)
+                return 1;
+        
+        EC_GROUP_clear_free_extra_data(dest);
+        if (src->extra_data_dup_func)
+                {
+                if (src->extra_data != NULL)
+                        {
+                        dest->extra_data = src->extra_data_dup_func(src->extra_data);
+                        if (dest->extra_data == NULL)
+                                return 0;
+                        }
+
+                dest->extra_data_dup_func = src->extra_data_dup_func;
+                dest->extra_data_free_func = src->extra_data_free_func;
+                dest->extra_data_clear_free_func = src->extra_data_clear_free_func;
+                }
+
+        return dest->meth->group_copy(dest, src);
+        }
+
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group)
+        {
+        return group->meth;
+        }
+
+
+int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->meth->group_set_curve_GFp == 0)
+                {
+                ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_set_curve_GFp(group, p, a, b, ctx);
+        }
+
+
+int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_curve_GFp == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_curve_GFp(group, p, a, b, ctx);
+        }
+
+
+int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
+        {
+        if (group->meth->group_set_generator == 0)
+                {
+                ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_set_generator(group, generator, order, cofactor);
+        }
+
+
+EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group)
+        {
+        if (group->meth->group_get0_generator == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET0_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get0_generator(group);
+        }
+
+
+int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_order == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_ORDER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_order(group, order, ctx);
+        }
+
+
+int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_cofactor == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_COFACTOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_cofactor(group, cofactor, ctx);
+        }
+
+
+/* this has 'package' visibility */
+int EC_GROUP_set_extra_data(EC_GROUP *group, void *extra_data, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+        {
+        if ((group->extra_data != NULL)
+                || (group->extra_data_dup_func != 0)
+                || (group->extra_data_free_func != 0)
+                || (group->extra_data_clear_free_func != 0))
+                {
+                ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL);
+                return 0;
+                }
+
+        group->extra_data = extra_data;
+        group->extra_data_dup_func = extra_data_dup_func;
+        group->extra_data_free_func = extra_data_free_func;
+        group->extra_data_clear_free_func = extra_data_clear_free_func;
+        return 1;
+        }
+
+
+/* this has 'package' visibility */
+void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+        {
+        if ((group->extra_data_dup_func != extra_data_dup_func)
+                || (group->extra_data_free_func != extra_data_free_func)
+                || (group->extra_data_clear_free_func != extra_data_clear_free_func))
+                {
+                ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA);
+                return NULL;
+                }
+
+        return group->extra_data;
+        }
+
+
+/* this has 'package' visibility */
+void EC_GROUP_free_extra_data(EC_GROUP *group)
+        {
+        if (group->extra_data_free_func)
+                group->extra_data_free_func(group->extra_data);
+        group->extra_data = NULL;
+        group->extra_data_dup_func = 0;
+        group->extra_data_free_func = 0;
+        group->extra_data_clear_free_func = 0;
+        }
+
+
+/* this has 'package' visibility */
+void EC_GROUP_clear_free_extra_data(EC_GROUP *group)
+        {
+        if (group->extra_data_clear_free_func)
+                group->extra_data_clear_free_func(group->extra_data);
+        else if (group->extra_data_free_func)
+                group->extra_data_free_func(group->extra_data);
+        group->extra_data = NULL;
+        group->extra_data_dup_func = 0;
+        group->extra_data_free_func = 0;
+        group->extra_data_clear_free_func = 0;
+        }
+
+
+
+/* functions for EC_POINT objects */
+
+EC_POINT *EC_POINT_new(const EC_GROUP *group)
+        {
+        EC_POINT *ret;
+
+        if (group == NULL)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        if (group->meth->point_init == 0)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return NULL;
+                }
+
+        ret = OPENSSL_malloc(sizeof *ret);
+        if (ret == NULL)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+
+        ret->meth = group->meth;
+        
+        if (!ret->meth->point_init(ret))
+                {
+                OPENSSL_free(ret);
+                return NULL;
+                }
+        
+        return ret;
+        }
+
+
+void EC_POINT_free(EC_POINT *point)
+        {
+        if (point->meth->point_finish != 0)
+                point->meth->point_finish(point);
+        OPENSSL_free(point);
+        }
+ 
+
+void EC_POINT_clear_free(EC_POINT *point)
+        {
+        if (point->meth->point_clear_finish != 0)
+                point->meth->point_clear_finish(point);
+        else if (point->meth != NULL && point->meth->point_finish != 0)
+                point->meth->point_finish(point);
+        memset(point, 0, sizeof *point);
+        OPENSSL_free(point);
+        }
+
+
+int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
+        {
+        if (dest->meth->point_copy == 0)
+                {
+                ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (dest->meth != src->meth)
+                {
+                ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        if (dest == src)
+                return 1;
+        return dest->meth->point_copy(dest, src);
+        }
+
+
+const EC_METHOD *EC_POINT_method_of(const EC_POINT *point)
+        {
+        return point->meth;
+        }
+
+
+int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+        {
+        if (group->meth->point_set_to_infinity == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_TO_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_TO_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_to_infinity(group, point);
+        }
+
+
+int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_Jprojective_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+        }
+
+
+int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
+        {
+        if (group->meth->point_get_Jprojective_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+        }
+
+
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_affine_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_affine_coordinates_GFp(group, point, x, y, ctx);
+        }
+
+
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+        {
+        if (group->meth->point_get_affine_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_get_affine_coordinates_GFp(group, point, x, y, ctx);
+        }
+
+
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, int y_bit, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_compressed_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx);
+        }
+
+
+size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        if (group->meth->point2oct == 0)
+                {
+                ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point2oct(group, point, form, buf, len, ctx);
+        }
+
+
+int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
+        const unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        if (group->meth->oct2point == 0)
+                {
+                ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->oct2point(group, point, buf, len, ctx);
+        }
+
+
+int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        if (group->meth->add == 0)
+                {
+                ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != r->meth) || (r->meth != a->meth) || (a->meth != b->meth))
+                {
+                ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->add(group, r, a, b, ctx);
+        }
+
+
+int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+        {
+        if (group->meth->dbl == 0)
+                {
+                ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != r->meth) || (r->meth != a->meth))
+                {
+                ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->dbl(group, r, a, ctx);
+        }
+
+
+int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
+        {
+        if (group->meth->dbl == 0)
+                {
+                ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != a->meth)
+                {
+                ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->invert(group, a, ctx);
+        }
+
+
+int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+        {
+        if (group->meth->is_at_infinity == 0)
+                {
+                ECerr(EC_F_EC_POINT_IS_AT_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->is_at_infinity(group, point);
+        }
+
+
+int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+        {
+        if (group->meth->is_on_curve == 0)
+                {
+                ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->is_on_curve(group, point, ctx);
+        }
+
+
+int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        if (group->meth->point_cmp == 0)
+                {
+                ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != a->meth) || (a->meth != b->meth))
+                {
+                ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_cmp(group, a, b, ctx);
+        }
+
+
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        if (group->meth->make_affine == 0)
+                {
+                ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->make_affine(group, point, ctx);
+        }
+
+
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+        {
+        size_t i;
+
+        if (group->meth->points_make_affine == 0)
+                {
+                ECerr(EC_F_EC_POINTS_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        for (i = 0; i < num; i++)
+                {
+                if (group->meth != points[i]->meth)
+                        {
+                        ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
+                        return 0;
+                        }
+                }
+        return group->meth->points_make_affine(group, num, points, ctx);
+        }
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
new file mode 100644
index 0000000000..603ba31b81
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -0,0 +1,473 @@
+/* crypto/ec/ec_mult.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+/* TODO: optional precomputation of multiples of the generator */
+
+
+
+/*
+ * wNAF-based interleaving multi-exponentation method
+ * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>)
+ */
+
+
+/* Determine the width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+ * This is an array  r[]  of values that are either zero or odd with an
+ * absolute value less than  2^w  satisfying
+ *     scalar = \sum_j r[j]*2^j
+ * where at most one of any  w+1  consecutive digits is non-zero.
+ */
+static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, BN_CTX *ctx)
+        {
+        BIGNUM *c;
+        int ok = 0;
+        signed char *r = NULL;
+        int sign = 1;
+        int bit, next_bit, mask;
+        size_t len = 0, j;
+        
+        BN_CTX_start(ctx);
+        c = BN_CTX_get(ctx);
+        if (c == NULL) goto err;
+        
+        if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
+                {
+                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        bit = 1 << w; /* at most 128 */
+        next_bit = bit << 1; /* at most 256 */
+        mask = next_bit - 1; /* at most 255 */
+
+        if (!BN_copy(c, scalar)) goto err;
+        if (c->neg)
+                {
+                sign = -1;
+                c->neg = 0;
+                }
+
+        len = BN_num_bits(c) + 1; /* wNAF may be one digit longer than binary representation */
+        r = OPENSSL_malloc(len);
+        if (r == NULL) goto err;
+
+        j = 0;
+        while (!BN_is_zero(c))
+                {
+                int u = 0;
+
+                if (BN_is_odd(c)) 
+                        {
+                        if (c->d == NULL || c->top == 0)
+                                {
+                                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        u = c->d[0] & mask;
+                        if (u & bit)
+                                {
+                                u -= next_bit;
+                                /* u < 0 */
+                                if (!BN_add_word(c, -u)) goto err;
+                                }
+                        else
+                                {
+                                /* u > 0 */
+                                if (!BN_sub_word(c, u)) goto err;
+                                }
+
+                        if (u <= -bit || u >= bit || !(u & 1) || c->neg)
+                                {
+                                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        }
+
+                r[j++] = sign * u;
+                
+                if (BN_is_odd(c))
+                        {
+                        ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                if (!BN_rshift1(c, c)) goto err;
+                }
+
+        if (j > len)
+                {
+                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        len = j;
+        ok = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (!ok)
+                {
+                OPENSSL_free(r);
+                r = NULL;
+                }
+        if (ok)
+                *ret_len = len;
+        return r;
+        }
+
+
+/* TODO: table should be optimised for the wNAF-based implementation,
+ *       sometimes smaller windows will give better performance
+ *       (thus the boundaries should be increased)
+ */
+#define EC_window_bits_for_scalar_size(b) \
+                ((b) >= 2000 ? 6 : \
+                 (b) >=  800 ? 5 : \
+                 (b) >=  300 ? 4 : \
+                 (b) >=   70 ? 3 : \
+                 (b) >=   20 ? 2 : \
+                  1)
+
+/* Compute
+ *      \sum scalars[i]*points[i],
+ * also including
+ *      scalar*generator
+ * in the addition if scalar != NULL
+ */
+int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+        size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        EC_POINT *generator = NULL;
+        EC_POINT *tmp = NULL;
+        size_t totalnum;
+        size_t i, j;
+        int k;
+        int r_is_inverted = 0;
+        int r_is_at_infinity = 1;
+        size_t *wsize = NULL; /* individual window sizes */
+        signed char **wNAF = NULL; /* individual wNAFs */
+        size_t *wNAF_len = NULL;
+        size_t max_len = 0;
+        size_t num_val;
+        EC_POINT **val = NULL; /* precomputation */
+        EC_POINT **v;
+        EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
+        int ret = 0;
+        
+        if (scalar != NULL)
+                {
+                generator = EC_GROUP_get0_generator(group);
+                if (generator == NULL)
+                        {
+                        ECerr(EC_F_EC_POINTS_MUL, EC_R_UNDEFINED_GENERATOR);
+                        return 0;
+                        }
+                }
+        
+        for (i = 0; i < num; i++)
+                {
+                if (group->meth != points[i]->meth)
+                        {
+                        ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+                        return 0;
+                        }
+                }
+
+        totalnum = num + (scalar != NULL);
+
+        wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
+        wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
+        wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]);
+        if (wNAF != NULL)
+                {
+                wNAF[0] = NULL; /* preliminary pivot */
+                }
+        if (wsize == NULL || wNAF_len == NULL || wNAF == NULL) goto err;
+
+        /* num_val := total number of points to precompute */
+        num_val = 0;
+        for (i = 0; i < totalnum; i++)
+                {
+                size_t bits;
+
+                bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
+                wsize[i] = EC_window_bits_for_scalar_size(bits);
+                num_val += 1u << (wsize[i] - 1);
+                }
+
+        /* all precomputed points go into a single array 'val',
+         * 'val_sub[i]' is a pointer to the subarray for the i-th point */
+        val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
+        if (val == NULL) goto err;
+        val[num_val] = NULL; /* pivot element */
+
+        val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
+        if (val_sub == NULL) goto err;
+
+        /* allocate points for precomputation */
+        v = val;
+        for (i = 0; i < totalnum; i++)
+                {
+                val_sub[i] = v;
+                for (j = 0; j < (1u << (wsize[i] - 1)); j++)
+                        {
+                        *v = EC_POINT_new(group);
+                        if (*v == NULL) goto err;
+                        v++;
+                        }
+                }
+        if (!(v == val + num_val))
+                {
+                ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        goto err;
+                }
+        
+        tmp = EC_POINT_new(group);
+        if (tmp == NULL) goto err;
+
+        /* prepare precomputed values:
+         *    val_sub[i][0] :=     points[i]
+         *    val_sub[i][1] := 3 * points[i]
+         *    val_sub[i][2] := 5 * points[i]
+         *    ...
+         */
+        for (i = 0; i < totalnum; i++)
+                {
+                if (i < num)
+                        {
+                        if (!EC_POINT_copy(val_sub[i][0], points[i])) goto err;
+                        }
+                else
+                        {
+                        if (!EC_POINT_copy(val_sub[i][0], generator)) goto err;
+                        }
+
+                if (wsize[i] > 1)
+                        {
+                        if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) goto err;
+                        for (j = 1; j < (1u << (wsize[i] - 1)); j++)
+                                {
+                                if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
+                                }
+                        }
+
+                wNAF[i + 1] = NULL; /* make sure we always have a pivot */
+                wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i], ctx);
+                if (wNAF[i] == NULL) goto err;
+                if (wNAF_len[i] > max_len)
+                        max_len = wNAF_len[i];
+                }
+
+#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
+        if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err;
+#endif
+
+        r_is_at_infinity = 1;
+
+        for (k = max_len - 1; k >= 0; k--)
+                {
+                if (!r_is_at_infinity)
+                        {
+                        if (!EC_POINT_dbl(group, r, r, ctx)) goto err;
+                        }
+                
+                for (i = 0; i < totalnum; i++)
+                        {
+                        if (wNAF_len[i] > (size_t)k)
+                                {
+                                int digit = wNAF[i][k];
+                                int is_neg;
+
+                                if (digit) 
+                                        {
+                                        is_neg = digit < 0;
+
+                                        if (is_neg)
+                                                digit = -digit;
+
+                                        if (is_neg != r_is_inverted)
+                                                {
+                                                if (!r_is_at_infinity)
+                                                        {
+                                                        if (!EC_POINT_invert(group, r, ctx)) goto err;
+                                                        }
+                                                r_is_inverted = !r_is_inverted;
+                                                }
+
+                                        /* digit > 0 */
+
+                                        if (r_is_at_infinity)
+                                                {
+                                                if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) goto err;
+                                                r_is_at_infinity = 0;
+                                                }
+                                        else
+                                                {
+                                                if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) goto err;
+                                                }
+                                        }
+                                }
+                        }
+                }
+
+        if (r_is_at_infinity)
+                {
+                if (!EC_POINT_set_to_infinity(group, r)) goto err;
+                }
+        else
+                {
+                if (r_is_inverted)
+                        if (!EC_POINT_invert(group, r, ctx)) goto err;
+                }
+        
+        ret = 1;
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (tmp != NULL)
+                EC_POINT_free(tmp);
+        if (wsize != NULL)
+                OPENSSL_free(wsize);
+        if (wNAF_len != NULL)
+                OPENSSL_free(wNAF_len);
+        if (wNAF != NULL)
+                {
+                signed char **w;
+                
+                for (w = wNAF; *w != NULL; w++)
+                        OPENSSL_free(*w);
+                
+                OPENSSL_free(wNAF);
+                }
+        if (val != NULL)
+                {
+                for (v = val; *v != NULL; v++)
+                        EC_POINT_clear_free(*v);
+
+                OPENSSL_free(val);
+                }
+        if (val_sub != NULL)
+                {
+                OPENSSL_free(val_sub);
+                }
+        return ret;
+        }
+
+
+int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
+        {
+        const EC_POINT *points[1];
+        const BIGNUM *scalars[1];
+
+        points[0] = point;
+        scalars[0] = p_scalar;
+
+        return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
+        }
+
+
+int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+        {
+        const EC_POINT *generator;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *order;
+        int ret = 0;
+
+        generator = EC_GROUP_get0_generator(group);
+        if (generator == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+        
+        BN_CTX_start(ctx);
+        order = BN_CTX_get(ctx);
+        if (order == NULL) goto err;
+        
+        if (!EC_GROUP_get_order(group, order, ctx)) return 0;
+        if (BN_is_zero(order))
+                {
+                ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
+                goto err;
+                }
+
+        /* TODO */
+
+        ret = 1;
+        
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
new file mode 100644
index 0000000000..7b30d4c38a
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -0,0 +1,304 @@
+/* crypto/ec/ecp_mont.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GFp_mont_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_mont_group_init,
+                ec_GFp_mont_group_finish,
+                ec_GFp_mont_group_clear_finish,
+                ec_GFp_mont_group_copy,
+                ec_GFp_mont_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_mont_field_mul,
+                ec_GFp_mont_field_sqr,
+                ec_GFp_mont_field_encode,
+                ec_GFp_mont_field_decode,
+                ec_GFp_mont_field_set_to_one };
+
+        return &ret;
+        }
+
+
+int ec_GFp_mont_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        group->field_data2 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BN_MONT_CTX *mont = NULL;
+        BIGNUM *one = NULL;
+        int ret = 0;
+
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        mont = BN_MONT_CTX_new();
+        if (mont == NULL) goto err;
+        if (!BN_MONT_CTX_set(mont, p, ctx))
+                {
+                ECerr(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP, ERR_R_BN_LIB);
+                goto err;
+                }
+        one = BN_new();
+        if (one == NULL) goto err;
+        if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
+
+        group->field_data1 = mont;
+        mont = NULL;
+        group->field_data2 = one;
+        one = NULL;
+
+        ret = ec_GFp_simple_group_set_curve_GFp(group, p, a, b, ctx);
+
+        if (!ret)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (mont != NULL)
+                BN_MONT_CTX_free(mont);
+        return ret;
+        }
+
+
+void ec_GFp_mont_group_finish(EC_GROUP *group)
+        {
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        ec_GFp_simple_group_finish(group);
+        }
+
+
+void ec_GFp_mont_group_clear_finish(EC_GROUP *group)
+        {
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_clear_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        ec_GFp_simple_group_clear_finish(group);
+        }
+
+
+int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (dest->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(dest->field_data1);
+                dest->field_data1 = NULL;
+                }
+        if (dest->field_data2 != NULL)
+                {
+                BN_clear_free(dest->field_data2);
+                dest->field_data2 = NULL;
+                }
+
+        if (!ec_GFp_simple_group_copy(dest, src)) return 0;
+
+        if (src->field_data1 != NULL)
+                {
+                dest->field_data1 = BN_MONT_CTX_new();
+                if (dest->field_data1 == NULL) return 0;
+                if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1)) goto err;
+                }
+        if (src->field_data2 != NULL)
+                {
+                dest->field_data2 = BN_dup(src->field_data2);
+                if (dest->field_data2 == NULL) goto err;
+                }
+
+        return 1;
+
+ err:
+        if (dest->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(dest->field_data1);
+                dest->field_data1 = NULL;
+                }
+        return 0;       
+        }
+
+
+int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_MUL, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_SQR, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_ENCODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_from_montgomery(r, a, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
+        {
+        if (group->field_data2 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        if (!BN_copy(r, group->field_data2)) return 0;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
new file mode 100644
index 0000000000..ed07748675
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -0,0 +1,134 @@
+/* crypto/ec/ecp_nist.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+#if 0
+const EC_METHOD *EC_GFp_nist_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_nist_group_init,
+                ec_GFp_nist_group_finish,
+                ec_GFp_nist_group_clear_finish,
+                ec_GFp_nist_group_copy,
+                ec_GFp_nist_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_nist_field_mul,
+                ec_GFp_nist_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+#endif
+
+
+int ec_GFp_nist_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+void ec_GFp_nist_group_finish(EC_GROUP *group);
+/* TODO */
+
+
+void ec_GFp_nist_group_clear_finish(EC_GROUP *group);
+/* TODO */
+
+
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+/* TODO */
+
+
+int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+/* TODO */
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
new file mode 100644
index 0000000000..4666a052bf
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -0,0 +1,1717 @@
+/* crypto/ec/ecp_smpl.c */
+/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GFp_simple_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_simple_group_init,
+                ec_GFp_simple_group_finish,
+                ec_GFp_simple_group_clear_finish,
+                ec_GFp_simple_group_copy,
+                ec_GFp_simple_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_simple_field_mul,
+                ec_GFp_simple_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+
+
+int ec_GFp_simple_group_init(EC_GROUP *group)
+        {
+        BN_init(&group->field);
+        BN_init(&group->a);
+        BN_init(&group->b);
+        group->a_is_minus3 = 0;
+        group->generator = NULL;
+        BN_init(&group->order);
+        BN_init(&group->cofactor);
+        return 1;
+        }
+
+
+void ec_GFp_simple_group_finish(EC_GROUP *group)
+        {
+        BN_free(&group->field);
+        BN_free(&group->a);
+        BN_free(&group->b);
+        if (group->generator != NULL)
+                EC_POINT_free(group->generator);
+        BN_free(&group->order);
+        BN_free(&group->cofactor);
+        }
+
+
+void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
+        {
+        BN_clear_free(&group->field);
+        BN_clear_free(&group->a);
+        BN_clear_free(&group->b);
+        if (group->generator != NULL)
+                {
+                EC_POINT_clear_free(group->generator);
+                group->generator = NULL;
+                }
+        BN_clear_free(&group->order);
+        BN_clear_free(&group->cofactor);
+        }
+
+
+int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (!BN_copy(&dest->field, &src->field)) return 0;
+        if (!BN_copy(&dest->a, &src->a)) return 0;
+        if (!BN_copy(&dest->b, &src->b)) return 0;
+
+        dest->a_is_minus3 = src->a_is_minus3;
+
+        if (src->generator != NULL)
+                {
+                if (dest->generator == NULL)
+                        {
+                        dest->generator = EC_POINT_new(dest);
+                        if (dest->generator == NULL) return 0;
+                        }
+                if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
+                }
+        else
+                {
+                /* src->generator == NULL */
+                if (dest->generator != NULL)
+                        {
+                        EC_POINT_clear_free(dest->generator);
+                        dest->generator = NULL;
+                        }
+                }
+
+        if (!BN_copy(&dest->order, &src->order)) return 0;
+        if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
+
+        return 1;
+        }
+
+
+int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
+        const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        int ret = 0;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp_a;
+        
+        /* p must be a prime > 3 */
+        if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        tmp_a = BN_CTX_get(ctx);
+        if (tmp_a == NULL) goto err;
+
+        /* group->field */
+        if (!BN_copy(&group->field, p)) goto err;
+        group->field.neg = 0;
+
+        /* group->a */
+        if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
+        if (group->meth->field_encode)
+                { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }     
+        else
+                if (!BN_copy(&group->a, tmp_a)) goto err;
+        
+        /* group->b */
+        if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
+        if (group->meth->field_encode)
+                if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
+        
+        /* group->a_is_minus3 */
+        if (!BN_add_word(tmp_a, 3)) goto err;
+        group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+        {
+        int ret = 0;
+        BN_CTX *new_ctx = NULL;
+        
+        if (p != NULL)
+                {
+                if (!BN_copy(p, &group->field)) return 0;
+                }
+
+        if (a != NULL || b != NULL)
+                {
+                if (group->meth->field_decode)
+                        {
+                        if (ctx == NULL)
+                                {
+                                ctx = new_ctx = BN_CTX_new();
+                                if (ctx == NULL)
+                                        return 0;
+                                }
+                        if (a != NULL)
+                                {
+                                if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
+                                }
+                        if (b != NULL)
+                                {
+                                if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
+                                }
+                        }
+                else
+                        {
+                        if (a != NULL)
+                                {
+                                if (!BN_copy(a, &group->a)) goto err;
+                                }
+                        if (b != NULL)
+                                {
+                                if (!BN_copy(b, &group->b)) goto err;
+                                }
+                        }
+                }
+        
+        ret = 1;
+        
+ err:
+        if (new_ctx)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+
+int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
+        const BIGNUM *order, const BIGNUM *cofactor)
+        {
+        if (generator == NULL)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
+                return 0   ;
+                }
+
+        if (group->generator == NULL)
+                {
+                group->generator = EC_POINT_new(group);
+                if (group->generator == NULL) return 0;
+                }
+        if (!EC_POINT_copy(group->generator, generator)) return 0;
+
+        if (order != NULL)
+                { if (!BN_copy(&group->order, order)) return 0; }       
+        else
+                { if (!BN_zero(&group->order)) return 0; }      
+
+        if (cofactor != NULL)
+                { if (!BN_copy(&group->cofactor, cofactor)) return 0; } 
+        else
+                { if (!BN_zero(&group->cofactor)) return 0; }   
+
+        return 1;
+        }
+
+
+EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group)
+        {
+        return group->generator;
+        }
+
+
+int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+        {
+        if (!BN_copy(order, &group->order))
+                return 0;
+
+        return !BN_is_zero(&group->order);
+        }
+
+
+int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+        {
+        if (!BN_copy(cofactor, &group->cofactor))
+                return 0;
+
+        return !BN_is_zero(&group->cofactor);
+        }
+
+
+int ec_GFp_simple_point_init(EC_POINT *point)
+        {
+        BN_init(&point->X);
+        BN_init(&point->Y);
+        BN_init(&point->Z);
+        point->Z_is_one = 0;
+
+        return 1;
+        }
+
+
+void ec_GFp_simple_point_finish(EC_POINT *point)
+        {
+        BN_free(&point->X);
+        BN_free(&point->Y);
+        BN_free(&point->Z);
+        }
+
+
+void ec_GFp_simple_point_clear_finish(EC_POINT *point)
+        {
+        BN_clear_free(&point->X);
+        BN_clear_free(&point->Y);
+        BN_clear_free(&point->Z);
+        point->Z_is_one = 0;
+        }
+
+
+int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
+        {
+        if (!BN_copy(&dest->X, &src->X)) return 0;
+        if (!BN_copy(&dest->Y, &src->Y)) return 0;
+        if (!BN_copy(&dest->Z, &src->Z)) return 0;
+        dest->Z_is_one = src->Z_is_one;
+
+        return 1;
+        }
+
+
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+        {
+        point->Z_is_one = 0;
+        return (BN_zero(&point->Z));
+        }
+
+
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        int ret = 0;
+        
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        if (x != NULL)
+                {
+                if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
+                if (group->meth->field_encode)
+                        {
+                        if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
+                        }
+                }
+        
+        if (y != NULL)
+                {
+                if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
+                if (group->meth->field_encode)
+                        {
+                        if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
+                        }
+                }
+        
+        if (z != NULL)
+                {
+                int Z_is_one;
+
+                if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
+                Z_is_one = BN_is_one(&point->Z);
+                if (group->meth->field_encode)
+                        {
+                        if (Z_is_one && (group->meth->field_set_to_one != 0))
+                                {
+                                if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
+                                }
+                        }
+                point->Z_is_one = Z_is_one;
+                }
+        
+        ret = 1;
+        
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        int ret = 0;
+        
+        if (group->meth->field_decode != 0)
+                {
+                if (ctx == NULL)
+                        {
+                        ctx = new_ctx = BN_CTX_new();
+                        if (ctx == NULL)
+                                return 0;
+                        }
+
+                if (x != NULL)
+                        {
+                        if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
+                        }
+                if (z != NULL)
+                        {
+                        if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
+                        }
+                }
+        else    
+                {
+                if (x != NULL)
+                        {
+                        if (!BN_copy(x, &point->X)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!BN_copy(y, &point->Y)) goto err;
+                        }
+                if (z != NULL)
+                        {
+                        if (!BN_copy(z, &point->Z)) goto err;
+                        }
+                }
+        
+        ret = 1;
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+        {
+        if (x == NULL || y == NULL)
+                {
+                /* unlike for projective coordinates, we do not tolerate this */
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+
+        return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
+        }
+
+
+int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
+        const BIGNUM *X_, *Y_, *Z_;
+        int ret = 0;
+
+        if (EC_POINT_is_at_infinity(group, point))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        X = BN_CTX_get(ctx);
+        Y = BN_CTX_get(ctx);
+        Z = BN_CTX_get(ctx);
+        Z_1 = BN_CTX_get(ctx);
+        Z_2 = BN_CTX_get(ctx);
+        Z_3 = BN_CTX_get(ctx);
+        if (Z_3 == NULL) goto err;
+
+        /* transform  (X, Y, Z)  into  (x, y) := (X/Z^2, Y/Z^3) */
+        
+        if (group->meth->field_decode)
+                {
+                if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
+                if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
+                if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
+                X_ = X; Y_ = Y; Z_ = Z;
+                }
+        else
+                {
+                X_ = &point->X;
+                Y_ = &point->Y;
+                Z_ = &point->Z;
+                }
+        
+        if (BN_is_one(Z_))
+                {
+                if (x != NULL)
+                        {
+                        if (!BN_copy(x, X_)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!BN_copy(y, Y_)) goto err;
+                        }
+                }
+        else
+                {
+                if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                
+                if (group->meth->field_encode == 0)
+                        {
+                        /* field_sqr works on standard representation */
+                        if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
+                        }
+        
+                if (x != NULL)
+                        {
+                        if (group->meth->field_encode == 0)
+                                {
+                                /* field_mul works on standard representation */
+                                if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
+                                }
+                        }
+
+                if (y != NULL)
+                        {
+                        if (group->meth->field_encode == 0)
+                                {
+                                /* field_mul works on standard representation */
+                                if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
+                                if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
+                                
+                                }
+                        else
+                                {
+                                if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
+                                if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
+                                }
+                        }
+                }
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x_, int y_bit, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp1, *tmp2, *x, *y;
+        int ret = 0;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        y_bit = (y_bit != 0);
+
+        BN_CTX_start(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        /* Recover y.  We have a Weierstrass equation
+         *     y^2 = x^3 + a*x + b,
+         * so  y  is one of the square roots of  x^3 + a*x + b.
+         */
+
+        /* tmp1 := x^3 */
+        if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
+        if (group->meth->field_decode == 0)
+                {
+                /* field_{sqr,mul} work on standard representation */
+                if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
+                if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
+                if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
+                }
+        
+        /* tmp1 := tmp1 + a*x */
+        if (group->a_is_minus3)
+                {
+                if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
+                if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
+                if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        else
+                {
+                if (group->meth->field_decode)
+                        {
+                        if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
+                        if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
+                        }
+                else
+                        {
+                        /* field_mul works on standard representation */
+                        if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
+                        }
+                
+                if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        
+        /* tmp1 := tmp1 + b */
+        if (group->meth->field_decode)
+                {
+                if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
+                if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        else
+                {
+                if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
+                }
+        
+        if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
+                {
+                unsigned long err = ERR_peek_error();
+                
+                if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
+                        {
+                        (void)ERR_get_error();
+                        ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+                        }
+                else
+                        ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB);
+                goto err;
+                }
+        /* If tmp1 is not a square (i.e. there is no point on the curve with
+         * our x), then y now is a nonsense value too */
+
+        if (y_bit != BN_is_odd(y))
+                {
+                if (BN_is_zero(y))
+                        {
+                        int kron;
+
+                        kron = BN_kronecker(x, &group->field, ctx);
+                        if (kron == -2) goto err;
+
+                        if (kron == 1)
+                                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT);
+                        else
+                                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+                        goto err;
+                        }
+                if (!BN_usub(y, &group->field, y)) goto err;
+                }
+        if (y_bit != BN_is_odd(y))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+
+        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        size_t ret;
+        BN_CTX *new_ctx = NULL;
+        int used_ctx = 0;
+        BIGNUM *x, *y;
+        size_t field_len, i, skip;
+
+        if ((form != POINT_CONVERSION_COMPRESSED)
+                && (form != POINT_CONVERSION_UNCOMPRESSED)
+                && (form != POINT_CONVERSION_HYBRID))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
+                goto err;
+                }
+
+        if (EC_POINT_is_at_infinity(group, point))
+                {
+                /* encodes to a single 0 octet */
+                if (buf != NULL)
+                        {
+                        if (len < 1)
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+                                return 0;
+                                }
+                        buf[0] = 0;
+                        }
+                return 1;
+                }
+
+
+        /* ret := required output buffer length */
+        field_len = BN_num_bytes(&group->field);
+        ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+        /* if 'buf' is NULL, just return required length */
+        if (buf != NULL)
+                {
+                if (len < ret)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+                        goto err;
+                        }
+
+                if (ctx == NULL)
+                        {
+                        ctx = new_ctx = BN_CTX_new();
+                        if (ctx == NULL)
+                                return 0;
+                        }
+
+                BN_CTX_start(ctx);
+                used_ctx = 1;
+                x = BN_CTX_get(ctx);
+                y = BN_CTX_get(ctx);
+                if (y == NULL) goto err;
+
+                if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+
+                if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
+                        buf[0] = form + 1;
+                else
+                        buf[0] = form;
+        
+                i = 1;
+                
+                skip = field_len - BN_num_bytes(x);
+                if (skip > field_len)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                while (skip > 0)
+                        {
+                        buf[i++] = 0;
+                        skip--;
+                        }
+                skip = BN_bn2bin(x, buf + i);
+                i += skip;
+                if (i != 1 + field_len)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+
+                if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
+                        {
+                        skip = field_len - BN_num_bytes(y);
+                        if (skip > field_len)
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        while (skip > 0)
+                                {
+                                buf[i++] = 0;
+                                skip--;
+                                }
+                        skip = BN_bn2bin(y, buf + i);
+                        i += skip;
+                        }
+
+                if (i != ret)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (used_ctx)
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+
+ err:
+        if (used_ctx)
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return 0;
+        }
+
+
+int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
+        const unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        point_conversion_form_t form;
+        int y_bit;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *x, *y;
+        size_t field_len, enc_len;
+        int ret = 0;
+
+        if (len == 0)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
+                return 0;
+                }
+        form = buf[0];
+        y_bit = form & 1;
+        form = form & ~1;
+        if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
+                && (form != POINT_CONVERSION_UNCOMPRESSED)
+                && (form != POINT_CONVERSION_HYBRID))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+        if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+
+        if (form == 0)
+                {
+                if (len != 1)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                        return 0;
+                        }
+
+                return EC_POINT_set_to_infinity(group, point);
+                }
+        
+        field_len = BN_num_bytes(&group->field);
+        enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+        if (len != enc_len)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
+        if (BN_ucmp(x, &group->field) >= 0)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                goto err;
+                }
+
+        if (form == POINT_CONVERSION_COMPRESSED)
+                {
+                if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
+                if (BN_ucmp(y, &group->field) >= 0)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                        goto err;
+                        }
+                if (form == POINT_CONVERSION_HYBRID)
+                        {
+                        if (y_bit != BN_is_odd(y))
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                                goto err;
+                                }
+                        }
+
+                if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+                }
+        
+        if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
+                goto err;
+                }
+
+        ret = 1;
+        
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
+        int ret = 0;
+        
+        if (a == b)
+                return EC_POINT_dbl(group, r, a, ctx);
+        if (EC_POINT_is_at_infinity(group, a))
+                return EC_POINT_copy(r, b);
+        if (EC_POINT_is_at_infinity(group, b))
+                return EC_POINT_copy(r, a);
+        
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        n0 = BN_CTX_get(ctx);
+        n1 = BN_CTX_get(ctx);
+        n2 = BN_CTX_get(ctx);
+        n3 = BN_CTX_get(ctx);
+        n4 = BN_CTX_get(ctx);
+        n5 = BN_CTX_get(ctx);
+        n6 = BN_CTX_get(ctx);
+        if (n6 == NULL) goto end;
+
+        /* Note that in this function we must not read components of 'a' or 'b'
+         * once we have written the corresponding components of 'r'.
+         * ('r' might be one of 'a' or 'b'.)
+         */
+
+        /* n1, n2 */
+        if (b->Z_is_one)
+                {
+                if (!BN_copy(n1, &a->X)) goto end;
+                if (!BN_copy(n2, &a->Y)) goto end;
+                /* n1 = X_a */
+                /* n2 = Y_a */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
+                if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
+                /* n1 = X_a * Z_b^2 */
+
+                if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
+                if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
+                /* n2 = Y_a * Z_b^3 */
+                }
+
+        /* n3, n4 */
+        if (a->Z_is_one)
+                {
+                if (!BN_copy(n3, &b->X)) goto end;
+                if (!BN_copy(n4, &b->Y)) goto end;
+                /* n3 = X_b */
+                /* n4 = Y_b */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
+                if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
+                /* n3 = X_b * Z_a^2 */
+
+                if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
+                if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
+                /* n4 = Y_b * Z_a^3 */
+                }
+
+        /* n5, n6 */
+        if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
+        if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
+        /* n5 = n1 - n3 */
+        /* n6 = n2 - n4 */
+
+        if (BN_is_zero(n5))
+                {
+                if (BN_is_zero(n6))
+                        {
+                        /* a is the same point as b */
+                        BN_CTX_end(ctx);
+                        ret = EC_POINT_dbl(group, r, a, ctx);
+                        ctx = NULL;
+                        goto end;
+                        }
+                else
+                        {
+                        /* a is the inverse of b */
+                        if (!BN_zero(&r->Z)) goto end;
+                        r->Z_is_one = 0;
+                        ret = 1;
+                        goto end;
+                        }
+                }
+
+        /* 'n7', 'n8' */
+        if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
+        if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
+        /* 'n7' = n1 + n3 */
+        /* 'n8' = n2 + n4 */
+
+        /* Z_r */
+        if (a->Z_is_one && b->Z_is_one)
+                {
+                if (!BN_copy(&r->Z, n5)) goto end;
+                }
+        else
+                {
+                if (a->Z_is_one)
+                        { if (!BN_copy(n0, &b->Z)) goto end; }
+                else if (b->Z_is_one)
+                        { if (!BN_copy(n0, &a->Z)) goto end; }
+                else
+                        { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
+                if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
+                }
+        r->Z_is_one = 0;
+        /* Z_r = Z_a * Z_b * n5 */
+
+        /* X_r */
+        if (!field_sqr(group, n0, n6, ctx)) goto end;
+        if (!field_sqr(group, n4, n5, ctx)) goto end;
+        if (!field_mul(group, n3, n1, n4, ctx)) goto end;
+        if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
+        /* X_r = n6^2 - n5^2 * 'n7' */
+        
+        /* 'n9' */
+        if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
+        if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
+        /* n9 = n5^2 * 'n7' - 2 * X_r */
+
+        /* Y_r */
+        if (!field_mul(group, n0, n0, n6, ctx)) goto end;
+        if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
+        if (!field_mul(group, n1, n2, n5, ctx)) goto end;
+        if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
+        if (BN_is_odd(n0))
+                if (!BN_add(n0, n0, p)) goto end;
+        /* now  0 <= n0 < 2*p,  and n0 is even */
+        if (!BN_rshift1(&r->Y, n0)) goto end;
+        /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
+
+        ret = 1;
+
+ end:
+        if (ctx) /* otherwise we already called BN_CTX_end */
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *n0, *n1, *n2, *n3;
+        int ret = 0;
+        
+        if (EC_POINT_is_at_infinity(group, a))
+                {
+                if (!BN_zero(&r->Z)) return 0;
+                r->Z_is_one = 0;
+                return 1;
+                }
+
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        n0 = BN_CTX_get(ctx);
+        n1 = BN_CTX_get(ctx);
+        n2 = BN_CTX_get(ctx);
+        n3 = BN_CTX_get(ctx);
+        if (n3 == NULL) goto err;
+
+        /* Note that in this function we must not read components of 'a'
+         * once we have written the corresponding components of 'r'.
+         * ('r' might the same as 'a'.)
+         */
+
+        /* n1 */
+        if (a->Z_is_one)
+                {
+                if (!field_sqr(group, n0, &a->X, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
+                if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
+                if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
+                /* n1 = 3 * X_a^2 + a_curve */
+                }
+        else if (group->a_is_minus3)
+                {
+                if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
+                if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
+                if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
+                if (!field_mul(group, n1, n0, n2, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
+                if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
+                /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
+                 *    = 3 * X_a^2 - 3 * Z_a^4 */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &a->X, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
+                if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
+                if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
+                if (!field_sqr(group, n1, n1, ctx)) goto err;
+                if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
+                if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
+                /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
+                }
+
+        /* Z_r */
+        if (a->Z_is_one)
+                {
+                if (!BN_copy(n0, &a->Y)) goto err;
+                }
+        else
+                {
+                if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
+                }
+        if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
+        r->Z_is_one = 0;
+        /* Z_r = 2 * Y_a * Z_a */
+
+        /* n2 */
+        if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
+        if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
+        if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
+        /* n2 = 4 * X_a * Y_a^2 */
+
+        /* X_r */
+        if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
+        if (!field_sqr(group, &r->X, n1, ctx)) goto err;
+        if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
+        /* X_r = n1^2 - 2 * n2 */
+        
+        /* n3 */
+        if (!field_sqr(group, n0, n3, ctx)) goto err;
+        if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
+        /* n3 = 8 * Y_a^4 */
+        
+        /* Y_r */
+        if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
+        if (!field_mul(group, n0, n1, n0, ctx)) goto err;
+        if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
+        /* Y_r = n1 * (n2 - X_r) - n3 */
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
+                /* point is its own inverse */
+                return 1;
+        
+        return BN_usub(&point->Y, &group->field, &point->Y);
+        }
+
+
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+        {
+        return BN_is_zero(&point->Z);
+        }
+
+
+int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
+        int ret = -1;
+
+        if (EC_POINT_is_at_infinity(group, point))
+                return 1;
+        
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return -1;
+                }
+
+        BN_CTX_start(ctx);
+        rh = BN_CTX_get(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        Z4 = BN_CTX_get(ctx);
+        Z6 = BN_CTX_get(ctx);
+        if (Z6 == NULL) goto err;
+
+        /* We have a curve defined by a Weierstrass equation
+         *      y^2 = x^3 + a*x + b.
+         * The point to consider is given in Jacobian projective coordinates
+         * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
+         * Substituting this and multiplying by  Z^6  transforms the above equation into
+         *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
+         * To test this, we add up the right-hand side in 'rh'.
+         */
+
+        /* rh := X^3 */
+        if (!field_sqr(group, rh, &point->X, ctx)) goto err;
+        if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
+
+        if (!point->Z_is_one)
+                {
+                if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
+                if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
+                if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
+
+                /* rh := rh + a*X*Z^4 */
+                if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
+                if (group->a_is_minus3)
+                        {
+                        if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
+                        if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
+                        if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+                        }
+                else
+                        {
+                        if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
+                        if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+                        }
+
+                /* rh := rh + b*Z^6 */
+                if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
+                if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
+                }
+        else
+                {
+                /* point->Z_is_one */
+
+                /* rh := rh + a*X */
+                if (group->a_is_minus3)
+                        {
+                        if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
+                        if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
+                        if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+                        }
+                else
+                        {
+                        if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
+                        if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+                        }
+
+                /* rh := rh + b */
+                if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
+                }
+
+        /* 'lh' := Y^2 */
+        if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
+
+        ret = (0 == BN_cmp(tmp1, rh));
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        /* return values:
+         *  -1   error
+         *   0   equal (in affine coordinates)
+         *   1   not equal
+         */
+
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
+        const BIGNUM *tmp1_, *tmp2_;
+        int ret = -1;
+        
+        if (EC_POINT_is_at_infinity(group, a))
+                {
+                return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
+                }
+        
+        if (a->Z_is_one && b->Z_is_one)
+                {
+                return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
+                }
+
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return -1;
+                }
+
+        BN_CTX_start(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        Za23 = BN_CTX_get(ctx);
+        Zb23 = BN_CTX_get(ctx);
+        if (Zb23 == NULL) goto end;
+
+        /* We have to decide whether
+         *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
+         * or equivalently, whether
+         *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
+         */
+
+        if (!b->Z_is_one)
+                {
+                if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
+                if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
+                tmp1_ = tmp1;
+                }
+        else
+                tmp1_ = &a->X;
+        if (!a->Z_is_one)
+                {
+                if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
+                if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
+                tmp2_ = tmp2;
+                }
+        else
+                tmp2_ = &b->X;
+        
+        /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
+        if (BN_cmp(tmp1_, tmp2_) != 0)
+                {
+                ret = 1; /* points differ */
+                goto end;
+                }
+
+
+        if (!b->Z_is_one)
+                {
+                if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
+                if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
+                /* tmp1_ = tmp1 */
+                }
+        else
+                tmp1_ = &a->Y;
+        if (!a->Z_is_one)
+                {
+                if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
+                if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
+                /* tmp2_ = tmp2 */
+                }
+        else
+                tmp2_ = &b->Y;
+
+        /* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
+        if (BN_cmp(tmp1_, tmp2_) != 0)
+                {
+                ret = 1; /* points differ */
+                goto end;
+                }
+
+        /* points are equal */
+        ret = 0;
+
+ end:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *x, *y;
+        int ret = 0;
+
+        if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
+                return 1;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+        if (!point->Z_is_one)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp0, *tmp1;
+        size_t pow2 = 0;
+        BIGNUM **heap = NULL;
+        size_t i;
+        int ret = 0;
+
+        if (num == 0)
+                return 1;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        tmp0 = BN_CTX_get(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        if (tmp0  == NULL || tmp1 == NULL) goto err;
+
+        /* Before converting the individual points, compute inverses of all Z values.
+         * Modular inversion is rather slow, but luckily we can do with a single
+         * explicit inversion, plus about 3 multiplications per input value.
+         */
+
+        pow2 = 1;
+        while (num > pow2)
+                pow2 <<= 1;
+        /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
+         * We need twice that. */
+        pow2 <<= 1;
+
+        heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
+        if (heap == NULL) goto err;
+        
+        /* The array is used as a binary tree, exactly as in heapsort:
+         *
+         *                               heap[1]
+         *                 heap[2]                     heap[3]
+         *          heap[4]       heap[5]       heap[6]       heap[7]
+         *   heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
+         *
+         * We put the Z's in the last line;
+         * then we set each other node to the product of its two child-nodes (where
+         * empty or 0 entries are treated as ones);
+         * then we invert heap[1];
+         * then we invert each other node by replacing it by the product of its
+         * parent (after inversion) and its sibling (before inversion).
+         */
+        heap[0] = NULL;
+        for (i = pow2/2 - 1; i > 0; i--)
+                heap[i] = NULL;
+        for (i = 0; i < num; i++)
+                heap[pow2/2 + i] = &points[i]->Z;
+        for (i = pow2/2 + num; i < pow2; i++)
+                heap[i] = NULL;
+        
+        /* set each node to the product of its children */
+        for (i = pow2/2 - 1; i > 0; i--)
+                {
+                heap[i] = BN_new();
+                if (heap[i] == NULL) goto err;
+                
+                if (heap[2*i] != NULL)
+                        {
+                        if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
+                                {
+                                if (!BN_copy(heap[i], heap[2*i])) goto err;
+                                }
+                        else
+                                {
+                                if (BN_is_zero(heap[2*i]))
+                                        {
+                                        if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
+                                        }
+                                else
+                                        {
+                                        if (!group->meth->field_mul(group, heap[i],
+                                                heap[2*i], heap[2*i + 1], ctx)) goto err;
+                                        }
+                                }
+                        }
+                }
+
+        /* invert heap[1] */
+        if (!BN_is_zero(heap[1]))
+                {
+                if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                }
+        if (group->meth->field_encode != 0)
+                {
+                /* in the Montgomery case, we just turned  R*H  (representing H)
+                 * into  1/(R*H),  but we need  R*(1/H)  (representing 1/H);
+                 * i.e. we have need to multiply by the Montgomery factor twice */
+                if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+                if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+                }
+
+        /* set other heap[i]'s to their inverses */
+        for (i = 2; i < pow2/2 + num; i += 2)
+                {
+                /* i is even */
+                if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
+                        {
+                        if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
+                        if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
+                        if (!BN_copy(heap[i], tmp0)) goto err;
+                        if (!BN_copy(heap[i + 1], tmp1)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_copy(heap[i], heap[i/2])) goto err;
+                        }
+                }
+
+        /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
+        for (i = 0; i < num; i++)
+                {
+                EC_POINT *p = points[i];
+                
+                if (!BN_is_zero(&p->Z))
+                        {
+                        /* turn  (X, Y, 1/Z)  into  (X/Z^2, Y/Z^3, 1) */
+
+                        if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
+                        if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
+
+                        if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
+                        if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
+                
+                        if (group->meth->field_set_to_one != 0)
+                                {
+                                if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!BN_one(&p->Z)) goto err;
+                                }
+                        p->Z_is_one = 1;
+                        }
+                }
+
+        ret = 1;
+                
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (heap != NULL)
+                {
+                /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
+                for (i = pow2/2 - 1; i > 0; i--)
+                        {
+                        if (heap[i] != NULL)
+                                BN_clear_free(heap[i]);
+                        }
+                OPENSSL_free(heap);
+                }
+        return ret;
+        }
+
+
+int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        return BN_mod_mul(r, a, b, &group->field, ctx);
+        }
+
+
+int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        return BN_mod_sqr(r, a, &group->field, ctx);
+        }
diff --git a/src/lib/libcrypto/engine/README b/src/lib/libcrypto/engine/README
new file mode 100644
index 0000000000..96595e6f35
--- /dev/null
+++ b/src/lib/libcrypto/engine/README
@@ -0,0 +1,278 @@
+NOTES, THOUGHTS, and EVERYTHING
+-------------------------------
+
+(1) Concurrency and locking ... I made a change to the ENGINE_free code
+    because I spotted a potential hold-up in proceedings (doing too
+    much inside a lock including calling a callback), there may be
+    other bits like this. What do the speed/optimisation freaks think
+    of this aspect of the code and design? There's lots of locking for
+    manipulation functions and I need that to keep things nice and
+    solid, but this manipulation is mostly (de)initialisation, I would
+    think that most run-time locking is purely in the ENGINE_init and
+    ENGINE_finish calls that might be made when getting handles for
+    RSA (and friends') structures. These would be mostly reference
+    count operations as the functional references should always be 1
+    or greater at run-time to prevent init/deinit thrashing.
+
+(2) nCipher support, via the HWCryptoHook API, is now in the code.
+    Apparently this hasn't been tested too much yet, but it looks
+    good. :-) Atalla support has been added too, but shares a lot in
+    common with Ben's original hooks in bn_exp.c (although it has been
+    ENGINE-ified, and error handling wrapped around it) and it's also
+    had some low-volume testing, so it should be usable.
+
+(3) Of more concern, we need to work out (a) how to put together usable
+    RAND_METHODs for units that just have one "get n or less random
+    bytes" function, (b) we also need to determine how to hook the code
+    in crypto/rand/ to use the ENGINE defaults in a way similar to what
+    has been done in crypto/rsa/, crypto/dsa/, etc.
+
+(4) ENGINE should really grow to encompass more than 3 public key
+    algorithms and randomness gathering. The structure/data level of
+    the engine code is hidden from code outside the crypto/engine/
+    directory so change shouldn't be too viral. More important though
+    is how things should evolve ... this needs thought and discussion.
+
+
+-----------------------------------==*==-----------------------------------
+
+More notes 2000-08-01
+---------------------
+
+Geoff Thorpe, who designed the engine part, wrote a pretty good description
+of the thoughts he had when he built it, good enough to include verbatim here
+(with his permission)                                   -- Richard Levitte
+
+
+Date: Tue, 1 Aug 2000 16:54:08 +0100 (BST)
+From: Geoff Thorpe
+Subject: Re: The thoughts to merge BRANCH_engine into the main trunk are
+ emerging
+
+Hi there,
+
+I'm going to try and do some justice to this, but I'm a little short on
+time and the there is an endless amount that could be discussed on this
+subject. sigh ... please bear with me :-)
+
+> The changes in BRANCH_engine dig deep into the core of OpenSSL, for example
+> into the RSA and RAND routines, adding a level of indirection which is needed
+> to keep the abstraction, as far as I understand.  It would be a good thing if
+> those who do play with those things took a look at the changes that have been
+> done in the branch and say out loud how much (or hopefully little) we've made
+> fools of ourselves.
+
+The point here is that the code that has emerged in the BRANCH_engine
+branch was based on some initial requirements of mine that I went in and
+addressed, and Richard has picked up the ball and run with it too. It
+would be really useful to get some review of the approach we've taken, but
+first I think I need to describe as best I can the reasons behind what has
+been done so far, in particular what issues we have tried to address when
+doing this, and what issues we have intentionally (or necessarily) tried
+to avoid.
+
+methods, engines, and evps
+--------------------------
+
+There has been some dicussion, particularly with Steve, about where this
+ENGINE stuff might fit into the conceptual picture as/when we start to
+abstract algorithms a little bit to make the library more extensible. In
+particular, it would desirable to have algorithms (symmetric, hash, pkc,
+etc) abstracted in some way that allows them to be just objects sitting in
+a list (or database) ... it'll just happen that the "DSA" object doesn't
+support encryption whereas the "RSA" object does. This requires a lot of
+consideration to begin to know how to tackle it; in particular how
+encapsulated should these things be? If the objects also understand their
+own ASN1 encodings and what-not, then it would for example be possible to
+add support for elliptic-curve DSA in as a new algorithm and automatically
+have ECC-DSA certificates supported in SSL applications. Possible, but not
+easy. :-)
+
+Whatever, it seems that the way to go (if I've grok'd Steve's comments on
+this in the past) is to amalgamate these things in EVP as is already done
+(I think) for ciphers or hashes (Steve, please correct/elaborate). I
+certainly think something should be done in this direction because right
+now we have different source directories, types, functions, and methods
+for each algorithm - even when conceptually they are very much different
+feathers of the same bird. (This is certainly all true for the public-key
+stuff, and may be partially true for the other parts.)
+
+ENGINE was *not* conceived as a way of solving this, far from it. Nor was
+it conceived as a way of replacing the various "***_METHOD"s. It was
+conceived as an abstraction of a sort of "virtual crypto device". If we
+lived in a world where "EVP_ALGO"s (or something like them) encapsulated
+particular algorithms like RSA,DSA,MD5,RC4,etc, and "***_METHOD"s
+encapsulated interfaces to algorithms (eg. some algo's might support a
+PKC_METHOD, a HASH_METHOD, or a CIPHER_METHOD, who knows?), then I would
+think that ENGINE would encapsulate an implementation of arbitrarily many
+of those algorithms - perhaps as alternatives to existing algorithms
+and/or perhaps as new previously unimplemented algorithms. An ENGINE could
+be used to contain an alternative software implementation, a wrapper for a
+hardware acceleration and/or key-management unit, a comms-wrapper for
+distributing cryptographic operations to remote machines, or any other
+"devices" your imagination can dream up.
+
+However, what has been done in the ENGINE branch so far is nothing more
+than starting to get our toes wet. I had a couple of self-imposed
+requirements when putting the initial abstraction together, and I may have
+already posed these in one form or another on the list, but briefly;
+
+   (i) only bother with public key algorithms for now, and maybe RAND too
+       (motivated by the need to get hardware support going and the fact
+       this was a comparitively easy subset to address to begin with).
+
+  (ii) don't change (if at all possible) the existing crypto code, ie. the
+       implementations, the way the ***_METHODs work, etc.
+
+ (iii) ensure that if no function from the ENGINE code is ever called then
+       things work the way they always did, and there is no memory
+       allocation (otherwise the failure to cleanup would be a problem -
+       this is part of the reason no STACKs were used, the other part of
+       the reason being I found them inappropriate).
+
+  (iv) ensure that all the built-in crypto was encapsulated by one of
+       these "ENGINE"s and that this engine was automatically selected as
+       the default.
+
+   (v) provide the minimum hooking possible in the existing crypto code
+       so that global functions (eg. RSA_public_encrypt) do not need any
+       extra parameter, yet will use whatever the current default ENGINE
+       for that RSA key is, and that the default can be set "per-key"
+       and globally (new keys will assume the global default, and keys
+       without their own default will be operated on using the global
+       default). NB: Try and make (v) conflict as little as possible with
+       (ii). :-)
+
+  (vi) wrap the ENGINE code up in duct tape so you can't even see the
+       corners. Ie. expose no structures at all, just black-box pointers.
+
+   (v) maintain internally a list of ENGINEs on which a calling
+       application can iterate, interrogate, etc. Allow a calling
+       application to hook in new ENGINEs, remove ENGINEs from the list,
+       and enforce uniqueness within the global list of each ENGINE's
+       "unique id".
+
+  (vi) keep reference counts for everything - eg. this includes storing a
+       reference inside each RSA structure to the ENGINE that it uses.
+       This is freed when the RSA structure is destroyed, or has its
+       ENGINE explicitly changed. The net effect needs to be that at any
+       time, it is deterministic to know whether an ENGINE is in use or
+       can be safely removed (or unloaded in the case of the other type
+       of reference) without invalidating function pointers that may or
+       may not be used indavertently in the future. This was actually
+       one of the biggest problems to overcome in the existing OpenSSL
+       code - implementations had always been assumed to be ever-present,
+       so there was no trivial way to get round this.
+
+ (vii) distinguish between structural references and functional
+       references.
+
+A *little* detail
+-----------------
+
+While my mind is on it; I'll illustrate the bit in item (vii). This idea
+turned out to be very handy - the ENGINEs themselves need to be operated
+on and manipulated simply as objects without necessarily trying to
+"enable" them for use. Eg. most host machines will not have the necessary
+hardware or software to support all the engines one might compile into
+OpenSSL, yet it needs to be possible to iterate across the ENGINEs,
+querying their names, properties, etc - all happening in a thread-safe
+manner that uses reference counts (if you imagine two threads iterating
+through a list and one thread removing the ENGINE the other is currently
+looking at - you can see the gotcha waiting to happen). For all of this,
+*structural references* are used and operate much like the other reference
+counts in OpenSSL.
+
+The other kind of reference count is for *functional* references - these
+indicate a reference on which the caller can actually assume the
+particular ENGINE to be initialised and usable to perform the operations
+it implements. Any increment or decrement of the functional reference
+count automatically invokes a corresponding change in the structural
+reference count, as it is fairly obvious that a functional reference is a
+restricted case of a structural reference. So struct_ref >= funct_ref at
+all times. NB: functional references are usually obtained by a call to
+ENGINE_init(), but can also be created implicitly by calls that require a
+new functional reference to be created, eg. ENGINE_set_default(). Either
+way the only time the underlying ENGINE's "init" function is really called
+is when the (functional) reference count increases to 1, similarly the
+underlying "finish" handler is only called as the count goes down to 0.
+The effect of this, for example, is that if you set the default ENGINE for
+RSA operations to be "cswift", then its functional reference count will
+already be at least 1 so the CryptoSwift shared-library and the card will
+stay loaded and initialised until such time as all RSA keys using the
+cswift ENGINE are changed or destroyed and the default ENGINE for RSA
+operations has been changed. This prevents repeated thrashing of init and
+finish handling if the count keeps getting down as far as zero.
+
+Otherwise, the way the ENGINE code has been put together I think pretty
+much reflects the above points. The reason for the ENGINE structure having
+individual RSA_METHOD, DSA_METHOD, etc pointers is simply that it was the
+easiest way to go about things for now, to hook it all into the raw
+RSA,DSA,etc code, and I was trying to the keep the structure invisible
+anyway so that the way this is internally managed could be easily changed
+later on when we start to work out what's to be done about these other
+abstractions.
+
+Down the line, if some EVP-based technique emerges for adequately
+encapsulating algorithms and all their various bits and pieces, then I can
+imagine that "ENGINE" would turn into a reference-counting database of
+these EVP things, of which the default "openssl" ENGINE would be the
+library's own object database of pre-built software implemented algorithms
+(and such). It would also be cool to see the idea of "METHOD"s detached
+from the algorithms themselves ... so RSA, DSA, ElGamal, etc can all
+expose essentially the same METHOD (aka interface), which would include
+any querying/flagging stuff to identify what the algorithm can/can't do,
+its name, and other stuff like max/min block sizes, key sizes, etc. This
+would result in ENGINE similarly detaching its internal database of
+algorithm implementations from the function definitions that return
+interfaces to them. I think ...
+
+As for DSOs etc. Well the DSO code is pretty handy (but could be made much
+more so) for loading vendor's driver-libraries and talking to them in some
+generic way, but right now there's still big problems associated with
+actually putting OpenSSL code (ie. new ENGINEs, or anything else for that
+matter) in dynamically loadable libraries. These problems won't go away in
+a hurry so I don't think we should expect to have any kind of
+shared-library extensions any time soon - but solving the problems is a
+good thing to aim for, and would as a side-effect probably help make
+OpenSSL more usable as a shared-library itself (looking at the things
+needed to do this will show you why).
+
+One of the problems is that if you look at any of the ENGINE
+implementations, eg. hw_cswift.c or hw_ncipher.c, you'll see how it needs
+a variety of functionality and definitions from various areas of OpenSSL,
+including crypto/bn/, crypto/err/, crypto/ itself (locking for example),
+crypto/dso/, crypto/engine/, crypto/rsa, etc etc etc. So if similar code
+were to be suctioned off into shared libraries, the shared libraries would
+either have to duplicate all the definitions and code and avoid loader
+conflicts, or OpenSSL would have to somehow expose all that functionality
+to the shared-library. If this isn't a big enough problem, the issue of
+binary compatibility will be - anyone writing Apache modules can tell you
+that (Ralf? Ben? :-). However, I don't think OpenSSL would need to be
+quite so forgiving as Apache should be, so OpenSSL could simply tell its
+version to the DSO and leave the DSO with the problem of deciding whether
+to proceed or bail out for fear of binary incompatibilities.
+
+Certainly one thing that would go a long way to addressing this is to
+embark on a bit of an opaqueness mission. I've set the ENGINE code up with
+this in mind - it's so draconian that even to declare your own ENGINE, you
+have to get the engine code to create the underlying ENGINE structure, and
+then feed in the new ENGINE's function/method pointers through various
+"set" functions. The more of the code that takes on such a black-box
+approach, the more of the code that will be (a) easy to expose to shared
+libraries that need it, and (b) easy to expose to applications wanting to
+use OpenSSL itself as a shared-library. From my own explorations in
+OpenSSL, the biggest leviathan I've seen that is a problem in this respect
+is the BIGNUM code. Trying to "expose" the bignum code through any kind of
+organised "METHODs", let alone do all the necessary bignum operations
+solely through functions rather than direct access to the structures and
+macros, will be a massive pain in the "r"s.
+
+Anyway, I'm done for now - hope it was readable. Thoughts?
+
+Cheers,
+Geoff
+
+
+-----------------------------------==*==-----------------------------------
+
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
new file mode 100644
index 0000000000..a35b3db9e8
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -0,0 +1,118 @@
+/* crypto/engine/eng_all.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+#ifdef __OpenBSD__
+static int openbsd_default_loaded = 0;
+#endif
+
+void ENGINE_load_builtin_engines(void)
+        {
+        /* There's no longer any need for an "openssl" ENGINE unless, one day,
+         * it is the *only* way for standard builtin implementations to be be
+         * accessed (ie. it would be possible to statically link binaries with
+         * *no* builtin implementations). */
+#if 0
+        ENGINE_load_openssl();
+#endif
+        ENGINE_load_dynamic();
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_CSWIFT
+        ENGINE_load_cswift();
+#endif
+#ifndef OPENSSL_NO_HW_NCIPHER
+        ENGINE_load_chil();
+#endif
+#ifndef OPENSSL_NO_HW_ATALLA
+        ENGINE_load_atalla();
+#endif
+#ifndef OPENSSL_NO_HW_NURON
+        ENGINE_load_nuron();
+#endif
+#ifndef OPENSSL_NO_HW_UBSEC
+        ENGINE_load_ubsec();
+#endif
+#ifndef OPENSSL_NO_HW_AEP
+        ENGINE_load_aep();
+#endif
+#ifndef OPENSSL_NO_HW_SUREWARE
+        ENGINE_load_sureware();
+#endif
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+        ENGINE_load_openbsd_dev_crypto();
+#endif
+#ifdef __OpenBSD__
+        ENGINE_load_cryptodev();
+#endif
+#endif
+        }
+
+#ifdef __OpenBSD__
+void ENGINE_setup_openbsd(void) {
+        if (!openbsd_default_loaded) {
+                ENGINE_load_cryptodev();
+                ENGINE_register_all_complete();
+        }
+        openbsd_default_loaded=1;
+}
+#endif
+
+
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
new file mode 100644
index 0000000000..8c0ae8a1ad
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -0,0 +1,242 @@
+/* eng_cnf.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+/* #define ENGINE_CONF_DEBUG */
+
+/* ENGINE config module */
+
+static char *skip_dot(char *name)
+        {
+        char *p;
+        p = strchr(name, '.');
+        if (p)
+                return p + 1;
+        return name;
+        }
+
+static STACK_OF(ENGINE) *initialized_engines = NULL;
+
+static int int_engine_init(ENGINE *e)
+        {
+        if (!ENGINE_init(e))
+                return 0;
+        if (!initialized_engines)
+                initialized_engines = sk_ENGINE_new_null();
+        if (!initialized_engines || !sk_ENGINE_push(initialized_engines, e))
+                {
+                ENGINE_finish(e);
+                return 0;
+                }
+        return 1;
+        }
+        
+
+int int_engine_configure(char *name, char *value, const CONF *cnf)
+        {
+        int i;
+        int ret = 0;
+        long do_init = -1;
+        STACK_OF(CONF_VALUE) *ecmds;
+        CONF_VALUE *ecmd;
+        char *ctrlname, *ctrlvalue;
+        ENGINE *e = NULL;
+        name = skip_dot(name);
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "Configuring engine %s\n", name);
+#endif
+        /* Value is a section containing ENGINE commands */
+        ecmds = NCONF_get_section(cnf, value);
+
+        if (!ecmds)
+                {
+                ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_SECTION_ERROR);
+                return 0;
+                }
+
+        for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++)
+                {
+                ecmd = sk_CONF_VALUE_value(ecmds, i);
+                ctrlname = skip_dot(ecmd->name);
+                ctrlvalue = ecmd->value;
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "ENGINE conf: doing ctrl(%s,%s)\n", ctrlname, ctrlvalue);
+#endif
+
+                /* First handle some special pseudo ctrls */
+
+                /* Override engine name to use */
+                if (!strcmp(ctrlname, "engine_id"))
+                        name = ctrlvalue;
+                /* Load a dynamic ENGINE */
+                else if (!strcmp(ctrlname, "dynamic_path"))
+                        {
+                        e = ENGINE_by_id("dynamic");
+                        if (!e)
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", ctrlvalue, 0))
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "LIST_ADD", "2", 0))
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
+                                goto err;
+                        }
+                /* ... add other pseudos here ... */
+                else
+                        {
+                        /* At this point we need an ENGINE structural reference
+                         * if we don't already have one.
+                         */
+                        if (!e)
+                                {
+                                e = ENGINE_by_id(name);
+                                if (!e)
+                                        return 0;
+                                }
+                        /* Allow "EMPTY" to mean no value: this allows a valid
+                         * "value" to be passed to ctrls of type NO_INPUT
+                         */
+                        if (!strcmp(ctrlvalue, "EMPTY"))
+                                ctrlvalue = NULL;
+                        else if (!strcmp(ctrlname, "init"))
+                                {
+                                if (!NCONF_get_number_e(cnf, value, "init", &do_init))
+                                        goto err;
+                                if (do_init == 1)
+                                        {
+                                        if (!int_engine_init(e))
+                                                goto err;
+                                        }
+                                else if (do_init != 0)
+                                        {
+                                        ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_INVALID_INIT_VALUE);
+                                        goto err;
+                                        }
+                                }
+                        else if (!strcmp(ctrlname, "default_algorithms"))
+                                {
+                                if (!ENGINE_set_default_string(e, ctrlvalue))
+                                        goto err;
+                                }
+                        else if (!ENGINE_ctrl_cmd_string(e,
+                                        ctrlname, ctrlvalue, 0))
+                                return 0;
+                        }
+
+
+
+                }
+        if (e && (do_init == -1) && !int_engine_init(e))
+                goto err;
+        ret = 1;
+        err:
+        if (e)
+                ENGINE_free(e);
+        return ret;
+        }
+
+
+static int int_engine_module_init(CONF_IMODULE *md, const CONF *cnf)
+        {
+        STACK_OF(CONF_VALUE) *elist;
+        CONF_VALUE *cval;
+        int i;
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "Called engine module: name %s, value %s\n",
+                        CONF_imodule_get_name(md), CONF_imodule_get_value(md));
+#endif
+        /* Value is a section containing ENGINEs to configure */
+        elist = NCONF_get_section(cnf, CONF_imodule_get_value(md));
+
+        if (!elist)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_MODULE_INIT, ENGINE_R_ENGINES_SECTION_ERROR);
+                return 0;
+                }
+
+        for (i = 0; i < sk_CONF_VALUE_num(elist); i++)
+                {
+                cval = sk_CONF_VALUE_value(elist, i);
+                if (!int_engine_configure(cval->name, cval->value, cnf))
+                        return 0;
+                }
+
+        return 1;
+        }
+
+static void int_engine_module_finish(CONF_IMODULE *md)
+        {
+        ENGINE *e;
+        while ((e = sk_ENGINE_pop(initialized_engines)))
+                ENGINE_finish(e);
+        sk_ENGINE_free(initialized_engines);
+        initialized_engines = NULL;
+        }
+        
+
+void ENGINE_add_conf_module(void)
+        {
+        CONF_module_add("engines",
+                        int_engine_module_init,
+                        int_engine_module_finish);
+        }
diff --git a/src/lib/libcrypto/engine/eng_ctrl.c b/src/lib/libcrypto/engine/eng_ctrl.c
new file mode 100644
index 0000000000..ad3858395b
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_ctrl.c
@@ -0,0 +1,387 @@
+/* crypto/engine/eng_ctrl.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* When querying a ENGINE-specific control command's 'description', this string
+ * is used if the ENGINE_CMD_DEFN has cmd_desc set to NULL. */
+static const char *int_no_description = "";
+
+/* These internal functions handle 'CMD'-related control commands when the
+ * ENGINE in question has asked us to take care of it (ie. the ENGINE did not
+ * set the ENGINE_FLAGS_MANUAL_CMD_CTRL flag. */
+
+static int int_ctrl_cmd_is_null(const ENGINE_CMD_DEFN *defn)
+        {
+        if((defn->cmd_num == 0) || (defn->cmd_name == NULL))
+                return 1;
+        return 0;
+        }
+
+static int int_ctrl_cmd_by_name(const ENGINE_CMD_DEFN *defn, const char *s)
+        {
+        int idx = 0;
+        while(!int_ctrl_cmd_is_null(defn) && (strcmp(defn->cmd_name, s) != 0))
+                {
+                idx++;
+                defn++;
+                }
+        if(int_ctrl_cmd_is_null(defn))
+                /* The given name wasn't found */
+                return -1;
+        return idx;
+        }
+
+static int int_ctrl_cmd_by_num(const ENGINE_CMD_DEFN *defn, unsigned int num)
+        {
+        int idx = 0;
+        /* NB: It is stipulated that 'cmd_defn' lists are ordered by cmd_num. So
+         * our searches don't need to take any longer than necessary. */
+        while(!int_ctrl_cmd_is_null(defn) && (defn->cmd_num < num))
+                {
+                idx++;
+                defn++;
+                }
+        if(defn->cmd_num == num)
+                return idx;
+        /* The given cmd_num wasn't found */
+        return -1;
+        }
+
+static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int idx;
+        char *s = (char *)p;
+        /* Take care of the easy one first (eg. it requires no searches) */
+        if(cmd == ENGINE_CTRL_GET_FIRST_CMD_TYPE)
+                {
+                if((e->cmd_defns == NULL) || int_ctrl_cmd_is_null(e->cmd_defns))
+                        return 0;
+                return e->cmd_defns->cmd_num;
+                }
+        /* One or two commands require that "p" be a valid string buffer */
+        if((cmd == ENGINE_CTRL_GET_CMD_FROM_NAME) ||
+                        (cmd == ENGINE_CTRL_GET_NAME_FROM_CMD) ||
+                        (cmd == ENGINE_CTRL_GET_DESC_FROM_CMD))
+                {
+                if(s == NULL)
+                        {
+                        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                        return -1;
+                        }
+                }
+        /* Now handle cmd_name -> cmd_num conversion */
+        if(cmd == ENGINE_CTRL_GET_CMD_FROM_NAME)
+                {
+                if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_name(
+                                                e->cmd_defns, s)) < 0))
+                        {
+                        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                                ENGINE_R_INVALID_CMD_NAME);
+                        return -1;
+                        }
+                return e->cmd_defns[idx].cmd_num;
+                }
+        /* For the rest of the commands, the 'long' argument must specify a
+         * valie command number - so we need to conduct a search. */
+        if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_num(e->cmd_defns,
+                                        (unsigned int)i)) < 0))
+                {
+                ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                        ENGINE_R_INVALID_CMD_NUMBER);
+                return -1;
+                }
+        /* Now the logic splits depending on command type */
+        switch(cmd)
+                {
+        case ENGINE_CTRL_GET_NEXT_CMD_TYPE:
+                idx++;
+                if(int_ctrl_cmd_is_null(e->cmd_defns + idx))
+                        /* end-of-list */
+                        return 0;
+                else
+                        return e->cmd_defns[idx].cmd_num;
+        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
+                return strlen(e->cmd_defns[idx].cmd_name);
+        case ENGINE_CTRL_GET_NAME_FROM_CMD:
+                return sprintf(s, "%s", e->cmd_defns[idx].cmd_name);
+        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
+                if(e->cmd_defns[idx].cmd_desc)
+                        return strlen(e->cmd_defns[idx].cmd_desc);
+                return strlen(int_no_description);
+        case ENGINE_CTRL_GET_DESC_FROM_CMD:
+                if(e->cmd_defns[idx].cmd_desc)
+                        return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc);
+                return sprintf(s, "%s", int_no_description);
+        case ENGINE_CTRL_GET_CMD_FLAGS:
+                return e->cmd_defns[idx].cmd_flags;
+                }
+        /* Shouldn't really be here ... */
+        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,ENGINE_R_INTERNAL_LIST_ERROR);
+        return -1;
+        }
+
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int ctrl_exists, ref_exists;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ref_exists = ((e->struct_ref > 0) ? 1 : 0);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        ctrl_exists = ((e->ctrl == NULL) ? 0 : 1);
+        if(!ref_exists)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE);
+                return 0;
+                }
+        /* Intercept any "root-level" commands before trying to hand them on to
+         * ctrl() handlers. */
+        switch(cmd)
+                {
+        case ENGINE_CTRL_HAS_CTRL_FUNCTION:
+                return ctrl_exists;
+        case ENGINE_CTRL_GET_FIRST_CMD_TYPE:
+        case ENGINE_CTRL_GET_NEXT_CMD_TYPE:
+        case ENGINE_CTRL_GET_CMD_FROM_NAME:
+        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
+        case ENGINE_CTRL_GET_NAME_FROM_CMD:
+        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
+        case ENGINE_CTRL_GET_DESC_FROM_CMD:
+        case ENGINE_CTRL_GET_CMD_FLAGS:
+                if(ctrl_exists && !(e->flags & ENGINE_FLAGS_MANUAL_CMD_CTRL))
+                        return int_ctrl_helper(e,cmd,i,p,f);
+                if(!ctrl_exists)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+                        /* For these cmd-related functions, failure is indicated
+                         * by a -1 return value (because 0 is used as a valid
+                         * return in some places). */
+                        return -1;
+                        }
+        default:
+                break;
+                }
+        /* Anything else requires a ctrl() handler to exist. */
+        if(!ctrl_exists)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+                return 0;
+                }
+        return e->ctrl(e, cmd, i, p, f);
+        }
+
+int ENGINE_cmd_is_executable(ENGINE *e, int cmd)
+        {
+        int flags;
+        if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, cmd, NULL, NULL)) < 0)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,
+                        ENGINE_R_INVALID_CMD_NUMBER);
+                return 0;
+                }
+        if(!(flags & ENGINE_CMD_FLAG_NO_INPUT) &&
+                        !(flags & ENGINE_CMD_FLAG_NUMERIC) &&
+                        !(flags & ENGINE_CMD_FLAG_STRING))
+                return 0;
+        return 1;
+        }
+
+int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
+        long i, void *p, void (*f)(), int cmd_optional)
+        {
+        int num;
+
+        if((e == NULL) || (cmd_name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e,
+                                        ENGINE_CTRL_GET_CMD_FROM_NAME,
+                                        0, (void *)cmd_name, NULL)) <= 0))
+                {
+                /* If the command didn't *have* to be supported, we fake
+                 * success. This allows certain settings to be specified for
+                 * multiple ENGINEs and only require a change of ENGINE id
+                 * (without having to selectively apply settings). Eg. changing
+                 * from a hardware device back to the regular software ENGINE
+                 * without editing the config file, etc. */
+                if(cmd_optional)
+                        {
+                        ERR_clear_error();
+                        return 1;
+                        }
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD,
+                        ENGINE_R_INVALID_CMD_NAME);
+                return 0;
+                }
+        /* Force the result of the control command to 0 or 1, for the reasons
+         * mentioned before. */
+        if (ENGINE_ctrl(e, num, i, p, f))
+                return 1;
+        return 0;
+        }
+
+int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
+                                int cmd_optional)
+        {
+        int num, flags;
+        long l;
+        char *ptr;
+        if((e == NULL) || (cmd_name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e,
+                                        ENGINE_CTRL_GET_CMD_FROM_NAME,
+                                        0, (void *)cmd_name, NULL)) <= 0))
+                {
+                /* If the command didn't *have* to be supported, we fake
+                 * success. This allows certain settings to be specified for
+                 * multiple ENGINEs and only require a change of ENGINE id
+                 * (without having to selectively apply settings). Eg. changing
+                 * from a hardware device back to the regular software ENGINE
+                 * without editing the config file, etc. */
+                if(cmd_optional)
+                        {
+                        ERR_clear_error();
+                        return 1;
+                        }
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INVALID_CMD_NAME);
+                return 0;
+                }
+        if(!ENGINE_cmd_is_executable(e, num))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_CMD_NOT_EXECUTABLE);
+                return 0;
+                }
+        if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num, NULL, NULL)) < 0)
+                {
+                /* Shouldn't happen, given that ENGINE_cmd_is_executable()
+                 * returned success. */
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                return 0;
+                }
+        /* If the command takes no input, there must be no input. And vice
+         * versa. */
+        if(flags & ENGINE_CMD_FLAG_NO_INPUT)
+                {
+                if(arg != NULL)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                                ENGINE_R_COMMAND_TAKES_NO_INPUT);
+                        return 0;
+                        }
+                /* We deliberately force the result of ENGINE_ctrl() to 0 or 1
+                 * rather than returning it as "return data". This is to ensure
+                 * usage of these commands is consistent across applications and
+                 * that certain applications don't understand it one way, and
+                 * others another. */
+                if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+                        return 1;
+                return 0;
+                }
+        /* So, we require input */
+        if(arg == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_COMMAND_TAKES_INPUT);
+                return 0;
+                }
+        /* If it takes string input, that's easy */
+        if(flags & ENGINE_CMD_FLAG_STRING)
+                {
+                /* Same explanation as above */
+                if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+                        return 1;
+                return 0;
+                }
+        /* If it doesn't take numeric either, then it is unsupported for use in
+         * a config-setting situation, which is what this function is for. This
+         * should never happen though, because ENGINE_cmd_is_executable() was
+         * used. */
+        if(!(flags & ENGINE_CMD_FLAG_NUMERIC))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                return 0;
+                }
+        l = strtol(arg, &ptr, 10);
+        if((arg == ptr) || (*ptr != '\0'))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER);
+                return 0;
+                }
+        /* Force the result of the control command to 0 or 1, for the reasons
+         * mentioned before. */
+        if(ENGINE_ctrl(e, num, l, NULL, NULL))
+                return 1;
+        return 0;
+        }
diff --git a/src/lib/libcrypto/engine/eng_dyn.c b/src/lib/libcrypto/engine/eng_dyn.c
new file mode 100644
index 0000000000..4fefcc0cae
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_dyn.c
@@ -0,0 +1,446 @@
+/* crypto/engine/eng_dyn.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+
+/* Shared libraries implementing ENGINEs for use by the "dynamic" ENGINE loader
+ * should implement the hook-up functions with the following prototypes. */
+
+/* Our ENGINE handlers */
+static int dynamic_init(ENGINE *e);
+static int dynamic_finish(ENGINE *e);
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+/* Predeclare our context type */
+typedef struct st_dynamic_data_ctx dynamic_data_ctx;
+/* The implementation for the important control command */
+static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);
+
+#define DYNAMIC_CMD_SO_PATH             ENGINE_CMD_BASE
+#define DYNAMIC_CMD_NO_VCHECK           (ENGINE_CMD_BASE + 1)
+#define DYNAMIC_CMD_ID                  (ENGINE_CMD_BASE + 2)
+#define DYNAMIC_CMD_LIST_ADD            (ENGINE_CMD_BASE + 3)
+#define DYNAMIC_CMD_LOAD                (ENGINE_CMD_BASE + 4)
+
+/* The constants used when creating the ENGINE */
+static const char *engine_dynamic_id = "dynamic";
+static const char *engine_dynamic_name = "Dynamic engine loading support";
+static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
+        {DYNAMIC_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the new ENGINE shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {DYNAMIC_CMD_NO_VCHECK,
+                "NO_VCHECK",
+                "Specifies to continue even if version checking fails (boolean)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {DYNAMIC_CMD_ID,
+                "ID",
+                "Specifies an ENGINE id name for loading",
+                ENGINE_CMD_FLAG_STRING},
+        {DYNAMIC_CMD_LIST_ADD,
+                "LIST_ADD",
+                "Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {DYNAMIC_CMD_LOAD,
+                "LOAD",
+                "Load up the ENGINE specified by other settings",
+                ENGINE_CMD_FLAG_NO_INPUT},
+        {0, NULL, NULL, 0}
+        };
+static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
+        {0, NULL, NULL, 0}
+        };
+
+/* Loading code stores state inside the ENGINE structure via the "ex_data"
+ * element. We load all our state into a single structure and use that as a
+ * single context in the "ex_data" stack. */
+struct st_dynamic_data_ctx
+        {
+        /* The DSO object we load that supplies the ENGINE code */
+        DSO *dynamic_dso;
+        /* The function pointer to the version checking shared library function */
+        dynamic_v_check_fn v_check;
+        /* The function pointer to the engine-binding shared library function */
+        dynamic_bind_engine bind_engine;
+        /* The default name/path for loading the shared library */
+        const char *DYNAMIC_LIBNAME;
+        /* Whether to continue loading on a version check failure */
+        int no_vcheck;
+        /* If non-NULL, stipulates the 'id' of the ENGINE to be loaded */
+        const char *engine_id;
+        /* If non-zero, a successfully loaded ENGINE should be added to the internal
+         * ENGINE list. If 2, the add must succeed or the entire load should fail. */
+        int list_add_value;
+        /* The symbol name for the version checking function */
+        const char *DYNAMIC_F1;
+        /* The symbol name for the "initialise ENGINE structure" function */
+        const char *DYNAMIC_F2;
+        };
+
+/* This is the "ex_data" index we obtain and reserve for use with our context
+ * structure. */
+static int dynamic_ex_data_idx = -1;
+
+/* Because our ex_data element may or may not get allocated depending on whether
+ * a "first-use" occurs before the ENGINE is freed, we have a memory leak
+ * problem to solve. We can't declare a "new" handler for the ex_data as we
+ * don't want a dynamic_data_ctx in *all* ENGINE structures of all types (this
+ * is a bug in the design of CRYPTO_EX_DATA). As such, we just declare a "free"
+ * handler and that will get called if an ENGINE is being destroyed and there
+ * was an ex_data element corresponding to our context type. */
+static void dynamic_data_ctx_free_func(void *parent, void *ptr,
+                        CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
+        {
+        if(ptr)
+                {
+                dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
+                if(ctx->dynamic_dso)
+                        DSO_free(ctx->dynamic_dso);
+                OPENSSL_free(ctx);
+                }
+        }
+
+/* Construct the per-ENGINE context. We create it blindly and then use a lock to
+ * check for a race - if so, all but one of the threads "racing" will have
+ * wasted their time. The alternative involves creating everything inside the
+ * lock which is far worse. */
+static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
+        {
+        dynamic_data_ctx *c;
+        c = OPENSSL_malloc(sizeof(dynamic_data_ctx));
+        if(!ctx)
+                {
+                ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        memset(c, 0, sizeof(dynamic_data_ctx));
+        c->dynamic_dso = NULL;
+        c->v_check = NULL;
+        c->bind_engine = NULL;
+        c->DYNAMIC_LIBNAME = NULL;
+        c->no_vcheck = 0;
+        c->engine_id = NULL;
+        c->list_add_value = 0;
+        c->DYNAMIC_F1 = "v_check";
+        c->DYNAMIC_F2 = "bind_engine";
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
+                                dynamic_ex_data_idx)) == NULL)
+                {
+                /* Good, we're the first */
+                ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
+                *ctx = c;
+                c = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        /* If we lost the race to set the context, c is non-NULL and *ctx is the
+         * context of the thread that won. */
+        if(c)
+                OPENSSL_free(c);
+        return 1;
+        }
+
+/* This function retrieves the context structure from an ENGINE's "ex_data", or
+ * if it doesn't exist yet, sets it up. */
+static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
+        {
+        dynamic_data_ctx *ctx;
+        if(dynamic_ex_data_idx < 0)
+                {
+                /* Create and register the ENGINE ex_data, and associate our
+                 * "free" function with it to ensure any allocated contexts get
+                 * freed when an ENGINE goes underground. */
+                int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
+                                        dynamic_data_ctx_free_func);
+                if(new_idx == -1)
+                        {
+                        ENGINEerr(ENGINE_F_DYNAMIC_GET_DATA_CTX,ENGINE_R_NO_INDEX);
+                        return NULL;
+                        }
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                /* Avoid a race by checking again inside this lock */
+                if(dynamic_ex_data_idx < 0)
+                        {
+                        /* Good, someone didn't beat us to it */
+                        dynamic_ex_data_idx = new_idx;
+                        new_idx = -1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                /* In theory we could "give back" the index here if
+                 * (new_idx>-1), but it's not possible and wouldn't gain us much
+                 * if it were. */
+                }
+        ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
+        /* Check if the context needs to be created */
+        if((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
+                /* "set_data" will set errors if necessary */
+                return NULL;
+        return ctx;
+        }
+
+static ENGINE *engine_dynamic(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!ENGINE_set_id(ret, engine_dynamic_id) ||
+                        !ENGINE_set_name(ret, engine_dynamic_name) ||
+                        !ENGINE_set_init_function(ret, dynamic_init) ||
+                        !ENGINE_set_finish_function(ret, dynamic_finish) ||
+                        !ENGINE_set_ctrl_function(ret, dynamic_ctrl) ||
+                        !ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) ||
+                        !ENGINE_set_cmd_defns(ret, dynamic_cmd_defns))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_dynamic(void)
+        {
+        ENGINE *toadd = engine_dynamic();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        /* If the "add" worked, it gets a structural reference. So either way,
+         * we release our just-created reference. */
+        ENGINE_free(toadd);
+        /* If the "add" didn't work, it was probably a conflict because it was
+         * already added (eg. someone calling ENGINE_load_blah then calling
+         * ENGINE_load_builtin_engines() perhaps). */
+        ERR_clear_error();
+        }
+
+static int dynamic_init(ENGINE *e)
+        {
+        /* We always return failure - the "dyanamic" engine itself can't be used
+         * for anything. */
+        return 0;
+        }
+
+static int dynamic_finish(ENGINE *e)
+        {
+        /* This should never be called on account of "dynamic_init" always
+         * failing. */
+        return 0;
+        }
+
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);
+        int initialised;
+        
+        if(!ctx)
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_CTRL,ENGINE_R_NOT_LOADED);
+                return 0;
+                }
+        initialised = ((ctx->dynamic_dso == NULL) ? 0 : 1);
+        /* All our control commands require the ENGINE to be uninitialised */
+        if(initialised)
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+                        ENGINE_R_ALREADY_LOADED);
+                return 0;
+                }
+        switch(cmd)
+                {
+        case DYNAMIC_CMD_SO_PATH:
+                /* a NULL 'p' or a string of zero-length is the same thing */
+                if(p && (strlen((const char *)p) < 1))
+                        p = NULL;
+                ctx->DYNAMIC_LIBNAME = (const char *)p;
+                return 1;
+        case DYNAMIC_CMD_NO_VCHECK:
+                ctx->no_vcheck = ((i == 0) ? 0 : 1);
+                return 1;
+        case DYNAMIC_CMD_ID:
+                /* a NULL 'p' or a string of zero-length is the same thing */
+                if(p && (strlen((const char *)p) < 1))
+                        p = NULL;
+                ctx->engine_id = (const char *)p;
+                return 1;
+        case DYNAMIC_CMD_LIST_ADD:
+                if((i < 0) || (i > 2))
+                        {
+                        ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+                                ENGINE_R_INVALID_ARGUMENT);
+                        return 0;
+                        }
+                ctx->list_add_value = (int)i;
+                return 1;
+        case DYNAMIC_CMD_LOAD:
+                return dynamic_load(e, ctx);
+        default:
+                break;
+                }
+        ENGINEerr(ENGINE_F_DYNAMIC_CTRL,ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
+        {
+        ENGINE cpy;
+        dynamic_fns fns;
+
+        if(!ctx->DYNAMIC_LIBNAME || ((ctx->dynamic_dso = DSO_load(NULL,
+                                ctx->DYNAMIC_LIBNAME, NULL, 0)) == NULL))
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                        ENGINE_R_DSO_NOT_FOUND);
+                return 0;
+                }
+        /* We have to find a bind function otherwise it'll always end badly */
+        if(!(ctx->bind_engine = (dynamic_bind_engine)DSO_bind_func(
+                                        ctx->dynamic_dso, ctx->DYNAMIC_F2)))
+                {
+                ctx->bind_engine = NULL;
+                DSO_free(ctx->dynamic_dso);
+                ctx->dynamic_dso = NULL;
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                        ENGINE_R_DSO_FAILURE);
+                return 0;
+                }
+        /* Do we perform version checking? */
+        if(!ctx->no_vcheck)
+                {
+                unsigned long vcheck_res = 0;
+                /* Now we try to find a version checking function and decide how
+                 * to cope with failure if/when it fails. */
+                ctx->v_check = (dynamic_v_check_fn)DSO_bind_func(
+                                ctx->dynamic_dso, ctx->DYNAMIC_F1);
+                if(ctx->v_check)
+                        vcheck_res = ctx->v_check(OSSL_DYNAMIC_VERSION);
+                /* We fail if the version checker veto'd the load *or* if it is
+                 * deferring to us (by returning its version) and we think it is
+                 * too old. */
+                if(vcheck_res < OSSL_DYNAMIC_OLDEST)
+                        {
+                        /* Fail */
+                        ctx->bind_engine = NULL;
+                        ctx->v_check = NULL;
+                        DSO_free(ctx->dynamic_dso);
+                        ctx->dynamic_dso = NULL;
+                        ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                                ENGINE_R_VERSION_INCOMPATIBILITY);
+                        return 0;
+                        }
+                }
+        /* First binary copy the ENGINE structure so that we can roll back if
+         * the hand-over fails */
+        memcpy(&cpy, e, sizeof(ENGINE));
+        /* Provide the ERR, "ex_data", memory, and locking callbacks so the
+         * loaded library uses our state rather than its own. FIXME: As noted in
+         * engine.h, much of this would be simplified if each area of code
+         * provided its own "summary" structure of all related callbacks. It
+         * would also increase opaqueness. */
+        fns.err_fns = ERR_get_implementation();
+        fns.ex_data_fns = CRYPTO_get_ex_data_implementation();
+        CRYPTO_get_mem_functions(&fns.mem_fns.malloc_cb,
+                                &fns.mem_fns.realloc_cb,
+                                &fns.mem_fns.free_cb);
+        fns.lock_fns.lock_locking_cb = CRYPTO_get_locking_callback();
+        fns.lock_fns.lock_add_lock_cb = CRYPTO_get_add_lock_callback();
+        fns.lock_fns.dynlock_create_cb = CRYPTO_get_dynlock_create_callback();
+        fns.lock_fns.dynlock_lock_cb = CRYPTO_get_dynlock_lock_callback();
+        fns.lock_fns.dynlock_destroy_cb = CRYPTO_get_dynlock_destroy_callback();
+        /* Now that we've loaded the dynamic engine, make sure no "dynamic"
+         * ENGINE elements will show through. */
+        engine_set_all_null(e);
+
+        /* Try to bind the ENGINE onto our own ENGINE structure */
+        if(!ctx->bind_engine(e, ctx->engine_id, &fns))
+                {
+                ctx->bind_engine = NULL;
+                ctx->v_check = NULL;
+                DSO_free(ctx->dynamic_dso);
+                ctx->dynamic_dso = NULL;
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,ENGINE_R_INIT_FAILED);
+                /* Copy the original ENGINE structure back */
+                memcpy(e, &cpy, sizeof(ENGINE));
+                return 0;
+                }
+        /* Do we try to add this ENGINE to the internal list too? */
+        if(ctx->list_add_value > 0)
+                {
+                if(!ENGINE_add(e))
+                        {
+                        /* Do we tolerate this or fail? */
+                        if(ctx->list_add_value > 1)
+                                {
+                                /* Fail - NB: By this time, it's too late to
+                                 * rollback, and trying to do so allows the
+                                 * bind_engine() code to have created leaks. We
+                                 * just have to fail where we are, after the
+                                 * ENGINE has changed. */
+                                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                                        ENGINE_R_CONFLICTING_ENGINE_ID);
+                                return 0;
+                                }
+                        /* Tolerate */
+                        ERR_clear_error();
+                        }
+                }
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c
new file mode 100644
index 0000000000..f6c5630395
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_err.c
@@ -0,0 +1,165 @@
+/* crypto/engine/eng_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/engine.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ENGINE_str_functs[]=
+        {
+{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0),   "DYNAMIC_CTRL"},
+{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0),   "DYNAMIC_GET_DATA_CTX"},
+{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0),   "DYNAMIC_LOAD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),     "ENGINE_add"},
+{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),   "ENGINE_by_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0),       "ENGINE_cmd_is_executable"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),    "ENGINE_ctrl"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0),        "ENGINE_ctrl_cmd"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0), "ENGINE_ctrl_cmd_string"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),  "ENGINE_finish"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),    "ENGINE_free"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0),      "ENGINE_get_cipher"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),        "ENGINE_GET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0),      "ENGINE_get_digest"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),        "ENGINE_get_next"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),        "ENGINE_get_prev"},
+{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),    "ENGINE_init"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),        "ENGINE_LIST_ADD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),     "ENGINE_LIST_REMOVE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),        "ENGINE_load_private_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0), "ENGINE_load_public_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),     "ENGINE_MODULE_INIT"},
+{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),     "ENGINE_new"},
+{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),  "ENGINE_remove"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0),      "ENGINE_set_default_string"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),        "ENGINE_SET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),  "ENGINE_set_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),        "ENGINE_set_name"},
+{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),  "ENGINE_TABLE_REGISTER"},
+{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),      "ENGINE_UNLOAD_KEY"},
+{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),        "INT_CTRL_HELPER"},
+{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),   "INT_ENGINE_CONFIGURE"},
+{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),    "LOG_MESSAGE"},
+{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),   "SET_DATA_CTX"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ENGINE_str_reasons[]=
+        {
+{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
+{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER       ,"argument is not a number"},
+{ENGINE_R_CMD_NOT_EXECUTABLE             ,"cmd not executable"},
+{ENGINE_R_COMMAND_TAKES_INPUT            ,"command takes input"},
+{ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
+{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
+{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
+{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
+{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
+{ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
+{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
+{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
+{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
+{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
+{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
+{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
+{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
+{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
+{ENGINE_R_INIT_FAILED                    ,"init failed"},
+{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
+{ENGINE_R_INVALID_ARGUMENT               ,"invalid argument"},
+{ENGINE_R_INVALID_CMD_NAME               ,"invalid cmd name"},
+{ENGINE_R_INVALID_CMD_NUMBER             ,"invalid cmd number"},
+{ENGINE_R_INVALID_INIT_VALUE             ,"invalid init value"},
+{ENGINE_R_INVALID_STRING                 ,"invalid string"},
+{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
+{ENGINE_R_NOT_LOADED                     ,"not loaded"},
+{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
+{ENGINE_R_NO_INDEX                       ,"no index"},
+{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
+{ENGINE_R_NO_REFERENCE                   ,"no reference"},
+{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
+{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
+{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
+{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
+{ENGINE_R_UNIMPLEMENTED_CIPHER           ,"unimplemented cipher"},
+{ENGINE_R_UNIMPLEMENTED_DIGEST           ,"unimplemented digest"},
+{ENGINE_R_VERSION_INCOMPATIBILITY        ,"version incompatibility"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_ENGINE_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
+                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c
new file mode 100644
index 0000000000..af918b1499
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -0,0 +1,148 @@
+/* crypto/engine/eng_fat.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+
+int ENGINE_set_default(ENGINE *e, unsigned int flags)
+        {
+        if((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e))
+                return 0;
+        if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
+                return 0;
+#ifndef OPENSSL_NO_RSA
+        if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e))
+                return 0;
+#endif
+#ifndef OPENSSL_NO_DSA
+        if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e))
+                return 0;
+#endif
+#ifndef OPENSSL_NO_DH
+        if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e))
+                return 0;
+#endif
+        if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e))
+                return 0;
+        return 1;
+        }
+
+/* Set default algorithms using a string */
+
+int int_def_cb(const char *alg, int len, void *arg)
+        {
+        unsigned int *pflags = arg;
+        if (!strncmp(alg, "ALL", len))
+                *pflags |= ENGINE_METHOD_ALL;
+        else if (!strncmp(alg, "RSA", len))
+                *pflags |= ENGINE_METHOD_RSA;
+        else if (!strncmp(alg, "DSA", len))
+                *pflags |= ENGINE_METHOD_DSA;
+        else if (!strncmp(alg, "DH", len))
+                *pflags |= ENGINE_METHOD_DH;
+        else if (!strncmp(alg, "RAND", len))
+                *pflags |= ENGINE_METHOD_RAND;
+        else if (!strncmp(alg, "CIPHERS", len))
+                *pflags |= ENGINE_METHOD_CIPHERS;
+        else if (!strncmp(alg, "DIGESTS", len))
+                *pflags |= ENGINE_METHOD_DIGESTS;
+        else
+                return 0;
+        return 1;
+        }
+
+
+int ENGINE_set_default_string(ENGINE *e, const char *list)
+        {
+        unsigned int flags = 0;
+        if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING,
+                                        ENGINE_R_INVALID_STRING);
+                ERR_add_error_data(2, "str=",list);
+                return 0;
+                }
+        return ENGINE_set_default(e, flags);
+        }
+
+int ENGINE_register_complete(ENGINE *e)
+        {
+        ENGINE_register_ciphers(e);
+        ENGINE_register_digests(e);
+#ifndef OPENSSL_NO_RSA
+        ENGINE_register_RSA(e);
+#endif
+#ifndef OPENSSL_NO_DSA
+        ENGINE_register_DSA(e);
+#endif
+#ifndef OPENSSL_NO_DH
+        ENGINE_register_DH(e);
+#endif
+        ENGINE_register_RAND(e);
+        return 1;
+        }
+
+int ENGINE_register_all_complete(void)
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e)) {
+                ENGINE_register_complete(e);
+        }
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/eng_init.c b/src/lib/libcrypto/engine/eng_init.c
new file mode 100644
index 0000000000..cc9396e863
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_init.c
@@ -0,0 +1,158 @@
+/* crypto/engine/eng_init.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* Initialise a engine type for use (or up its functional reference count
+ * if it's already in use). This version is only used internally. */
+int engine_unlocked_init(ENGINE *e)
+        {
+        int to_return = 1;
+
+        if((e->funct_ref == 0) && e->init)
+                /* This is the first functional reference and the engine
+                 * requires initialisation so we do it now. */
+                to_return = e->init(e);
+        if(to_return)
+                {
+                /* OK, we return a functional reference which is also a
+                 * structural reference. */
+                e->struct_ref++;
+                e->funct_ref++;
+                engine_ref_debug(e, 0, 1)
+                engine_ref_debug(e, 1, 1)
+                }
+        return to_return;
+        }
+
+/* Free a functional reference to a engine type. This version is only used
+ * internally. */
+int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
+        {
+        int to_return = 1;
+
+        /* Reduce the functional reference count here so if it's the terminating
+         * case, we can release the lock safely and call the finish() handler
+         * without risk of a race. We get a race if we leave the count until
+         * after and something else is calling "finish" at the same time -
+         * there's a chance that both threads will together take the count from
+         * 2 to 0 without either calling finish(). */
+        e->funct_ref--;
+        engine_ref_debug(e, 1, -1);
+        if((e->funct_ref == 0) && e->finish)
+                {
+                if(unlock_for_handlers)
+                        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                to_return = e->finish(e);
+                if(unlock_for_handlers)
+                        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                if(!to_return)
+                        return 0;
+                }
+#ifdef REF_CHECK
+        if(e->funct_ref < 0)
+                {
+                fprintf(stderr,"ENGINE_finish, bad functional reference count\n");
+                abort();
+                }
+#endif
+        /* Release the structural reference too */
+        if(!engine_free_util(e, 0))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+                return 0;
+                }
+        return to_return;
+        }
+
+/* The API (locked) version of "init" */
+int ENGINE_init(ENGINE *e)
+        {
+        int ret;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_INIT,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_unlocked_init(e);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+/* The API (locked) version of "finish" */
+int ENGINE_finish(ENGINE *e)
+        {
+        int to_return = 1;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        to_return = engine_unlocked_finish(e, 1);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if(!to_return)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+                return 0;
+                }
+        return to_return;
+        }
+
diff --git a/src/lib/libcrypto/engine/eng_int.h b/src/lib/libcrypto/engine/eng_int.h
new file mode 100644
index 0000000000..38335f99cd
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_int.h
@@ -0,0 +1,185 @@
+/* crypto/engine/eng_int.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_INT_H
+#define HEADER_ENGINE_INT_H
+
+/* Take public definitions from engine.h */
+#include <openssl/engine.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* If we compile with this symbol defined, then both reference counts in the
+ * ENGINE structure will be monitored with a line of output on stderr for each
+ * change. This prints the engine's pointer address (truncated to unsigned int),
+ * "struct" or "funct" to indicate the reference type, the before and after
+ * reference count, and the file:line-number pair. The "engine_ref_debug"
+ * statements must come *after* the change. */
+#ifdef ENGINE_REF_COUNT_DEBUG
+
+#define engine_ref_debug(e, isfunct, diff) \
+        fprintf(stderr, "engine: %08x %s from %d to %d (%s:%d)\n", \
+                (unsigned int)(e), (isfunct ? "funct" : "struct"), \
+                ((isfunct) ? ((e)->funct_ref - (diff)) : ((e)->struct_ref - (diff))), \
+                ((isfunct) ? (e)->funct_ref : (e)->struct_ref), \
+                (__FILE__), (__LINE__));
+
+#else
+
+#define engine_ref_debug(e, isfunct, diff)
+
+#endif
+
+/* Any code that will need cleanup operations should use these functions to
+ * register callbacks. ENGINE_cleanup() will call all registered callbacks in
+ * order. NB: both the "add" functions assume CRYPTO_LOCK_ENGINE to already be
+ * held (in "write" mode). */
+typedef void (ENGINE_CLEANUP_CB)(void);
+typedef struct st_engine_cleanup_item
+        {
+        ENGINE_CLEANUP_CB *cb;
+        } ENGINE_CLEANUP_ITEM;
+DECLARE_STACK_OF(ENGINE_CLEANUP_ITEM)
+void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
+void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
+
+/* We need stacks of ENGINEs for use in eng_table.c */
+DECLARE_STACK_OF(ENGINE)
+
+/* If this symbol is defined then engine_table_select(), the function that is
+ * used by RSA, DSA (etc) code to select registered ENGINEs, cache defaults and
+ * functional references (etc), will display debugging summaries to stderr. */
+/* #define ENGINE_TABLE_DEBUG */
+
+/* This represents an implementation table. Dependent code should instantiate it
+ * as a (ENGINE_TABLE *) pointer value set initially to NULL. */
+typedef struct st_engine_table ENGINE_TABLE;
+int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
+                ENGINE *e, const int *nids, int num_nids, int setdefault);
+void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e);
+void engine_table_cleanup(ENGINE_TABLE **table);
+#ifndef ENGINE_TABLE_DEBUG
+ENGINE *engine_table_select(ENGINE_TABLE **table, int nid);
+#else
+ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, int l);
+#define engine_table_select(t,n) engine_table_select_tmp(t,n,__FILE__,__LINE__)
+#endif
+
+/* Internal versions of API functions that have control over locking. These are
+ * used between C files when functionality needs to be shared but the caller may
+ * already be controlling of the CRYPTO_LOCK_ENGINE lock. */
+int engine_unlocked_init(ENGINE *e);
+int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers);
+int engine_free_util(ENGINE *e, int locked);
+
+/* This function will reset all "set"able values in an ENGINE to NULL. This
+ * won't touch reference counts or ex_data, but is equivalent to calling all the
+ * ENGINE_set_***() functions with a NULL value. */
+void engine_set_all_null(ENGINE *e);
+
+/* NB: Bitwise OR-able values for the "flags" variable in ENGINE are now exposed
+ * in engine.h. */
+
+/* This is a structure for storing implementations of various crypto
+ * algorithms and functions. */
+struct engine_st
+        {
+        const char *id;
+        const char *name;
+        const RSA_METHOD *rsa_meth;
+        const DSA_METHOD *dsa_meth;
+        const DH_METHOD *dh_meth;
+        const RAND_METHOD *rand_meth;
+        /* Cipher handling is via this callback */
+        ENGINE_CIPHERS_PTR ciphers;
+        /* Digest handling is via this callback */
+        ENGINE_DIGESTS_PTR digests;
+
+
+        ENGINE_GEN_INT_FUNC_PTR destroy;
+
+        ENGINE_GEN_INT_FUNC_PTR init;
+        ENGINE_GEN_INT_FUNC_PTR finish;
+        ENGINE_CTRL_FUNC_PTR ctrl;
+        ENGINE_LOAD_KEY_PTR load_privkey;
+        ENGINE_LOAD_KEY_PTR load_pubkey;
+
+        const ENGINE_CMD_DEFN *cmd_defns;
+        int flags;
+        /* reference count on the structure itself */
+        int struct_ref;
+        /* reference count on usability of the engine type. NB: This
+         * controls the loading and initialisation of any functionlity
+         * required by this engine, whereas the previous count is
+         * simply to cope with (de)allocation of this structure. Hence,
+         * running_ref <= struct_ref at all times. */
+        int funct_ref;
+        /* A place to store per-ENGINE data */
+        CRYPTO_EX_DATA ex_data;
+        /* Used to maintain the linked-list of engines. */
+        struct engine_st *prev;
+        struct engine_st *next;
+        };
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* HEADER_ENGINE_INT_H */
diff --git a/src/lib/libcrypto/engine/eng_lib.c b/src/lib/libcrypto/engine/eng_lib.c
new file mode 100644
index 0000000000..a66d0f08af
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_lib.c
@@ -0,0 +1,321 @@
+/* crypto/engine/eng_lib.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/rand.h> /* FIXME: This shouldn't be needed */
+#include <openssl/engine.h>
+
+/* The "new"/"free" stuff first */
+
+ENGINE *ENGINE_new(void)
+        {
+        ENGINE *ret;
+
+        ret = (ENGINE *)OPENSSL_malloc(sizeof(ENGINE));
+        if(ret == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        memset(ret, 0, sizeof(ENGINE));
+        ret->struct_ref = 1;
+        engine_ref_debug(ret, 0, 1)
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ENGINE, ret, &ret->ex_data);
+        return ret;
+        }
+
+/* Placed here (close proximity to ENGINE_new) so that modifications to the
+ * elements of the ENGINE structure are more likely to be caught and changed
+ * here. */
+void engine_set_all_null(ENGINE *e)
+        {
+        e->id = NULL;
+        e->name = NULL;
+        e->rsa_meth = NULL;
+        e->dsa_meth = NULL;
+        e->dh_meth = NULL;
+        e->rand_meth = NULL;
+        e->ciphers = NULL;
+        e->digests = NULL;
+        e->destroy = NULL;
+        e->init = NULL;
+        e->finish = NULL;
+        e->ctrl = NULL;
+        e->load_privkey = NULL;
+        e->load_pubkey = NULL;
+        e->cmd_defns = NULL;
+        e->flags = 0;
+        }
+
+int engine_free_util(ENGINE *e, int locked)
+        {
+        int i;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FREE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if(locked)
+                i = CRYPTO_add(&e->struct_ref,-1,CRYPTO_LOCK_ENGINE);
+        else
+                i = --e->struct_ref;
+        engine_ref_debug(e, 0, -1)
+        if (i > 0) return 1;
+#ifdef REF_CHECK
+        if (i < 0)
+                {
+                fprintf(stderr,"ENGINE_free, bad structural reference count\n");
+                abort();
+                }
+#endif
+        /* Give the ENGINE a chance to do any structural cleanup corresponding
+         * to allocation it did in its constructor (eg. unload error strings) */
+        if(e->destroy)
+                e->destroy(e);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
+        OPENSSL_free(e);
+        return 1;
+        }
+
+int ENGINE_free(ENGINE *e)
+        {
+        return engine_free_util(e, 1);
+        }
+
+/* Cleanup stuff */
+
+/* ENGINE_cleanup() is coded such that anything that does work that will need
+ * cleanup can register a "cleanup" callback here. That way we don't get linker
+ * bloat by referring to all *possible* cleanups, but any linker bloat into code
+ * "X" will cause X's cleanup function to end up here. */
+static STACK_OF(ENGINE_CLEANUP_ITEM) *cleanup_stack = NULL;
+static int int_cleanup_check(int create)
+        {
+        if(cleanup_stack) return 1;
+        if(!create) return 0;
+        cleanup_stack = sk_ENGINE_CLEANUP_ITEM_new_null();
+        return (cleanup_stack ? 1 : 0);
+        }
+static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item = OPENSSL_malloc(sizeof(
+                                        ENGINE_CLEANUP_ITEM));
+        if(!item) return NULL;
+        item->cb = cb;
+        return item;
+        }
+void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item;
+        if(!int_cleanup_check(1)) return;
+        item = int_cleanup_item(cb);
+        if(item)
+                sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0);
+        }
+void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item;
+        if(!int_cleanup_check(1)) return;
+        item = int_cleanup_item(cb);
+        if(item)
+                sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item);
+        }
+/* The API function that performs all cleanup */
+static void engine_cleanup_cb_free(ENGINE_CLEANUP_ITEM *item)
+        {
+        (*(item->cb))();
+        OPENSSL_free(item);
+        }
+void ENGINE_cleanup(void)
+        {
+        if(int_cleanup_check(0))
+                {
+                sk_ENGINE_CLEANUP_ITEM_pop_free(cleanup_stack,
+                        engine_cleanup_cb_free);
+                cleanup_stack = NULL;
+                }
+        /* FIXME: This should be handled (somehow) through RAND, eg. by it
+         * registering a cleanup callback. */
+        RAND_set_rand_method(NULL);
+        }
+
+/* Now the "ex_data" support */
+
+int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ENGINE, argl, argp,
+                        new_func, dup_func, free_func);
+        }
+
+int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg)
+        {
+        return(CRYPTO_set_ex_data(&e->ex_data, idx, arg));
+        }
+
+void *ENGINE_get_ex_data(const ENGINE *e, int idx)
+        {
+        return(CRYPTO_get_ex_data(&e->ex_data, idx));
+        }
+
+/* Functions to get/set an ENGINE's elements - mainly to avoid exposing the
+ * ENGINE structure itself. */
+
+int ENGINE_set_id(ENGINE *e, const char *id)
+        {
+        if(id == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_ID,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        e->id = id;
+        return 1;
+        }
+
+int ENGINE_set_name(ENGINE *e, const char *name)
+        {
+        if(name == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_NAME,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        e->name = name;
+        return 1;
+        }
+
+int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f)
+        {
+        e->destroy = destroy_f;
+        return 1;
+        }
+
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f)
+        {
+        e->init = init_f;
+        return 1;
+        }
+
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f)
+        {
+        e->finish = finish_f;
+        return 1;
+        }
+
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f)
+        {
+        e->ctrl = ctrl_f;
+        return 1;
+        }
+
+int ENGINE_set_flags(ENGINE *e, int flags)
+        {
+        e->flags = flags;
+        return 1;
+        }
+
+int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns)
+        {
+        e->cmd_defns = defns;
+        return 1;
+        }
+
+const char *ENGINE_get_id(const ENGINE *e)
+        {
+        return e->id;
+        }
+
+const char *ENGINE_get_name(const ENGINE *e)
+        {
+        return e->name;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e)
+        {
+        return e->destroy;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e)
+        {
+        return e->init;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e)
+        {
+        return e->finish;
+        }
+
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e)
+        {
+        return e->ctrl;
+        }
+
+int ENGINE_get_flags(const ENGINE *e)
+        {
+        return e->flags;
+        }
+
+const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e)
+        {
+        return e->cmd_defns;
+        }
diff --git a/src/lib/libcrypto/engine/eng_list.c b/src/lib/libcrypto/engine/eng_list.c
new file mode 100644
index 0000000000..ce48d2255a
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_list.c
@@ -0,0 +1,383 @@
+/* crypto/engine/eng_list.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* The linked-list of pointers to engine types. engine_list_head
+ * incorporates an implicit structural reference but engine_list_tail
+ * does not - the latter is a computational niceity and only points
+ * to something that is already pointed to by its predecessor in the
+ * list (or engine_list_head itself). In the same way, the use of the
+ * "prev" pointer in each ENGINE is to save excessive list iteration,
+ * it doesn't correspond to an extra structural reference. Hence,
+ * engine_list_head, and each non-null "next" pointer account for
+ * the list itself assuming exactly 1 structural reference on each
+ * list member. */
+static ENGINE *engine_list_head = NULL;
+static ENGINE *engine_list_tail = NULL;
+
+/* This cleanup function is only needed internally. If it should be called, we
+ * register it with the "ENGINE_cleanup()" stack to be called during cleanup. */
+
+static void engine_list_cleanup(void)
+        {
+        ENGINE *iterator = engine_list_head;
+
+        while(iterator != NULL)
+                {
+                ENGINE_remove(iterator);
+                iterator = engine_list_head;
+                }
+        return;
+        }
+
+/* These static functions starting with a lower case "engine_" always
+ * take place when CRYPTO_LOCK_ENGINE has been locked up. */
+static int engine_list_add(ENGINE *e)
+        {
+        int conflict = 0;
+        ENGINE *iterator = NULL;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        iterator = engine_list_head;
+        while(iterator && !conflict)
+                {
+                conflict = (strcmp(iterator->id, e->id) == 0);
+                iterator = iterator->next;
+                }
+        if(conflict)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                        ENGINE_R_CONFLICTING_ENGINE_ID);
+                return 0;
+                }
+        if(engine_list_head == NULL)
+                {
+                /* We are adding to an empty list. */
+                if(engine_list_tail)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                                ENGINE_R_INTERNAL_LIST_ERROR);
+                        return 0;
+                        }
+                engine_list_head = e;
+                e->prev = NULL;
+                /* The first time the list allocates, we should register the
+                 * cleanup. */
+                engine_cleanup_add_last(engine_list_cleanup);
+                }
+        else
+                {
+                /* We are adding to the tail of an existing list. */
+                if((engine_list_tail == NULL) ||
+                                (engine_list_tail->next != NULL))
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                                ENGINE_R_INTERNAL_LIST_ERROR);
+                        return 0;
+                        }
+                engine_list_tail->next = e;
+                e->prev = engine_list_tail;
+                }
+        /* Having the engine in the list assumes a structural
+         * reference. */
+        e->struct_ref++;
+        engine_ref_debug(e, 0, 1)
+        /* However it came to be, e is the last item in the list. */
+        engine_list_tail = e;
+        e->next = NULL;
+        return 1;
+        }
+
+static int engine_list_remove(ENGINE *e)
+        {
+        ENGINE *iterator;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        /* We need to check that e is in our linked list! */
+        iterator = engine_list_head;
+        while(iterator && (iterator != e))
+                iterator = iterator->next;
+        if(iterator == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+                        ENGINE_R_ENGINE_IS_NOT_IN_LIST);
+                return 0;
+                }
+        /* un-link e from the chain. */
+        if(e->next)
+                e->next->prev = e->prev;
+        if(e->prev)
+                e->prev->next = e->next;
+        /* Correct our head/tail if necessary. */
+        if(engine_list_head == e)
+                engine_list_head = e->next;
+        if(engine_list_tail == e)
+                engine_list_tail = e->prev;
+        engine_free_util(e, 0);
+        return 1;
+        }
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void)
+        {
+        ENGINE *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_list_head;
+        if(ret)
+                {
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+ENGINE *ENGINE_get_last(void)
+        {
+        ENGINE *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+                ret = engine_list_tail;
+        if(ret)
+                {
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e)
+        {
+        ENGINE *ret = NULL;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_NEXT,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = e->next;
+        if(ret)
+                {
+                /* Return a valid structural refernce to the next ENGINE */
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        /* Release the structural reference to the previous ENGINE */
+        ENGINE_free(e);
+        return ret;
+        }
+
+ENGINE *ENGINE_get_prev(ENGINE *e)
+        {
+        ENGINE *ret = NULL;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_PREV,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = e->prev;
+        if(ret)
+                {
+                /* Return a valid structural reference to the next ENGINE */
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        /* Release the structural reference to the previous ENGINE */
+        ENGINE_free(e);
+        return ret;
+        }
+
+/* Add another "ENGINE" type into the list. */
+int ENGINE_add(ENGINE *e)
+        {
+        int to_return = 1;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->id == NULL) || (e->name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ENGINE_R_ID_OR_NAME_MISSING);
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!engine_list_add(e))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                to_return = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return to_return;
+        }
+
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e)
+        {
+        int to_return = 1;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!engine_list_remove(e))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                to_return = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return to_return;
+        }
+
+static void engine_cpy(ENGINE *dest, const ENGINE *src)
+        {
+        dest->id = src->id;
+        dest->name = src->name;
+#ifndef OPENSSL_NO_RSA
+        dest->rsa_meth = src->rsa_meth;
+#endif
+#ifndef OPENSSL_NO_DSA
+        dest->dsa_meth = src->dsa_meth;
+#endif
+#ifndef OPENSSL_NO_DH
+        dest->dh_meth = src->dh_meth;
+#endif
+        dest->rand_meth = src->rand_meth;
+        dest->ciphers = src->ciphers;
+        dest->digests = src->digests;
+        dest->destroy = src->destroy;
+        dest->init = src->init;
+        dest->finish = src->finish;
+        dest->ctrl = src->ctrl;
+        dest->load_privkey = src->load_privkey;
+        dest->load_pubkey = src->load_pubkey;
+        dest->cmd_defns = src->cmd_defns;
+        dest->flags = src->flags;
+        }
+
+ENGINE *ENGINE_by_id(const char *id)
+        {
+        ENGINE *iterator;
+        if(id == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        iterator = engine_list_head;
+        while(iterator && (strcmp(id, iterator->id) != 0)) 
+                iterator = iterator->next;
+        if(iterator)
+                {
+                /* We need to return a structural reference. If this is an
+                 * ENGINE type that returns copies, make a duplicate - otherwise
+                 * increment the existing ENGINE's reference count. */
+                if(iterator->flags & ENGINE_FLAGS_BY_ID_COPY)
+                        {
+                        ENGINE *cp = ENGINE_new();
+                        if(!cp)
+                                iterator = NULL;
+                        else
+                                {
+                                engine_cpy(cp, iterator);
+                                iterator = cp;
+                                }
+                        }
+                else
+                        {
+                        iterator->struct_ref++;
+                        engine_ref_debug(iterator, 0, 1)
+                        }
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        if(iterator == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+                        ENGINE_R_NO_SUCH_ENGINE);
+                ERR_add_error_data(2, "id=", id);
+                }
+        return iterator;
+        }
diff --git a/src/lib/libcrypto/engine/eng_openssl.c b/src/lib/libcrypto/engine/eng_openssl.c
new file mode 100644
index 0000000000..e9d976f46b
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_openssl.c
@@ -0,0 +1,347 @@
+/* crypto/engine/eng_openssl.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+#include <openssl/pem.h>
+
+/* This testing gunk is implemented (and explained) lower down. It also assumes
+ * the application explicitly calls "ENGINE_load_openssl()" because this is no
+ * longer automatic in ENGINE_load_builtin_engines(). */
+#define TEST_ENG_OPENSSL_RC4
+#define TEST_ENG_OPENSSL_PKEY
+/* #define TEST_ENG_OPENSSL_RC4_OTHERS */
+#define TEST_ENG_OPENSSL_RC4_P_INIT
+/* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */
+#define TEST_ENG_OPENSSL_SHA
+/* #define TEST_ENG_OPENSSL_SHA_OTHERS */
+/* #define TEST_ENG_OPENSSL_SHA_P_INIT */
+/* #define TEST_ENG_OPENSSL_SHA_P_UPDATE */
+/* #define TEST_ENG_OPENSSL_SHA_P_FINAL */
+
+#ifdef TEST_ENG_OPENSSL_RC4
+static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                                const int **nids, int nid);
+#endif
+#ifdef TEST_ENG_OPENSSL_SHA
+static int openssl_digests(ENGINE *e, const EVP_MD **digest,
+                                const int **nids, int nid);
+#endif
+
+#ifdef TEST_ENG_OPENSSL_PKEY
+static EVP_PKEY *openssl_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+#endif
+
+/* The constants used when creating the ENGINE */
+static const char *engine_openssl_id = "openssl";
+static const char *engine_openssl_name = "Software engine support";
+
+/* This internal function is used by ENGINE_openssl() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+        if(!ENGINE_set_id(e, engine_openssl_id)
+                        || !ENGINE_set_name(e, engine_openssl_name)
+#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
+#ifndef OPENSSL_NO_RSA
+                        || !ENGINE_set_RSA(e, RSA_get_default_method())
+#endif
+#ifndef OPENSSL_NO_DSA
+                        || !ENGINE_set_DSA(e, DSA_get_default_method())
+#endif
+#ifndef OPENSSL_NO_DH
+                        || !ENGINE_set_DH(e, DH_get_default_method())
+#endif
+                        || !ENGINE_set_RAND(e, RAND_SSLeay())
+#ifdef TEST_ENG_OPENSSL_RC4
+                        || !ENGINE_set_ciphers(e, openssl_ciphers)
+#endif
+#ifdef TEST_ENG_OPENSSL_SHA
+                        || !ENGINE_set_digests(e, openssl_digests)
+#endif
+#endif
+#ifdef TEST_ENG_OPENSSL_PKEY
+                        || !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
+#endif
+                        )
+                return 0;
+        /* If we add errors to this ENGINE, ensure the error handling is setup here */
+        /* openssl_load_error_strings(); */
+        return 1;
+        }
+
+static ENGINE *engine_openssl(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_openssl(void)
+        {
+        ENGINE *toadd = engine_openssl();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        /* If the "add" worked, it gets a structural reference. So either way,
+         * we release our just-created reference. */
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_openssl_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#ifdef TEST_ENG_OPENSSL_RC4
+/* This section of code compiles an "alternative implementation" of two modes of
+ * RC4 into this ENGINE. The result is that EVP_CIPHER operation for "rc4"
+ * should under normal circumstances go via this support rather than the default
+ * EVP support. There are other symbols to tweak the testing;
+ *    TEST_ENC_OPENSSL_RC4_OTHERS - print a one line message to stderr each time
+ *        we're asked for a cipher we don't support (should not happen).
+ *    TEST_ENG_OPENSSL_RC4_P_INIT - print a one line message to stderr each time
+ *        the "init_key" handler is called.
+ *    TEST_ENG_OPENSSL_RC4_P_CIPHER - ditto for the "cipher" handler.
+ */
+#include <openssl/evp.h>
+#include <openssl/rc4.h>
+#define TEST_RC4_KEY_SIZE               16
+static int test_cipher_nids[] = {NID_rc4,NID_rc4_40};
+static int test_cipher_nids_number = 2;
+typedef struct {
+        unsigned char key[TEST_RC4_KEY_SIZE];
+        RC4_KEY ks;
+        } TEST_RC4_KEY;
+#define test(ctx) ((TEST_RC4_KEY *)(ctx)->cipher_data)
+static int test_rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+#ifdef TEST_ENG_OPENSSL_RC4_P_INIT
+        fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) test_init_key() called\n");
+#endif
+        memcpy(&test(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx));
+        RC4_set_key(&test(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
+                test(ctx)->key);
+        return 1;
+        }
+static int test_rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                      const unsigned char *in, unsigned int inl)
+        {
+#ifdef TEST_ENG_OPENSSL_RC4_P_CIPHER
+        fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) test_cipher() called\n");
+#endif
+        RC4(&test(ctx)->ks,inl,in,out);
+        return 1;
+        }
+static const EVP_CIPHER test_r4_cipher=
+        {
+        NID_rc4,
+        1,TEST_RC4_KEY_SIZE,0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        test_rc4_init_key,
+        test_rc4_cipher,
+        NULL,
+        sizeof(TEST_RC4_KEY),
+        NULL,
+        NULL,
+        NULL
+        };
+static const EVP_CIPHER test_r4_40_cipher=
+        {
+        NID_rc4_40,
+        1,5 /* 40 bit */,0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        test_rc4_init_key,
+        test_rc4_cipher,
+        NULL,
+        sizeof(TEST_RC4_KEY),
+        NULL, 
+        NULL,
+        NULL
+        };
+static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                        const int **nids, int nid)
+        {
+        if(!cipher)
+                {
+                /* We are returning a list of supported nids */
+                *nids = test_cipher_nids;
+                return test_cipher_nids_number;
+                }
+        /* We are being asked for a specific cipher */
+        if(nid == NID_rc4)
+                *cipher = &test_r4_cipher;
+        else if(nid == NID_rc4_40)
+                *cipher = &test_r4_40_cipher;
+        else
+                {
+#ifdef TEST_ENG_OPENSSL_RC4_OTHERS
+                fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) returning NULL for "
+                                "nid %d\n", nid);
+#endif
+                *cipher = NULL;
+                return 0;
+                }
+        return 1;
+        }
+#endif
+
+#ifdef TEST_ENG_OPENSSL_SHA
+/* Much the same sort of comment as for TEST_ENG_OPENSSL_RC4 */
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+static int test_digest_nids[] = {NID_sha1};
+static int test_digest_nids_number = 1;
+static int test_sha1_init(EVP_MD_CTX *ctx)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_INIT
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_init() called\n");
+#endif
+        return SHA1_Init(ctx->md_data);
+        }
+static int test_sha1_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_UPDATE
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_update() called\n");
+#endif
+        return SHA1_Update(ctx->md_data,data,count);
+        }
+static int test_sha1_final(EVP_MD_CTX *ctx,unsigned char *md)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_FINAL
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_final() called\n");
+#endif
+        return SHA1_Final(md,ctx->md_data);
+        }
+static const EVP_MD test_sha_md=
+        {
+        NID_sha1,
+        NID_sha1WithRSAEncryption,
+        SHA_DIGEST_LENGTH,
+        0,
+        test_sha1_init,
+        test_sha1_update,
+        test_sha1_final,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA_CTX),
+        };
+static int openssl_digests(ENGINE *e, const EVP_MD **digest,
+                        const int **nids, int nid)
+        {
+        if(!digest)
+                {
+                /* We are returning a list of supported nids */
+                *nids = test_digest_nids;
+                return test_digest_nids_number;
+                }
+        /* We are being asked for a specific digest */
+        if(nid == NID_sha1)
+                *digest = &test_sha_md;
+        else
+                {
+#ifdef TEST_ENG_OPENSSL_SHA_OTHERS
+                fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) returning NULL for "
+                                "nid %d\n", nid);
+#endif
+                *digest = NULL;
+                return 0;
+                }
+        return 1;
+        }
+#endif
+
+#ifdef TEST_ENG_OPENSSL_PKEY
+static EVP_PKEY *openssl_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        BIO *in;
+        EVP_PKEY *key;
+        fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
+        in = BIO_new_file(key_id, "r");
+        if (!in)
+                return NULL;
+        key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
+        BIO_free(in);
+        return key;
+        }
+#endif
diff --git a/src/lib/libcrypto/engine/eng_pkey.c b/src/lib/libcrypto/engine/eng_pkey.c
new file mode 100644
index 0000000000..8c69171511
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_pkey.c
@@ -0,0 +1,157 @@
+/* crypto/engine/eng_pkey.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* Basic get/set stuff */
+
+int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f)
+        {
+        e->load_privkey = loadpriv_f;
+        return 1;
+        }
+
+int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
+        {
+        e->load_pubkey = loadpub_f;
+        return 1;
+        }
+
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
+        {
+        return e->load_privkey;
+        }
+
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
+        {
+        return e->load_pubkey;
+        }
+
+/* API functions to load public/private keys */
+
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        EVP_PKEY *pkey;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_privkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        pkey = e->load_privkey(e, key_id, ui_method, callback_data);
+        if (!pkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+                return 0;
+                }
+        return pkey;
+        }
+
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        EVP_PKEY *pkey;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_pubkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        pkey = e->load_pubkey(e, key_id, ui_method, callback_data);
+        if (!pkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+                return 0;
+                }
+        return pkey;
+        }
diff --git a/src/lib/libcrypto/engine/eng_table.c b/src/lib/libcrypto/engine/eng_table.c
new file mode 100644
index 0000000000..c69a84a8bf
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_table.c
@@ -0,0 +1,361 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* This is the type of item in the 'implementation' table. Each 'nid' hashes to
+ * a (potentially NULL) ENGINE_PILE structure which contains a stack of ENGINE*
+ * pointers. These pointers aren't references, because they're inserted and
+ * removed during ENGINE creation and ENGINE destruction. They point to ENGINEs
+ * that *exist* (ie. have a structural reference count greater than zero) rather
+ * than ENGINEs that are *functional*. Each pointer in those stacks are to
+ * ENGINEs that implements the algorithm corresponding to each 'nid'. */
+
+/* The type of the items in the table */
+typedef struct st_engine_pile
+        {
+        /* The 'nid' of the algorithm/mode this ENGINE_PILE structure represents
+         * */
+        int nid;
+        /* A stack of ENGINE pointers for ENGINEs that support this
+         * algorithm/mode. In the event that 'funct' is NULL, the first entry in
+         * this stack that initialises will be set as 'funct' and assumed as the
+         * default for operations of this type. */
+        STACK_OF(ENGINE) *sk;
+        /* The default ENGINE to perform this algorithm/mode. */
+        ENGINE *funct;
+        /* This value optimises engine_table_select(). If it is called it sets
+         * this value to 1. Any changes to this ENGINE_PILE resets it to zero.
+         * As such, no ENGINE_init() thrashing is done unless ENGINEs
+         * continually register (and/or unregister). */
+        int uptodate;
+        } ENGINE_PILE;
+
+/* The type of the hash table of ENGINE_PILE structures such that each are
+ * unique and keyed by the 'nid' value. */
+struct st_engine_table
+        {
+        LHASH piles;
+        }; /* ENGINE_TABLE */
+
+/* This value stores global options controlling behaviour of (mostly) the
+ * engine_table_select() function. It's a bitmask of flag values of the form
+ * ENGINE_TABLE_FLAG_*** (as defined in engine.h) and is controlled by the
+ * ENGINE_[get|set]_table_flags() function. */
+static unsigned int table_flags = 0;
+
+/* API function manipulating 'table_flags' */
+unsigned int ENGINE_get_table_flags(void)
+        {
+        return table_flags;
+        }
+void ENGINE_set_table_flags(unsigned int flags)
+        {
+        table_flags = flags;
+        }
+
+/* Internal functions for the "piles" hash table */
+static unsigned long engine_pile_hash(const ENGINE_PILE *c)
+        {
+        return c->nid;
+        }
+static int engine_pile_cmp(const ENGINE_PILE *a, const ENGINE_PILE *b)
+        {
+        return a->nid - b->nid;
+        }
+static IMPLEMENT_LHASH_HASH_FN(engine_pile_hash, const ENGINE_PILE *)
+static IMPLEMENT_LHASH_COMP_FN(engine_pile_cmp, const ENGINE_PILE *)
+static int int_table_check(ENGINE_TABLE **t, int create)
+        {
+        LHASH *lh;
+        if(*t)
+                return 1;
+        if(!create)
+                return 0;
+        if((lh = lh_new(LHASH_HASH_FN(engine_pile_hash),
+                        LHASH_COMP_FN(engine_pile_cmp))) == NULL)
+                return 0;
+        *t = (ENGINE_TABLE *)lh;
+        return 1;
+        }
+
+/* Privately exposed (via eng_int.h) functions for adding and/or removing
+ * ENGINEs from the implementation table */
+int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
+                ENGINE *e, const int *nids, int num_nids, int setdefault)
+        {
+        int ret = 0, added = 0;
+        ENGINE_PILE tmplate, *fnd;
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!(*table))
+                added = 1;
+        if(!int_table_check(table, 1))
+                goto end;
+        if(added)
+                /* The cleanup callback needs to be added */
+                engine_cleanup_add_first(cleanup);
+        while(num_nids--)
+                {
+                tmplate.nid = *nids;
+                fnd = lh_retrieve(&(*table)->piles, &tmplate);
+                if(!fnd)
+                        {
+                        fnd = OPENSSL_malloc(sizeof(ENGINE_PILE));
+                        if(!fnd)
+                                goto end;
+                        fnd->uptodate = 1;
+                        fnd->nid = *nids;
+                        fnd->sk = sk_ENGINE_new_null();
+                        if(!fnd->sk)
+                                {
+                                OPENSSL_free(fnd);
+                                goto end;
+                                }
+                        fnd->funct= NULL;
+                        lh_insert(&(*table)->piles, fnd);
+                        }
+                /* A registration shouldn't add duplciate entries */
+                sk_ENGINE_delete_ptr(fnd->sk, e);
+                /* if 'setdefault', this ENGINE goes to the head of the list */
+                if(!sk_ENGINE_push(fnd->sk, e))
+                        goto end;
+                /* "touch" this ENGINE_PILE */
+                fnd->uptodate = 0;
+                if(setdefault)
+                        {
+                        if(!engine_unlocked_init(e))
+                                {
+                                ENGINEerr(ENGINE_F_ENGINE_TABLE_REGISTER,
+                                                ENGINE_R_INIT_FAILED);
+                                goto end;
+                                }
+                        if(fnd->funct)
+                                engine_unlocked_finish(fnd->funct, 0);
+                        fnd->funct = e;
+                        }
+                nids++;
+                }
+        ret = 1;
+end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+static void int_unregister_cb(ENGINE_PILE *pile, ENGINE *e)
+        {
+        int n;
+        /* Iterate the 'c->sk' stack removing any occurance of 'e' */
+        while((n = sk_ENGINE_find(pile->sk, e)) >= 0)
+                {
+                sk_ENGINE_delete(pile->sk, n);
+                /* "touch" this ENGINE_CIPHER */
+                pile->uptodate = 0;
+                }
+        if(pile->funct == e)
+                {
+                engine_unlocked_finish(e, 0);
+                pile->funct = NULL;
+                }
+        }
+static IMPLEMENT_LHASH_DOALL_ARG_FN(int_unregister_cb,ENGINE_PILE *,ENGINE *)
+void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(int_table_check(table, 0))
+                lh_doall_arg(&(*table)->piles,
+                        LHASH_DOALL_ARG_FN(int_unregister_cb), e);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        }
+
+static void int_cleanup_cb(ENGINE_PILE *p)
+        {
+        sk_ENGINE_free(p->sk);
+        if(p->funct)
+                engine_unlocked_finish(p->funct, 0);
+        OPENSSL_free(p);
+        }
+static IMPLEMENT_LHASH_DOALL_FN(int_cleanup_cb,ENGINE_PILE *)
+void engine_table_cleanup(ENGINE_TABLE **table)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(*table)
+                {
+                lh_doall(&(*table)->piles, LHASH_DOALL_FN(int_cleanup_cb));
+                lh_free(&(*table)->piles);
+                *table = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given cipher 'nid' */
+#ifndef ENGINE_TABLE_DEBUG
+ENGINE *engine_table_select(ENGINE_TABLE **table, int nid)
+#else
+ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, int l)
+#endif
+        {
+        ENGINE *ret = NULL;
+        ENGINE_PILE tmplate, *fnd=NULL;
+        int initres, loop = 0;
+
+        /* If 'engine_ciphers' is NULL, then it's absolutely *sure* that no
+         * ENGINEs have registered any implementations! */
+        if(!(*table))
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
+                        "registered for anything!\n", f, l, nid);
+#endif
+                return NULL;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        /* Check again inside the lock otherwise we could race against cleanup
+         * operations. But don't worry about a fprintf(stderr). */
+        if(!int_table_check(table, 0))
+                goto end;
+        tmplate.nid = nid;
+        fnd = lh_retrieve(&(*table)->piles, &tmplate);
+        if(!fnd)
+                goto end;
+        if(fnd->funct && engine_unlocked_init(fnd->funct))
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, using "
+                        "ENGINE '%s' cached\n", f, l, nid, fnd->funct->id);
+#endif
+                ret = fnd->funct;
+                goto end;
+                }
+        if(fnd->uptodate)
+                {
+                ret = fnd->funct;
+                goto end;
+                }
+trynext:
+        ret = sk_ENGINE_value(fnd->sk, loop++);
+        if(!ret)
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
+                                "registered implementations would initialise\n",
+                                f, l, nid);
+#endif
+                goto end;
+                }
+#if 0
+        /* Don't need to get a reference if we hold the lock. If the locking has
+         * to change in future, that would be different ... */
+        ret->struct_ref++; engine_ref_debug(ret, 0, 1)
+#endif
+        /* Try and initialise the ENGINE if it's already functional *or* if the
+         * ENGINE_TABLE_FLAG_NOINIT flag is not set. */
+        if((ret->funct_ref > 0) || !(table_flags & ENGINE_TABLE_FLAG_NOINIT))
+                initres = engine_unlocked_init(ret);
+        else
+                initres = 0;
+#if 0
+        /* Release the structural reference */
+        ret->struct_ref--; engine_ref_debug(ret, 0, -1);
+#endif
+        if(initres)
+                {
+                /* If we didn't have a default (functional reference) for this
+                 * 'nid' (or we had one but for whatever reason we're now
+                 * initialising a different one), use this opportunity to set
+                 * 'funct'. */
+                if((fnd->funct != ret) && engine_unlocked_init(ret))
+                        {
+                        /* If there was a previous default we release it. */
+                        if(fnd->funct)
+                                engine_unlocked_finish(fnd->funct, 0);
+                        /* We got an extra functional reference for the
+                         * per-'nid' default */
+                        fnd->funct = ret;
+#ifdef ENGINE_TABLE_DEBUG
+                        fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, "
+                                "setting default to '%s'\n", f, l, nid, ret->id);
+#endif
+                        }
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, using "
+                                "newly initialised '%s'\n", f, l, nid, ret->id);
+#endif
+                goto end;
+                }
+        goto trynext;
+end:
+        /* Whatever happened - we should "untouch" our uptodate file seeing as
+         * we have tried our best to find a functional reference for 'nid'. If
+         * it failed, it is unlikely to succeed again until some future
+         * registrations (or unregistrations) have taken place that affect that
+         * 'nid'. */
+        if(fnd)
+                fnd->uptodate = 1;
+#ifdef ENGINE_TABLE_DEBUG
+        if(ret)
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
+                                "ENGINE '%s'\n", f, l, nid, ret->id);
+        else
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
+                                "'no matching ENGINE'\n", f, l, nid);
+#endif
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        /* Whatever happened, any failed init()s are not failures in this
+         * context, so clear our error state. */
+        ERR_clear_error();
+        return ret;
+        }
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
new file mode 100644
index 0000000000..2983f47034
--- /dev/null
+++ b/src/lib/libcrypto/engine/engine.h
@@ -0,0 +1,398 @@
+/* openssl/engine.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_H
+#define HEADER_ENGINE_H
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* These flags are used to control combinations of algorithm (methods)
+ * by bitwise "OR"ing. */
+#define ENGINE_METHOD_RSA               (unsigned int)0x0001
+#define ENGINE_METHOD_DSA               (unsigned int)0x0002
+#define ENGINE_METHOD_DH                (unsigned int)0x0004
+#define ENGINE_METHOD_RAND              (unsigned int)0x0008
+#define ENGINE_METHOD_BN_MOD_EXP        (unsigned int)0x0010
+#define ENGINE_METHOD_BN_MOD_EXP_CRT    (unsigned int)0x0020
+/* Obvious all-or-nothing cases. */
+#define ENGINE_METHOD_ALL               (unsigned int)0xFFFF
+#define ENGINE_METHOD_NONE              (unsigned int)0x0000
+
+/* These flags are used to tell the ctrl function what should be done.
+ * All command numbers are shared between all engines, even if some don't
+ * make sense to some engines.  In such a case, they do nothing but return
+ * the error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED. */
+#define ENGINE_CTRL_SET_LOGSTREAM               1
+#define ENGINE_CTRL_SET_PASSWORD_CALLBACK       2
+/* Flags specific to the nCipher "chil" engine */
+#define ENGINE_CTRL_CHIL_SET_FORKCHECK          100
+        /* Depending on the value of the (long)i argument, this sets or
+         * unsets the SimpleForkCheck flag in the CHIL API to enable or
+         * disable checking and workarounds for applications that fork().
+         */
+#define ENGINE_CTRL_CHIL_NO_LOCKING             101
+        /* This prevents the initialisation function from providing mutex
+         * callbacks to the nCipher library. */
+
+/* As we're missing a BIGNUM_METHOD, we need a couple of locally
+ * defined function types that engines can implement. */
+
+#ifndef HEADER_ENGINE_INT_H
+/* mod_exp operation, calculates; r = a ^ p mod m
+ * NB: ctx can be NULL, but if supplied, the implementation may use
+ * it if it wishes. */
+typedef int (*BN_MOD_EXP)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+
+/* private key operation for RSA, provided seperately in case other
+ * RSA implementations wish to use it. */
+typedef int (*BN_MOD_EXP_CRT)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+                const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* Generic function pointer */
+typedef void (*ENGINE_GEN_FUNC_PTR)();
+/* Generic function pointer taking no arguments */
+typedef void (*ENGINE_GEN_INT_FUNC_PTR)(void);
+/* Specific control function pointer */
+typedef int (*ENGINE_CTRL_FUNC_PTR)(int cmd, long i, void *p, void (*f)());
+
+/* The list of "engine" types is a static array of (const ENGINE*)
+ * pointers (not dynamic because static is fine for now and we otherwise
+ * have to hook an appropriate load/unload function in to initialise and
+ * cleanup). */
+typedef struct engine_st ENGINE;
+#endif
+
+/* STRUCTURE functions ... all of these functions deal with pointers to
+ * ENGINE structures where the pointers have a "structural reference".
+ * This means that their reference is to allow access to the structure
+ * but it does not imply that the structure is functional. To simply
+ * increment or decrement the structural reference count, use ENGINE_new
+ * and ENGINE_free. NB: This is not required when iterating using
+ * ENGINE_get_next as it will automatically decrement the structural
+ * reference count of the "current" ENGINE and increment the structural
+ * reference count of the ENGINE it returns (unless it is NULL). */
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void);
+ENGINE *ENGINE_get_last(void);
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e);
+ENGINE *ENGINE_get_prev(ENGINE *e);
+/* Add another "ENGINE" type into the array. */
+int ENGINE_add(ENGINE *e);
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e);
+/* Retrieve an engine from the list by its unique "id" value. */
+ENGINE *ENGINE_by_id(const char *id);
+
+/* These functions are useful for manufacturing new ENGINE
+ * structures. They don't address reference counting at all -
+ * one uses them to populate an ENGINE structure with personalised
+ * implementations of things prior to using it directly or adding
+ * it to the builtin ENGINE list in OpenSSL. These are also here
+ * so that the ENGINE structure doesn't have to be exposed and
+ * break binary compatibility!
+ *
+ * NB: I'm changing ENGINE_new to force the ENGINE structure to
+ * be allocated from within OpenSSL. See the comment for
+ * ENGINE_get_struct_size().
+ */
+#if 0
+ENGINE *ENGINE_new(ENGINE *e);
+#else
+ENGINE *ENGINE_new(void);
+#endif
+int ENGINE_free(ENGINE *e);
+int ENGINE_set_id(ENGINE *e, const char *id);
+int ENGINE_set_name(ENGINE *e, const char *name);
+int ENGINE_set_RSA(ENGINE *e, RSA_METHOD *rsa_meth);
+int ENGINE_set_DSA(ENGINE *e, DSA_METHOD *dsa_meth);
+int ENGINE_set_DH(ENGINE *e, DH_METHOD *dh_meth);
+int ENGINE_set_RAND(ENGINE *e, RAND_METHOD *rand_meth);
+int ENGINE_set_BN_mod_exp(ENGINE *e, BN_MOD_EXP bn_mod_exp);
+int ENGINE_set_BN_mod_exp_crt(ENGINE *e, BN_MOD_EXP_CRT bn_mod_exp_crt);
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
+
+/* These return values from within the ENGINE structure. These can
+ * be useful with functional references as well as structural
+ * references - it depends which you obtained. Using the result
+ * for functional purposes if you only obtained a structural
+ * reference may be problematic! */
+const char *ENGINE_get_id(ENGINE *e);
+const char *ENGINE_get_name(ENGINE *e);
+RSA_METHOD *ENGINE_get_RSA(ENGINE *e);
+DSA_METHOD *ENGINE_get_DSA(ENGINE *e);
+DH_METHOD *ENGINE_get_DH(ENGINE *e);
+RAND_METHOD *ENGINE_get_RAND(ENGINE *e);
+BN_MOD_EXP ENGINE_get_BN_mod_exp(ENGINE *e);
+BN_MOD_EXP_CRT ENGINE_get_BN_mod_exp_crt(ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(ENGINE *e);
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(ENGINE *e);
+
+/* ENGINE_new is normally passed a NULL in the first parameter because
+ * the calling code doesn't have access to the definition of the ENGINE
+ * structure (for good reason). However, if the caller wishes to use
+ * its own memory allocation or use a static array, the following call
+ * should be used to check the amount of memory the ENGINE structure
+ * will occupy. This will make the code more future-proof.
+ *
+ * NB: I'm "#if 0"-ing this out because it's better to force the use of
+ * internally allocated memory. See similar change in ENGINE_new().
+ */
+#if 0
+int ENGINE_get_struct_size(void);
+#endif
+
+/* FUNCTIONAL functions. These functions deal with ENGINE structures
+ * that have (or will) be initialised for use. Broadly speaking, the
+ * structural functions are useful for iterating the list of available
+ * engine types, creating new engine types, and other "list" operations.
+ * These functions actually deal with ENGINEs that are to be used. As
+ * such these functions can fail (if applicable) when particular
+ * engines are unavailable - eg. if a hardware accelerator is not
+ * attached or not functioning correctly. Each ENGINE has 2 reference
+ * counts; structural and functional. Every time a functional reference
+ * is obtained or released, a corresponding structural reference is
+ * automatically obtained or released too. */
+
+/* Initialise a engine type for use (or up its reference count if it's
+ * already in use). This will fail if the engine is not currently
+ * operational and cannot initialise. */
+int ENGINE_init(ENGINE *e);
+/* Free a functional reference to a engine type. This does not require
+ * a corresponding call to ENGINE_free as it also releases a structural
+ * reference. */
+int ENGINE_finish(ENGINE *e);
+/* Send control parametrised commands to the engine.  The possibilities
+ * to send down an integer, a pointer to data or a function pointer are
+ * provided.  Any of the parameters may or may not be NULL, depending
+ * on the command number */
+/* WARNING: This is currently experimental and may change radically! */
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+
+/* The following functions handle keys that are stored in some secondary
+ * location, handled by the engine.  The storage may be on a card or
+ * whatever. */
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+        const char *passphrase);
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+        const char *passphrase);
+
+/* This returns a pointer for the current ENGINE structure that
+ * is (by default) performing any RSA operations. The value returned
+ * is an incremented reference, so it should be free'd (ENGINE_finish)
+ * before it is discarded. */
+ENGINE *ENGINE_get_default_RSA(void);
+/* Same for the other "methods" */
+ENGINE *ENGINE_get_default_DSA(void);
+ENGINE *ENGINE_get_default_DH(void);
+ENGINE *ENGINE_get_default_RAND(void);
+ENGINE *ENGINE_get_default_BN_mod_exp(void);
+ENGINE *ENGINE_get_default_BN_mod_exp_crt(void);
+
+/* This sets a new default ENGINE structure for performing RSA
+ * operations. If the result is non-zero (success) then the ENGINE
+ * structure will have had its reference count up'd so the caller
+ * should still free their own reference 'e'. */
+int ENGINE_set_default_RSA(ENGINE *e);
+/* Same for the other "methods" */
+int ENGINE_set_default_DSA(ENGINE *e);
+int ENGINE_set_default_DH(ENGINE *e);
+int ENGINE_set_default_RAND(ENGINE *e);
+int ENGINE_set_default_BN_mod_exp(ENGINE *e);
+int ENGINE_set_default_BN_mod_exp_crt(ENGINE *e);
+
+/* The combination "set" - the flags are bitwise "OR"d from the
+ * ENGINE_METHOD_*** defines above. */
+int ENGINE_set_default(ENGINE *e, unsigned int flags);
+
+/* Obligatory error function. */
+void ERR_load_ENGINE_strings(void);
+
+/*
+ * Error codes for all engine functions. NB: We use "generic"
+ * function names instead of per-implementation ones because this
+ * levels the playing field for externally implemented bootstrapped
+ * support code. As the filename and line number is included, it's
+ * more important to indicate the type of function, so that
+ * bootstrapped code (that can't easily add its own errors in) can
+ * use the same error codes too.
+ */
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the ENGINE functions. */
+
+/* Function codes. */
+#define ENGINE_F_ATALLA_FINISH                           135
+#define ENGINE_F_ATALLA_INIT                             136
+#define ENGINE_F_ATALLA_MOD_EXP                          137
+#define ENGINE_F_ATALLA_RSA_MOD_EXP                      138
+#define ENGINE_F_CSWIFT_DSA_SIGN                         133
+#define ENGINE_F_CSWIFT_DSA_VERIFY                       134
+#define ENGINE_F_CSWIFT_FINISH                           100
+#define ENGINE_F_CSWIFT_INIT                             101
+#define ENGINE_F_CSWIFT_MOD_EXP                          102
+#define ENGINE_F_CSWIFT_MOD_EXP_CRT                      103
+#define ENGINE_F_CSWIFT_RSA_MOD_EXP                      104
+#define ENGINE_F_ENGINE_ADD                              105
+#define ENGINE_F_ENGINE_BY_ID                            106
+#define ENGINE_F_ENGINE_CTRL                             142
+#define ENGINE_F_ENGINE_FINISH                           107
+#define ENGINE_F_ENGINE_FREE                             108
+#define ENGINE_F_ENGINE_GET_BN_MOD_EXP                   109
+#define ENGINE_F_ENGINE_GET_BN_MOD_EXP_CRT               110
+#define ENGINE_F_ENGINE_GET_CTRL_FUNCTION                144
+#define ENGINE_F_ENGINE_GET_DH                           111
+#define ENGINE_F_ENGINE_GET_DSA                          112
+#define ENGINE_F_ENGINE_GET_FINISH_FUNCTION              145
+#define ENGINE_F_ENGINE_GET_ID                           113
+#define ENGINE_F_ENGINE_GET_INIT_FUNCTION                146
+#define ENGINE_F_ENGINE_GET_NAME                         114
+#define ENGINE_F_ENGINE_GET_NEXT                         115
+#define ENGINE_F_ENGINE_GET_PREV                         116
+#define ENGINE_F_ENGINE_GET_RAND                         117
+#define ENGINE_F_ENGINE_GET_RSA                          118
+#define ENGINE_F_ENGINE_INIT                             119
+#define ENGINE_F_ENGINE_LIST_ADD                         120
+#define ENGINE_F_ENGINE_LIST_REMOVE                      121
+#define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                 150
+#define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                  151
+#define ENGINE_F_ENGINE_NEW                              122
+#define ENGINE_F_ENGINE_REMOVE                           123
+#define ENGINE_F_ENGINE_SET_BN_MOD_EXP                   124
+#define ENGINE_F_ENGINE_SET_BN_MOD_EXP_CRT               125
+#define ENGINE_F_ENGINE_SET_CTRL_FUNCTION                147
+#define ENGINE_F_ENGINE_SET_DEFAULT_TYPE                 126
+#define ENGINE_F_ENGINE_SET_DH                           127
+#define ENGINE_F_ENGINE_SET_DSA                          128
+#define ENGINE_F_ENGINE_SET_FINISH_FUNCTION              148
+#define ENGINE_F_ENGINE_SET_ID                           129
+#define ENGINE_F_ENGINE_SET_INIT_FUNCTION                149
+#define ENGINE_F_ENGINE_SET_NAME                         130
+#define ENGINE_F_ENGINE_SET_RAND                         131
+#define ENGINE_F_ENGINE_SET_RSA                          132
+#define ENGINE_F_ENGINE_UNLOAD_KEY                       152
+#define ENGINE_F_HWCRHK_CTRL                             143
+#define ENGINE_F_HWCRHK_FINISH                           135
+#define ENGINE_F_HWCRHK_GET_PASS                         155
+#define ENGINE_F_HWCRHK_INIT                             136
+#define ENGINE_F_HWCRHK_LOAD_PRIVKEY                     153
+#define ENGINE_F_HWCRHK_LOAD_PUBKEY                      154
+#define ENGINE_F_HWCRHK_MOD_EXP                          137
+#define ENGINE_F_HWCRHK_MOD_EXP_CRT                      138
+#define ENGINE_F_HWCRHK_RAND_BYTES                       139
+#define ENGINE_F_HWCRHK_RSA_MOD_EXP                      140
+#define ENGINE_F_LOG_MESSAGE                             141
+
+/* Reason codes. */
+#define ENGINE_R_ALREADY_LOADED                          100
+#define ENGINE_R_BIO_WAS_FREED                           121
+#define ENGINE_R_BN_CTX_FULL                             101
+#define ENGINE_R_BN_EXPAND_FAIL                          102
+#define ENGINE_R_CHIL_ERROR                              123
+#define ENGINE_R_CONFLICTING_ENGINE_ID                   103
+#define ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED            119
+#define ENGINE_R_DSO_FAILURE                             104
+#define ENGINE_R_ENGINE_IS_NOT_IN_LIST                   105
+#define ENGINE_R_FAILED_LOADING_PRIVATE_KEY              128
+#define ENGINE_R_FAILED_LOADING_PUBLIC_KEY               129
+#define ENGINE_R_FINISH_FAILED                           106
+#define ENGINE_R_GET_HANDLE_FAILED                       107
+#define ENGINE_R_ID_OR_NAME_MISSING                      108
+#define ENGINE_R_INIT_FAILED                             109
+#define ENGINE_R_INTERNAL_LIST_ERROR                     110
+#define ENGINE_R_MISSING_KEY_COMPONENTS                  111
+#define ENGINE_R_NOT_INITIALISED                         117
+#define ENGINE_R_NOT_LOADED                              112
+#define ENGINE_R_NO_CALLBACK                             127
+#define ENGINE_R_NO_CONTROL_FUNCTION                     120
+#define ENGINE_R_NO_KEY                                  124
+#define ENGINE_R_NO_LOAD_FUNCTION                        125
+#define ENGINE_R_NO_REFERENCE                            130
+#define ENGINE_R_NO_SUCH_ENGINE                          116
+#define ENGINE_R_NO_UNLOAD_FUNCTION                      126
+#define ENGINE_R_PROVIDE_PARAMETERS                      113
+#define ENGINE_R_REQUEST_FAILED                          114
+#define ENGINE_R_REQUEST_FALLBACK                        118
+#define ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL             122
+#define ENGINE_R_UNIT_FAILURE                            115
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/engine/tb_cipher.c b/src/lib/libcrypto/engine/tb_cipher.c
new file mode 100644
index 0000000000..c5a50fc910
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_cipher.c
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_cipher_engine(), the function that
+ * is used by EVP to hook in cipher code and cache defaults (etc), will display
+ * brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_CIPHER_DEBUG */
+
+static ENGINE_TABLE *cipher_table = NULL;
+
+void ENGINE_unregister_ciphers(ENGINE *e)
+        {
+        engine_table_unregister(&cipher_table, e);
+        }
+
+static void engine_unregister_all_ciphers(void)
+        {
+        engine_table_cleanup(&cipher_table);
+        }
+
+int ENGINE_register_ciphers(ENGINE *e)
+        {
+        if(e->ciphers)
+                {
+                const int *nids;
+                int num_nids = e->ciphers(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&cipher_table,
+                                        &engine_unregister_all_ciphers, e, nids,
+                                        num_nids, 0);
+                }
+        return 1;
+        }
+
+void ENGINE_register_all_ciphers()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_ciphers(e);
+        }
+
+int ENGINE_set_default_ciphers(ENGINE *e)
+        {
+        if(e->ciphers)
+                {
+                const int *nids;
+                int num_nids = e->ciphers(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&cipher_table,
+                                        &engine_unregister_all_ciphers, e, nids,
+                                        num_nids, 1);
+                }
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given cipher 'nid' */
+ENGINE *ENGINE_get_cipher_engine(int nid)
+        {
+        return engine_table_select(&cipher_table, nid);
+        }
+
+/* Obtains a cipher implementation from an ENGINE functional reference */
+const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid)
+        {
+        const EVP_CIPHER *ret;
+        ENGINE_CIPHERS_PTR fn = ENGINE_get_ciphers(e);
+        if(!fn || !fn(e, &ret, NULL, nid))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_CIPHER,
+                                ENGINE_R_UNIMPLEMENTED_CIPHER);
+                return NULL;
+                }
+        return ret;
+        }
+
+/* Gets the cipher callback from an ENGINE structure */
+ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e)
+        {
+        return e->ciphers;
+        }
+
+/* Sets the cipher callback in an ENGINE structure */
+int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f)
+        {
+        e->ciphers = f;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_dh.c b/src/lib/libcrypto/engine/tb_dh.c
new file mode 100644
index 0000000000..c9347235ea
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_dh.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_DH(), the function that is
+ * used by DH to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DH_DEBUG */
+
+static ENGINE_TABLE *dh_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_DH(ENGINE *e)
+        {
+        engine_table_unregister(&dh_table, e);
+        }
+
+static void engine_unregister_all_DH(void)
+        {
+        engine_table_cleanup(&dh_table);
+        }
+
+int ENGINE_register_DH(ENGINE *e)
+        {
+        if(e->dh_meth)
+                return engine_table_register(&dh_table,
+                                &engine_unregister_all_DH, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_DH()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_DH(e);
+        }
+
+int ENGINE_set_default_DH(ENGINE *e)
+        {
+        if(e->dh_meth)
+                return engine_table_register(&dh_table,
+                                &engine_unregister_all_DH, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_DH(void)
+        {
+        return engine_table_select(&dh_table, dummy_nid);
+        }
+
+/* Obtains an DH implementation from an ENGINE functional reference */
+const DH_METHOD *ENGINE_get_DH(const ENGINE *e)
+        {
+        return e->dh_meth;
+        }
+
+/* Sets an DH implementation in an ENGINE structure */
+int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth)
+        {
+        e->dh_meth = dh_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_digest.c b/src/lib/libcrypto/engine/tb_digest.c
new file mode 100644
index 0000000000..2c4dd6f796
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_digest.c
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_digest_engine(), the function that
+ * is used by EVP to hook in digest code and cache defaults (etc), will display
+ * brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DIGEST_DEBUG */
+
+static ENGINE_TABLE *digest_table = NULL;
+
+void ENGINE_unregister_digests(ENGINE *e)
+        {
+        engine_table_unregister(&digest_table, e);
+        }
+
+static void engine_unregister_all_digests(void)
+        {
+        engine_table_cleanup(&digest_table);
+        }
+
+int ENGINE_register_digests(ENGINE *e)
+        {
+        if(e->digests)
+                {
+                const int *nids;
+                int num_nids = e->digests(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&digest_table,
+                                        &engine_unregister_all_digests, e, nids,
+                                        num_nids, 0);
+                }
+        return 1;
+        }
+
+void ENGINE_register_all_digests()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_digests(e);
+        }
+
+int ENGINE_set_default_digests(ENGINE *e)
+        {
+        if(e->digests)
+                {
+                const int *nids;
+                int num_nids = e->digests(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&digest_table,
+                                        &engine_unregister_all_digests, e, nids,
+                                        num_nids, 1);
+                }
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given digest 'nid' */
+ENGINE *ENGINE_get_digest_engine(int nid)
+        {
+        return engine_table_select(&digest_table, nid);
+        }
+
+/* Obtains a digest implementation from an ENGINE functional reference */
+const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid)
+        {
+        const EVP_MD *ret;
+        ENGINE_DIGESTS_PTR fn = ENGINE_get_digests(e);
+        if(!fn || !fn(e, &ret, NULL, nid))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_DIGEST,
+                                ENGINE_R_UNIMPLEMENTED_DIGEST);
+                return NULL;
+                }
+        return ret;
+        }
+
+/* Gets the digest callback from an ENGINE structure */
+ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e)
+        {
+        return e->digests;
+        }
+
+/* Sets the digest callback in an ENGINE structure */
+int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f)
+        {
+        e->digests = f;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_dsa.c b/src/lib/libcrypto/engine/tb_dsa.c
new file mode 100644
index 0000000000..e9209476b8
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_dsa.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_DSA(), the function that is
+ * used by DSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DSA_DEBUG */
+
+static ENGINE_TABLE *dsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_DSA(ENGINE *e)
+        {
+        engine_table_unregister(&dsa_table, e);
+        }
+
+static void engine_unregister_all_DSA(void)
+        {
+        engine_table_cleanup(&dsa_table);
+        }
+
+int ENGINE_register_DSA(ENGINE *e)
+        {
+        if(e->dsa_meth)
+                return engine_table_register(&dsa_table,
+                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_DSA()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_DSA(e);
+        }
+
+int ENGINE_set_default_DSA(ENGINE *e)
+        {
+        if(e->dsa_meth)
+                return engine_table_register(&dsa_table,
+                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_DSA(void)
+        {
+        return engine_table_select(&dsa_table, dummy_nid);
+        }
+
+/* Obtains an DSA implementation from an ENGINE functional reference */
+const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e)
+        {
+        return e->dsa_meth;
+        }
+
+/* Sets an DSA implementation in an ENGINE structure */
+int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth)
+        {
+        e->dsa_meth = dsa_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_rand.c b/src/lib/libcrypto/engine/tb_rand.c
new file mode 100644
index 0000000000..0b1d031f1e
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_rand.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_RAND(), the function that is
+ * used by RAND to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_RAND_DEBUG */
+
+static ENGINE_TABLE *rand_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_RAND(ENGINE *e)
+        {
+        engine_table_unregister(&rand_table, e);
+        }
+
+static void engine_unregister_all_RAND(void)
+        {
+        engine_table_cleanup(&rand_table);
+        }
+
+int ENGINE_register_RAND(ENGINE *e)
+        {
+        if(e->rand_meth)
+                return engine_table_register(&rand_table,
+                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_RAND()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_RAND(e);
+        }
+
+int ENGINE_set_default_RAND(ENGINE *e)
+        {
+        if(e->rand_meth)
+                return engine_table_register(&rand_table,
+                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_RAND(void)
+        {
+        return engine_table_select(&rand_table, dummy_nid);
+        }
+
+/* Obtains an RAND implementation from an ENGINE functional reference */
+const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e)
+        {
+        return e->rand_meth;
+        }
+
+/* Sets an RAND implementation in an ENGINE structure */
+int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth)
+        {
+        e->rand_meth = rand_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_rsa.c b/src/lib/libcrypto/engine/tb_rsa.c
new file mode 100644
index 0000000000..f84fea3968
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_rsa.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_RSA(), the function that is
+ * used by RSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_RSA_DEBUG */
+
+static ENGINE_TABLE *rsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_RSA(ENGINE *e)
+        {
+        engine_table_unregister(&rsa_table, e);
+        }
+
+static void engine_unregister_all_RSA(void)
+        {
+        engine_table_cleanup(&rsa_table);
+        }
+
+int ENGINE_register_RSA(ENGINE *e)
+        {
+        if(e->rsa_meth)
+                return engine_table_register(&rsa_table,
+                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_RSA()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_RSA(e);
+        }
+
+int ENGINE_set_default_RSA(ENGINE *e)
+        {
+        if(e->rsa_meth)
+                return engine_table_register(&rsa_table,
+                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_RSA(void)
+        {
+        return engine_table_select(&rsa_table, dummy_nid);
+        }
+
+/* Obtains an RSA implementation from an ENGINE functional reference */
+const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e)
+        {
+        return e->rsa_meth;
+        }
+
+/* Sets an RSA implementation in an ENGINE structure */
+int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth)
+        {
+        e->rsa_meth = rsa_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec
new file mode 100644
index 0000000000..c2a8acff0c
--- /dev/null
+++ b/src/lib/libcrypto/err/openssl.ec
@@ -0,0 +1,71 @@
+L ERR           NONE                            NONE
+L CRYPTO        crypto/crypto.h                 crypto/cpt_err.c
+L BN            crypto/bn/bn.h                  crypto/bn/bn_err.c
+L RSA           crypto/rsa/rsa.h                crypto/rsa/rsa_err.c
+L DSA           crypto/dsa/dsa.h                crypto/dsa/dsa_err.c
+L DH            crypto/dh/dh.h                  crypto/dh/dh_err.c
+L EVP           crypto/evp/evp.h                crypto/evp/evp_err.c
+L BUF           crypto/buffer/buffer.h          crypto/buffer/buf_err.c
+L BIO           crypto/bio/bio.h                crypto/bio/bio_err.c
+L OBJ           crypto/objects/objects.h        crypto/objects/obj_err.c
+L PEM           crypto/pem/pem.h                crypto/pem/pem_err.c
+L X509          crypto/x509/x509.h              crypto/x509/x509_err.c
+L NONE          crypto/x509/x509_vfy.h          NONE
+L X509V3        crypto/x509v3/x509v3.h          crypto/x509v3/v3err.c
+#L METH         crypto/meth/meth.h              crypto/meth/meth_err.c
+L ASN1          crypto/asn1/asn1.h              crypto/asn1/asn1_err.c
+L CONF          crypto/conf/conf.h              crypto/conf/conf_err.c
+#L PROXY                crypto/proxy/proxy.h            crypto/proxy/proxy_err.c
+L PKCS7         crypto/pkcs7/pkcs7.h            crypto/pkcs7/pkcs7err.c
+L PKCS12        crypto/pkcs12/pkcs12.h          crypto/pkcs12/pk12err.c
+L RSAREF        rsaref/rsaref.h                 rsaref/rsar_err.c
+L SSL           ssl/ssl.h                       ssl/ssl_err.c
+L COMP          crypto/comp/comp.h              crypto/comp/comp_err.c
+
+
+F RSAREF_F_RSA_BN2BIN
+F RSAREF_F_RSA_PRIVATE_DECRYPT
+F RSAREF_F_RSA_PRIVATE_ENCRYPT
+F RSAREF_F_RSA_PUBLIC_DECRYPT
+F RSAREF_F_RSA_PUBLIC_ENCRYPT
+#F SSL_F_CLIENT_CERTIFICATE
+
+R SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE          1010
+R SSL_R_SSLV3_ALERT_BAD_RECORD_MAC              1020
+R SSL_R_TLSV1_ALERT_DECRYPTION_FAILED           1021
+R SSL_R_TLSV1_ALERT_RECORD_OVERFLOW             1022
+R SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE       1030
+R SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE           1040
+R SSL_R_SSLV3_ALERT_NO_CERTIFICATE              1041
+R SSL_R_SSLV3_ALERT_BAD_CERTIFICATE             1042
+R SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE     1043
+R SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED         1044
+R SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED         1045
+R SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN         1046
+R SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER           1047
+R SSL_R_TLSV1_ALERT_UNKNOWN_CA                  1048
+R SSL_R_TLSV1_ALERT_ACCESS_DENIED               1049
+R SSL_R_TLSV1_ALERT_DECODE_ERROR                1050
+R SSL_R_TLSV1_ALERT_DECRYPT_ERROR               1051
+R SSL_R_TLSV1_ALERT_EXPORT_RESTRICION           1060
+R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION            1070
+R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY       1071
+R SSL_R_TLSV1_ALERT_INTERNAL_ERROR              1080
+R SSL_R_TLSV1_ALERT_USER_CANCLED                1090
+R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION            1100
+
+R RSAREF_R_CONTENT_ENCODING                     0x0400
+R RSAREF_R_DATA                                 0x0401
+R RSAREF_R_DIGEST_ALGORITHM                     0x0402
+R RSAREF_R_ENCODING                             0x0403
+R RSAREF_R_KEY                                  0x0404
+R RSAREF_R_KEY_ENCODING                         0x0405
+R RSAREF_R_LEN                                  0x0406
+R RSAREF_R_MODULUS_LEN                          0x0407
+R RSAREF_R_NEED_RANDOM                          0x0408
+R RSAREF_R_PRIVATE_KEY                          0x0409
+R RSAREF_R_PUBLIC_KEY                           0x040a
+R RSAREF_R_SIGNATURE                            0x040b
+R RSAREF_R_SIGNATURE_ENCODING                   0x040c
+R RSAREF_R_ENCRYPTION_ALGORITHM                 0x040d
+
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
new file mode 100644
index 0000000000..9d03a9602f
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -0,0 +1,99 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef OPENSSL_NO_AES
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <string.h>
+#include <assert.h>
+#include <openssl/aes.h>
+#include "evp_locl.h"
+
+static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                                        const unsigned char *iv, int enc);
+
+typedef struct
+        {
+        AES_KEY ks;
+        } EVP_AES_KEY;
+
+#define data(ctx)       EVP_C_DATA(EVP_AES_KEY,ctx)
+
+IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
+                       NID_aes_128, 16, 16, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
+                       NID_aes_192, 16, 24, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
+                       NID_aes_256, 16, 32, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+
+static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                   const unsigned char *iv, int enc) {
+
+        if (enc) 
+                AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+        else
+                AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+
+        return 1;
+}
+
+#endif
diff --git a/src/lib/libcrypto/evp/e_bf.c b/src/lib/libcrypto/evp/e_bf.c
new file mode 100644
index 0000000000..72047f64da
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_bf.c
@@ -0,0 +1,80 @@
+/* crypto/evp/e_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_BF
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include "evp_locl.h"
+#include <openssl/objects.h>
+
+static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                       const unsigned char *iv, int enc);
+
+IMPLEMENT_BLOCK_CIPHER(bf, bf_ks, BF, bf_ks, NID_bf, 8, 16, 8,
+                        0, bf_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
+        
+static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                       const unsigned char *iv, int enc)
+        {
+        BF_set_key(&(ctx->c.bf_ks),EVP_CIPHER_CTX_key_length(ctx),key);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libcrypto/evp/e_cast.c b/src/lib/libcrypto/evp/e_cast.c
new file mode 100644
index 0000000000..e5af7fb4ed
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_cast.c
@@ -0,0 +1,82 @@
+/* crypto/evp/e_cast.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_CAST
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv,int enc);
+
+IMPLEMENT_BLOCK_CIPHER(cast5, cast_ks, CAST, cast_ks, 
+                        NID_cast5, 8, EVP_CAST5_KEY_SIZE, 8,
+                        EVP_CIPH_VARIABLE_LENGTH, cast_init_key, NULL,
+                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
+                        
+static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv, int enc)
+        {
+        CAST_set_key(&(ctx->c.cast_ks),EVP_CIPHER_CTX_key_length(ctx),key);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
new file mode 100644
index 0000000000..f4e998b81c
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -0,0 +1,118 @@
+/* crypto/evp/e_des.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc);
+
+/* Because of various casts and different names can't use IMPLEMENT_BLOCK_CIPHER */
+
+static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        BLOCK_CIPHER_ecb_loop()
+                des_ecb_encrypt((des_cblock *)(in + i), (des_cblock *)(out + i), ctx->c.des_ks, ctx->encrypt);
+        return 1;
+}
+
+static int des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        des_ofb64_encrypt(in, out, (long)inl, ctx->c.des_ks, (des_cblock *)ctx->iv, &ctx->num);
+        return 1;
+}
+
+static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        des_ncbc_encrypt(in, out, (long)inl, ctx->c.des_ks,
+                         (des_cblock *)ctx->iv, ctx->encrypt);
+        return 1;
+}
+
+static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        des_cfb64_encrypt(in, out, (long)inl, ctx->c.des_ks,
+                          (des_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
+        return 1;
+}
+
+BLOCK_CIPHER_defs(des, des_ks, NID_des, 8, 8, 8,
+                        0, des_init_key, NULL,
+                        EVP_CIPHER_set_asn1_iv,
+                        EVP_CIPHER_get_asn1_iv,
+                        NULL)
+
+
+static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+        des_cblock *deskey = (des_cblock *)key;
+
+        des_set_key_unchecked(deskey,ctx->c.des_ks);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
new file mode 100644
index 0000000000..a9aba4ae70
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -0,0 +1,165 @@
+/* crypto/evp/e_des3.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                            const unsigned char *iv,int enc);
+
+static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv,int enc);
+
+/* Because of various casts and different args can't use IMPLEMENT_BLOCK_CIPHER */
+
+static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        BLOCK_CIPHER_ecb_loop()
+                des_ecb3_encrypt((des_cblock *)(in + i), (des_cblock *)(out + i), 
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                         ctx->encrypt);
+        return 1;
+}
+
+static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        des_ede3_ofb64_encrypt(in, out, (long)inl,
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                                                                (des_cblock *)ctx->iv, &ctx->num);
+        return 1;
+}
+
+static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        des_ede3_cbc_encrypt(in, out, (long)inl,
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                                                                (des_cblock *)ctx->iv, ctx->encrypt);
+        return 1;
+}
+
+static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        des_ede3_cfb64_encrypt(in, out, (long)inl, 
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                                        (des_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
+        return 1;
+}
+
+#define NID_des_ede_ecb NID_des_ede
+
+BLOCK_CIPHER_defs(des_ede, des_ede, NID_des_ede, 8, 16, 8,
+                        0, des_ede_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv,
+                        EVP_CIPHER_get_asn1_iv,
+                        NULL)
+
+#define NID_des_ede3_ecb NID_des_ede3
+#define des_ede3_cfb_cipher des_ede_cfb_cipher
+#define des_ede3_ofb_cipher des_ede_ofb_cipher
+#define des_ede3_cbc_cipher des_ede_cbc_cipher
+#define des_ede3_ecb_cipher des_ede_ecb_cipher
+
+BLOCK_CIPHER_defs(des_ede3, des_ede, NID_des_ede3, 8, 24, 8,
+                        0, des_ede3_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv,
+                        EVP_CIPHER_get_asn1_iv,
+                        NULL)
+
+static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                            const unsigned char *iv, int enc)
+        {
+        des_cblock *deskey = (des_cblock *)key;
+
+        des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+        des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+        memcpy( (char *)ctx->c.des_ede.ks3,
+                        (char *)ctx->c.des_ede.ks1,
+                        sizeof(ctx->c.des_ede.ks1));
+        return 1;
+        }
+
+static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv, int enc)
+        {
+        des_cblock *deskey = (des_cblock *)key;
+
+        des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+        des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+        des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+
+        return 1;
+        }
+
+EVP_CIPHER *EVP_des_ede(void)
+{
+        return &des_ede_ecb;
+}
+
+EVP_CIPHER *EVP_des_ede3(void)
+{
+        return &des_ede3_ecb;
+}
+#endif
diff --git a/src/lib/libcrypto/evp/e_idea.c b/src/lib/libcrypto/evp/e_idea.c
new file mode 100644
index 0000000000..8d3c88deb7
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_idea.c
@@ -0,0 +1,112 @@
+/* crypto/evp/e_idea.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_IDEA
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv,int enc);
+
+/* NB idea_ecb_encrypt doesn't take an 'encrypt' argument so we treat it as a special
+ * case 
+ */
+
+static int idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, unsigned int inl)
+{
+        BLOCK_CIPHER_ecb_loop()
+                idea_ecb_encrypt(in + i, out + i, &ctx->c.idea_ks);
+        return 1;
+}
+
+/* Can't use IMPLEMENT_BLOCK_CIPHER because idea_ecb_encrypt is different */
+
+BLOCK_CIPHER_func_cbc(idea, idea, idea_ks)
+BLOCK_CIPHER_func_ofb(idea, idea, idea_ks)
+BLOCK_CIPHER_func_cfb(idea, idea, idea_ks)
+
+BLOCK_CIPHER_defs(idea, idea_ks, NID_idea, 8, 16, 8,
+                        0, idea_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
+
+static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv, int enc)
+        {
+        if(!enc) {
+                if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) enc = 1;
+                else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CFB_MODE) enc = 1;
+        }
+        if (enc) idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+        else
+                {
+                IDEA_KEY_SCHEDULE tmp;
+
+                idea_set_encrypt_key(key,&tmp);
+                idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks));
+                memset((unsigned char *)&tmp,0,
+                                sizeof(IDEA_KEY_SCHEDULE));
+                }
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libcrypto/evp/e_rc2.c b/src/lib/libcrypto/evp/e_rc2.c
new file mode 100644
index 0000000000..3955c3ef84
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_rc2.c
@@ -0,0 +1,222 @@
+/* crypto/evp/e_rc2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC2
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv,int enc);
+static int rc2_meth_to_magic(EVP_CIPHER_CTX *ctx);
+static int rc2_magic_to_meth(int i);
+static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
+
+IMPLEMENT_BLOCK_CIPHER(rc2, rc2.ks, RC2, rc2, NID_rc2,
+                        8,
+                        EVP_RC2_KEY_SIZE, 8,
+                        EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+                        rc2_init_key, NULL,
+                        rc2_set_asn1_type_and_iv, rc2_get_asn1_type_and_iv, 
+                        rc2_ctrl)
+
+#define RC2_40_MAGIC    0xa0
+#define RC2_64_MAGIC    0x78
+#define RC2_128_MAGIC   0x3a
+
+static EVP_CIPHER r2_64_cbc_cipher=
+        {
+        NID_rc2_64_cbc,
+        8,8 /* 64 bit */,8,
+        EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+        rc2_init_key,
+        rc2_cbc_cipher,
+        NULL,
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2)),
+        rc2_set_asn1_type_and_iv,
+        rc2_get_asn1_type_and_iv,
+        rc2_ctrl,
+        NULL
+        };
+
+static EVP_CIPHER r2_40_cbc_cipher=
+        {
+        NID_rc2_40_cbc,
+        8,5 /* 40 bit */,8,
+        EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+        rc2_init_key,
+        rc2_cbc_cipher,
+        NULL,
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2)),
+        rc2_set_asn1_type_and_iv,
+        rc2_get_asn1_type_and_iv,
+        rc2_ctrl,
+        NULL
+        };
+
+EVP_CIPHER *EVP_rc2_64_cbc(void)
+        {
+        return(&r2_64_cbc_cipher);
+        }
+
+EVP_CIPHER *EVP_rc2_40_cbc(void)
+        {
+        return(&r2_40_cbc_cipher);
+        }
+        
+static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+        RC2_set_key(&(ctx->c.rc2.ks),EVP_CIPHER_CTX_key_length(ctx),
+                        key,ctx->c.rc2.key_bits);
+        return 1;
+        }
+
+static int rc2_meth_to_magic(EVP_CIPHER_CTX *e)
+        {
+        int i;
+
+        EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i);
+        if      (i == 128) return(RC2_128_MAGIC);
+        else if (i == 64)  return(RC2_64_MAGIC);
+        else if (i == 40)  return(RC2_40_MAGIC);
+        else return(0);
+        }
+
+static int rc2_magic_to_meth(int i)
+        {
+        if      (i == RC2_128_MAGIC) return 128;
+        else if (i == RC2_64_MAGIC)  return 64;
+        else if (i == RC2_40_MAGIC)  return 40;
+        else
+                {
+                EVPerr(EVP_F_RC2_MAGIC_TO_METH,EVP_R_UNSUPPORTED_KEY_SIZE);
+                return(0);
+                }
+        }
+
+static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+        {
+        long num=0;
+        int i=0,l;
+        int key_bits;
+        unsigned char iv[EVP_MAX_IV_LENGTH];
+
+        if (type != NULL)
+                {
+                l=EVP_CIPHER_CTX_iv_length(c);
+                i=ASN1_TYPE_get_int_octetstring(type,&num,iv,l);
+                if (i != l)
+                        return(-1);
+                key_bits =rc2_magic_to_meth((int)num);
+                if (!key_bits)
+                        return(-1);
+                if(i > 0) EVP_CipherInit(c, NULL, NULL, iv, -1);
+                EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
+                EVP_CIPHER_CTX_set_key_length(c, key_bits / 8);
+                }
+        return(i);
+        }
+
+static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+        {
+        long num;
+        int i=0,j;
+
+        if (type != NULL)
+                {
+                num=rc2_meth_to_magic(c);
+                j=EVP_CIPHER_CTX_iv_length(c);
+                i=ASN1_TYPE_set_int_octetstring(type,num,c->oiv,j);
+                }
+        return(i);
+        }
+
+static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+        {
+                switch(type) {
+
+                        case EVP_CTRL_INIT:
+                        c->c.rc2.key_bits = EVP_CIPHER_CTX_key_length(c) * 8;
+                        return 1;
+
+                        case EVP_CTRL_GET_RC2_KEY_BITS:
+                        *(int *)ptr = c->c.rc2.key_bits;
+                        return 1;
+                        
+                        
+                        case EVP_CTRL_SET_RC2_KEY_BITS:
+                        if(arg > 0) {
+                                c->c.rc2.key_bits = arg;
+                                return 1;
+                        }
+                        return 0;
+
+                        default:
+                        return -1;
+                }
+        }
+
+#endif
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
new file mode 100644
index 0000000000..ce49d5b7d8
--- /dev/null
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -0,0 +1,168 @@
+/* evp_locl.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Macros to code block cipher wrappers */
+
+/* Wrapper functions for each cipher mode */
+
+#define BLOCK_CIPHER_ecb_loop() \
+        unsigned int i; \
+        if(inl < 8) return 1;\
+        inl -= 8; \
+        for(i=0; i <= inl; i+=8) \
+
+#define BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
+static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        BLOCK_CIPHER_ecb_loop() \
+                cprefix##_ecb_encrypt(in + i, out + i, &ctx->c.kname, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_ofb(cname, cprefix, kname) \
+static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        cprefix##_ofb64_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, &ctx->num);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cbc(cname, cprefix, kname) \
+static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        cprefix##_cbc_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cfb(cname, cprefix, kname) \
+static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        cprefix##_cfb64_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, &ctx->num, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_all_funcs(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_cbc(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_cfb(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_ofb(cname, cprefix, kname)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                                nid, block_size, key_len, iv_len, flags,\
+                                 init_key, cleanup, set_asn1, get_asn1, ctrl)\
+static EVP_CIPHER cname##_cbc = {\
+        nid##_cbc, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_CBC_MODE,\
+        init_key,\
+        cname##_cbc_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
+static EVP_CIPHER cname##_cfb = {\
+        nid##_cfb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_CFB_MODE,\
+        init_key,\
+        cname##_cfb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
+static EVP_CIPHER cname##_ofb = {\
+        nid##_ofb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_OFB_MODE,\
+        init_key,\
+        cname##_ofb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
+static EVP_CIPHER cname##_ecb = {\
+        nid##_ecb, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_ECB_MODE,\
+        init_key,\
+        cname##_ecb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
+
+
+
+#define IMPLEMENT_BLOCK_CIPHER(cname, kname, cprefix, kstruct, \
+                                nid, block_size, key_len, iv_len, flags, \
+                                 init_key, cleanup, set_asn1, get_asn1, ctrl) \
+        BLOCK_CIPHER_all_funcs(cname, cprefix, kname) \
+        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, flags,\
+                 init_key, cleanup, set_asn1, get_asn1, ctrl) 
+
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
new file mode 100644
index 0000000000..353c3ad667
--- /dev/null
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -0,0 +1,134 @@
+/* evp_pbe.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include "cryptlib.h"
+
+/* Password based encryption (PBE) functions */
+
+static STACK *pbe_algs;
+
+/* Setup a cipher context from a PBE algorithm */
+
+typedef struct {
+int pbe_nid;
+EVP_CIPHER *cipher;
+EVP_MD *md;
+EVP_PBE_KEYGEN *keygen;
+} EVP_PBE_CTL;
+
+int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
+             ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
+{
+
+        EVP_PBE_CTL *pbetmp, pbelu;
+        int i;
+        pbelu.pbe_nid = OBJ_obj2nid(pbe_obj);
+        if (pbelu.pbe_nid != NID_undef) i = sk_find(pbe_algs, (char *)&pbelu);
+        else i = -1;
+
+        if (i == -1) {
+                char obj_tmp[80];
+                EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
+                if (!pbe_obj) strcpy (obj_tmp, "NULL");
+                else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj);
+                ERR_add_error_data(2, "TYPE=", obj_tmp);
+                return 0;
+        }
+        if (passlen == -1) passlen = strlen(pass);
+        pbetmp = (EVP_PBE_CTL *)sk_value (pbe_algs, i);
+        i = (*pbetmp->keygen)(ctx, pass, passlen, param, pbetmp->cipher,
+                                                 pbetmp->md, en_de);
+        if (!i) {
+                EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_KEYGEN_FAILURE);
+                return 0;
+        }
+        return 1;       
+}
+
+static int pbe_cmp (EVP_PBE_CTL **pbe1, EVP_PBE_CTL **pbe2)
+{
+        return ((*pbe1)->pbe_nid - (*pbe2)->pbe_nid);
+}
+
+/* Add a PBE algorithm */
+
+int EVP_PBE_alg_add (int nid, EVP_CIPHER *cipher, EVP_MD *md,
+             EVP_PBE_KEYGEN *keygen)
+{
+        EVP_PBE_CTL *pbe_tmp;
+        if (!pbe_algs) pbe_algs = sk_new (pbe_cmp);
+        if (!(pbe_tmp = (EVP_PBE_CTL*) Malloc (sizeof(EVP_PBE_CTL)))) {
+                EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        pbe_tmp->pbe_nid = nid;
+        pbe_tmp->cipher = cipher;
+        pbe_tmp->md = md;
+        pbe_tmp->keygen = keygen;
+        sk_push (pbe_algs, (char *)pbe_tmp);
+        return 1;
+}
+
+void EVP_PBE_cleanup(void)
+{
+        sk_pop_free(pbe_algs, FreeFunc);
+        pbe_algs = NULL;
+}
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
new file mode 100644
index 0000000000..421e452db1
--- /dev/null
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -0,0 +1,298 @@
+/* evp_pkey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* Extract a private key from a PKCS8 structure */
+
+EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
+{
+        EVP_PKEY *pkey;
+#ifndef NO_RSA
+        RSA *rsa;
+#endif
+#ifndef NO_DSA
+        DSA *dsa;
+        ASN1_INTEGER *dsapriv;
+        STACK *ndsa;
+        BN_CTX *ctx;
+        int plen;
+#endif
+        X509_ALGOR *a;
+        unsigned char *p;
+        int pkeylen;
+        char obj_tmp[80];
+
+        switch (p8->broken) {
+                case PKCS8_OK:
+                p = p8->pkey->value.octet_string->data;
+                pkeylen = p8->pkey->value.octet_string->length;
+                break;
+
+                case PKCS8_NO_OCTET:
+                p = p8->pkey->value.sequence->data;
+                pkeylen = p8->pkey->value.sequence->length;
+                break;
+
+                default:
+                EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+                return NULL;
+                break;
+        }
+        if (!(pkey = EVP_PKEY_new())) {
+                EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        a = p8->pkeyalg;
+        switch (OBJ_obj2nid(a->algorithm))
+        {
+#ifndef NO_RSA
+                case NID_rsaEncryption:
+                if (!(rsa = d2i_RSAPrivateKey (NULL, &p, pkeylen))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                }
+                EVP_PKEY_assign_RSA (pkey, rsa);
+                break;
+#endif
+#ifndef NO_DSA
+                case NID_dsa:
+                /* PKCS#8 DSA is weird: you just get a private key integer
+                 * and parameters in the AlgorithmIdentifier the pubkey must
+                 * be recalculated.
+                 */
+        
+                /* Check for broken Netscape Database DSA PKCS#8, UGH! */
+                if(*p == (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
+                    if(!(ndsa = ASN1_seq_unpack(p, pkeylen, 
+                                        (char *(*)())d2i_ASN1_INTEGER,
+                                                         ASN1_STRING_free))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                    }
+                    if(sk_num(ndsa) != 2 ) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        sk_pop_free(ndsa, ASN1_STRING_free);
+                        return NULL;
+                    }
+                    dsapriv = (ASN1_INTEGER *) sk_pop(ndsa);
+                    sk_pop_free(ndsa, ASN1_STRING_free);
+                } else if (!(dsapriv=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                }
+                /* Retrieve parameters */
+                if (a->parameter->type != V_ASN1_SEQUENCE) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_NO_DSA_PARAMETERS);
+                        return NULL;
+                }
+                p = a->parameter->value.sequence->data;
+                plen = a->parameter->value.sequence->length;
+                if (!(dsa = d2i_DSAparams (NULL, &p, plen))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                }
+                /* We have parameters now set private key */
+                if (!(dsa->priv_key = ASN1_INTEGER_to_BN(dsapriv, NULL))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_DECODE_ERROR);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+                /* Calculate public key (ouch!) */
+                if (!(dsa->pub_key = BN_new())) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+                if (!(ctx = BN_CTX_new())) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+                        
+                if (!BN_mod_exp(dsa->pub_key, dsa->g,
+                                                 dsa->priv_key, dsa->p, ctx)) {
+                        
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_PUBKEY_ERROR);
+                        BN_CTX_free (ctx);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+
+                EVP_PKEY_assign_DSA (pkey, dsa);
+                BN_CTX_free (ctx);
+                break;
+#endif
+                default:
+                EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+                if (!a->algorithm) strcpy (obj_tmp, "NULL");
+                else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm);
+                ERR_add_error_data(2, "TYPE=", obj_tmp);
+                EVP_PKEY_free (pkey);
+                return NULL;
+        }
+        return pkey;
+}
+
+/* Turn a private key into a PKCS8 structure */
+
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+{
+        PKCS8_PRIV_KEY_INFO *p8;
+#ifndef NO_DSA
+        ASN1_INTEGER *dpkey;
+        unsigned char *p, *q;
+        int len;
+#endif
+        if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) {        
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_INTEGER_set (p8->version, 0);
+        if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                return NULL;
+        }
+        switch (EVP_PKEY_type(pkey->type)) {
+#ifndef NO_RSA
+                case EVP_PKEY_RSA:
+
+                p8->pkeyalg->algorithm = OBJ_nid2obj(NID_rsaEncryption);
+                p8->pkeyalg->parameter->type = V_ASN1_NULL;
+                if (!ASN1_pack_string ((char *)pkey, i2d_PrivateKey,
+                                         &p8->pkey->value.octet_string)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                break;
+#endif
+#ifndef NO_DSA
+                case EVP_PKEY_DSA:
+                p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
+
+                /* get paramaters and place in AlgorithmIdentifier */
+                len = i2d_DSAparams (pkey->pkey.dsa, NULL);
+                if (!(p = Malloc(len))) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                q = p;
+                i2d_DSAparams (pkey->pkey.dsa, &q);
+                p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+                p8->pkeyalg->parameter->value.sequence = ASN1_STRING_new();
+                ASN1_STRING_set(p8->pkeyalg->parameter->value.sequence, p, len);
+                Free(p);
+                /* Get private key into an integer and pack */
+                if (!(dpkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                
+                if (!ASN1_pack_string((char *)dpkey, i2d_ASN1_INTEGER,
+                                         &p8->pkey->value.octet_string)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        ASN1_INTEGER_free (dpkey);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                ASN1_INTEGER_free (dpkey);
+                break;
+#endif
+                default:
+                EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                return NULL;
+        }
+        p8->pkey->type = V_ASN1_OCTET_STRING;
+        RAND_seed (p8->pkey->value.octet_string->data,
+                                         p8->pkey->value.octet_string->length);
+        return p8;
+}
+
+PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
+{
+        switch (broken) {
+
+                case PKCS8_OK:
+                p8->broken = PKCS8_OK;
+                return p8;
+                break;
+
+                case PKCS8_NO_OCTET:
+                p8->broken = PKCS8_NO_OCTET;
+                p8->pkey->type = V_ASN1_SEQUENCE;
+                return p8;
+                break;
+
+                default:
+                EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+                return NULL;
+                break;
+                
+        }
+}
+
+
diff --git a/src/lib/libcrypto/evp/m_md4.c b/src/lib/libcrypto/evp/m_md4.c
new file mode 100644
index 0000000000..6a24ceb86d
--- /dev/null
+++ b/src/lib/libcrypto/evp/m_md4.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_md4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_MD4
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD md4_md=
+        {
+        NID_md4,
+        0,
+        MD4_DIGEST_LENGTH,
+        MD4_Init,
+        MD4_Update,
+        MD4_Final,
+        EVP_PKEY_RSA_method,
+        MD4_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(MD4_CTX),
+        };
+
+EVP_MD *EVP_md4(void)
+        {
+        return(&md4_md);
+        }
+#endif
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
new file mode 100644
index 0000000000..e3dae52d4d
--- /dev/null
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -0,0 +1,146 @@
+/* p5_crpt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include "cryptlib.h"
+
+/* PKCS#5 v1.5 compatible PBE functions: see PKCS#5 v2.0 for more info.
+ */
+
+void PKCS5_PBE_add(void)
+{
+#ifndef NO_DES
+#  ifndef NO_MD5
+EVP_PBE_alg_add(NID_pbeWithMD5AndDES_CBC, EVP_des_cbc(), EVP_md5(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_MD2
+EVP_PBE_alg_add(NID_pbeWithMD2AndDES_CBC, EVP_des_cbc(), EVP_md2(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_SHA
+EVP_PBE_alg_add(NID_pbeWithSHA1AndDES_CBC, EVP_des_cbc(), EVP_sha1(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#endif
+#ifndef NO_RC2
+#  ifndef NO_MD5
+EVP_PBE_alg_add(NID_pbeWithMD5AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md5(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_MD2
+EVP_PBE_alg_add(NID_pbeWithMD2AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md2(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_SHA
+EVP_PBE_alg_add(NID_pbeWithSHA1AndRC2_CBC, EVP_rc2_64_cbc(), EVP_sha1(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#endif
+#ifndef NO_HMAC
+EVP_PBE_alg_add(NID_pbes2, NULL, NULL, PKCS5_v2_PBE_keyivgen);
+#endif
+}
+
+int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+                         int en_de)
+{
+        EVP_MD_CTX ctx;
+        unsigned char md_tmp[EVP_MAX_MD_SIZE];
+        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+        int i;
+        PBEPARAM *pbe;
+        int saltlen, iter;
+        unsigned char *salt, *pbuf;
+
+        /* Extract useful info from parameter */
+        pbuf = param->value.sequence->data;
+        if (!param || (param->type != V_ASN1_SEQUENCE) ||
+           !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+                EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                return 0;
+        }
+
+        if (!pbe->iter) iter = 1;
+        else iter = ASN1_INTEGER_get (pbe->iter);
+        salt = pbe->salt->data;
+        saltlen = pbe->salt->length;
+
+        EVP_DigestInit (&ctx, md);
+        EVP_DigestUpdate (&ctx, pass, passlen);
+        EVP_DigestUpdate (&ctx, salt, saltlen);
+        PBEPARAM_free(pbe);
+        EVP_DigestFinal (&ctx, md_tmp, NULL);
+        for (i = 1; i < iter; i++) {
+                EVP_DigestInit(&ctx, md);
+                EVP_DigestUpdate(&ctx, md_tmp, EVP_MD_size(md));
+                EVP_DigestFinal (&ctx, md_tmp, NULL);
+        }
+        memcpy (key, md_tmp, EVP_CIPHER_key_length(cipher));
+        memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
+                                                 EVP_CIPHER_iv_length(cipher));
+        EVP_CipherInit(cctx, cipher, key, iv, en_de);
+        memset(md_tmp, 0, EVP_MAX_MD_SIZE);
+        memset(key, 0, EVP_MAX_KEY_LENGTH);
+        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        return 1;
+}
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
new file mode 100644
index 0000000000..27a2c518be
--- /dev/null
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -0,0 +1,247 @@
+/* p5_crpt2.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#if !defined(NO_HMAC) && !defined(NO_SHA)
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include "cryptlib.h"
+
+/* set this to print out info about the keygen algorithm */
+/* #define DEBUG_PKCS5V2 */
+
+#ifdef DEBUG_PKCS5V2
+        static void h__dump (const unsigned char *p, int len);
+#endif
+
+/* This is an implementation of PKCS#5 v2.0 password based encryption key
+ * derivation function PBKDF2 using the only currently defined function HMAC
+ * with SHA1. Verified against test vectors posted by Peter Gutmann
+ * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
+ */
+
+int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+                           unsigned char *salt, int saltlen, int iter,
+                           int keylen, unsigned char *out)
+{
+        unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4];
+        int cplen, j, k, tkeylen;
+        unsigned long i = 1;
+        HMAC_CTX hctx;
+        p = out;
+        tkeylen = keylen;
+        if(passlen == -1) passlen = strlen(pass);
+        while(tkeylen) {
+                if(tkeylen > SHA_DIGEST_LENGTH) cplen = SHA_DIGEST_LENGTH;
+                else cplen = tkeylen;
+                /* We are unlikely to ever use more than 256 blocks (5120 bits!)
+                 * but just in case...
+                 */
+                itmp[0] = (unsigned char)((i >> 24) & 0xff);
+                itmp[1] = (unsigned char)((i >> 16) & 0xff);
+                itmp[2] = (unsigned char)((i >> 8) & 0xff);
+                itmp[3] = (unsigned char)(i & 0xff);
+                HMAC_Init(&hctx, pass, passlen, EVP_sha1());
+                HMAC_Update(&hctx, salt, saltlen);
+                HMAC_Update(&hctx, itmp, 4);
+                HMAC_Final(&hctx, digtmp, NULL);
+                memcpy(p, digtmp, cplen);
+                for(j = 1; j < iter; j++) {
+                        HMAC(EVP_sha1(), pass, passlen,
+                                 digtmp, SHA_DIGEST_LENGTH, digtmp, NULL);
+                        for(k = 0; k < cplen; k++) p[k] ^= digtmp[k];
+                }
+                tkeylen-= cplen;
+                i++;
+                p+= cplen;
+        }
+        HMAC_cleanup(&hctx);
+#ifdef DEBUG_PKCS5V2
+        fprintf(stderr, "Password:\n");
+        h__dump (pass, passlen);
+        fprintf(stderr, "Salt:\n");
+        h__dump (salt, saltlen);
+        fprintf(stderr, "Iteration count %d\n", iter);
+        fprintf(stderr, "Key:\n");
+        h__dump (out, keylen);
+#endif
+        return 1;
+}
+
+#ifdef DO_TEST
+main()
+{
+        unsigned char out[4];
+        unsigned char salt[] = {0x12, 0x34, 0x56, 0x78};
+        PKCS5_PBKDF2_HMAC_SHA1("password", -1, salt, 4, 5, 4, out);
+        fprintf(stderr, "Out %02X %02X %02X %02X\n",
+                                         out[0], out[1], out[2], out[3]);
+}
+
+#endif
+
+/* Now the key derivation function itself. This is a bit evil because
+ * it has to check the ASN1 parameters are valid: and there are quite a
+ * few of them...
+ */
+
+int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *c, EVP_MD *md,
+                         int en_de)
+{
+        unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
+        int saltlen, keylen, iter, plen;
+        PBE2PARAM *pbe2 = NULL;
+        const EVP_CIPHER *cipher;
+        PBKDF2PARAM *kdf = NULL;
+
+        pbuf = param->value.sequence->data;
+        plen = param->value.sequence->length;
+        if(!param || (param->type != V_ASN1_SEQUENCE) ||
+                                   !(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                return 0;
+        }
+
+        /* See if we recognise the key derivation function */
+
+        if(OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
+                goto err;
+        }
+
+        /* lets see if we recognise the encryption algorithm.
+         */
+
+        cipher = EVP_get_cipherbyname(
+                        OBJ_nid2sn(OBJ_obj2nid(pbe2->encryption->algorithm)));
+
+        if(!cipher) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                                EVP_R_UNSUPPORTED_CIPHER);
+                goto err;
+        }
+
+        /* Fixup cipher based on AlgorithmIdentifier */
+        EVP_CipherInit(ctx, cipher, NULL, NULL, en_de);
+        if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                        EVP_R_CIPHER_PARAMETER_ERROR);
+                goto err;
+        }
+        keylen = EVP_CIPHER_CTX_key_length(ctx);
+
+        /* Now decode key derivation function */
+
+        pbuf = pbe2->keyfunc->parameter->value.sequence->data;
+        plen = pbe2->keyfunc->parameter->value.sequence->length;
+        if(!pbe2->keyfunc->parameter ||
+                 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
+                                !(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                goto err;
+        }
+
+        PBE2PARAM_free(pbe2);
+        pbe2 = NULL;
+
+        /* Now check the parameters of the kdf */
+
+        if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != keylen)){
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                                EVP_R_UNSUPPORTED_KEYLENGTH);
+                goto err;
+        }
+
+        if(kdf->prf && (OBJ_obj2nid(kdf->prf->algorithm) != NID_hmacWithSHA1)) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
+                goto err;
+        }
+
+        if(kdf->salt->type != V_ASN1_OCTET_STRING) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                                EVP_R_UNSUPPORTED_SALT_TYPE);
+                goto err;
+        }
+
+        /* it seems that its all OK */
+        salt = kdf->salt->value.octet_string->data;
+        saltlen = kdf->salt->value.octet_string->length;
+        iter = ASN1_INTEGER_get(kdf->iter);
+        PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
+        EVP_CipherInit(ctx, NULL, key, NULL, en_de);
+        memset(key, 0, keylen);
+        PBKDF2PARAM_free(kdf);
+        return 1;
+
+        err:
+        PBE2PARAM_free(pbe2);
+        PBKDF2PARAM_free(kdf);
+        return 0;
+}
+
+#ifdef DEBUG_PKCS5V2
+static void h__dump (const unsigned char *p, int len)
+{
+        for (; len --; p++) fprintf(stderr, "%02X ", *p);
+        fprintf(stderr, "\n");
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
new file mode 100644
index 0000000000..ae32f5692e
--- /dev/null
+++ b/src/lib/libcrypto/idea/idea.h
@@ -0,0 +1,99 @@
+/* crypto/idea/idea.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_IDEA_H
+#define HEADER_IDEA_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_IDEA
+#error IDEA is disabled.
+#endif
+
+#define IDEA_ENCRYPT    1
+#define IDEA_DECRYPT    0
+
+#include <openssl/opensslconf.h> /* IDEA_INT */
+#define IDEA_BLOCK      8
+#define IDEA_KEY_LENGTH 16
+
+typedef struct idea_key_st
+        {
+        IDEA_INT data[9][6];
+        } IDEA_KEY_SCHEDULE;
+
+const char *idea_options(void);
+void idea_ecb_encrypt(unsigned char *in, unsigned char *out,
+        IDEA_KEY_SCHEDULE *ks);
+void idea_set_encrypt_key(unsigned char *key, IDEA_KEY_SCHEDULE *ks);
+void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
+void idea_cbc_encrypt(unsigned char *in, unsigned char *out,
+        long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,int enc);
+void idea_cfb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,
+        int *num,int enc);
+void idea_ofb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, int *num);
+void idea_encrypt(unsigned long *in, IDEA_KEY_SCHEDULE *ks);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/krb5/krb5_asn.c b/src/lib/libcrypto/krb5/krb5_asn.c
new file mode 100644
index 0000000000..1fb741d2a0
--- /dev/null
+++ b/src/lib/libcrypto/krb5/krb5_asn.c
@@ -0,0 +1,167 @@
+/* krb5_asn.c */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/krb5_asn.h>
+
+
+ASN1_SEQUENCE(KRB5_ENCDATA) = {
+        ASN1_EXP(KRB5_ENCDATA, etype,           ASN1_INTEGER,     0),
+        ASN1_EXP_OPT(KRB5_ENCDATA, kvno,        ASN1_INTEGER,     1),
+        ASN1_EXP(KRB5_ENCDATA, cipher,          ASN1_OCTET_STRING,2)
+} ASN1_SEQUENCE_END(KRB5_ENCDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCDATA)
+
+
+ASN1_SEQUENCE(KRB5_PRINCNAME) = {
+        ASN1_EXP(KRB5_PRINCNAME, nametype,      ASN1_INTEGER,     0),
+        ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
+} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+
+
+/* [APPLICATION 1] = 0x61 */
+ASN1_SEQUENCE(KRB5_TKTBODY) = {
+        ASN1_EXP(KRB5_TKTBODY, tktvno,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_TKTBODY, realm,           ASN1_GENERALSTRING, 1),
+        ASN1_EXP(KRB5_TKTBODY, sname,           KRB5_PRINCNAME,   2),
+        ASN1_EXP(KRB5_TKTBODY, encdata,         KRB5_ENCDATA,     3)
+} ASN1_SEQUENCE_END(KRB5_TKTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TKTBODY)
+
+
+ASN1_ITEM_TEMPLATE(KRB5_TICKET) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 1,
+                        KRB5_TICKET, KRB5_TKTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_TICKET)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TICKET)
+
+
+/* [APPLICATION 14] = 0x6e */
+ASN1_SEQUENCE(KRB5_APREQBODY) = {
+        ASN1_EXP(KRB5_APREQBODY, pvno,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_APREQBODY, msgtype,       ASN1_INTEGER,     1),
+        ASN1_EXP(KRB5_APREQBODY, apoptions,     ASN1_BIT_STRING,  2),
+        ASN1_EXP(KRB5_APREQBODY, ticket,        KRB5_TICKET,      3),
+        ASN1_EXP(KRB5_APREQBODY, authenticator, KRB5_ENCDATA,     4),
+} ASN1_SEQUENCE_END(KRB5_APREQBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_APREQ) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 14,
+                        KRB5_APREQ, KRB5_APREQBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_APREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQ)
+
+
+/*  Authenticator stuff         */
+
+ASN1_SEQUENCE(KRB5_CHECKSUM) = {
+        ASN1_EXP(KRB5_CHECKSUM, ctype,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_CHECKSUM, checksum,       ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_CHECKSUM)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+
+
+ASN1_SEQUENCE(KRB5_ENCKEY) = {
+        ASN1_EXP(KRB5_ENCKEY,   ktype,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_ENCKEY,   keyvalue,       ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_ENCKEY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCKEY)
+
+
+/* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */
+ASN1_SEQUENCE(KRB5_AUTHDATA) = {
+        ASN1_EXP(KRB5_AUTHDATA, adtype,         ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_AUTHDATA, addata,         ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_AUTHDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+
+
+/* [APPLICATION 2] = 0x62 */
+ASN1_SEQUENCE(KRB5_AUTHENTBODY) = {
+        ASN1_EXP(KRB5_AUTHENTBODY,      avno,   ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_AUTHENTBODY,      crealm, ASN1_GENERALSTRING, 1),
+        ASN1_EXP(KRB5_AUTHENTBODY,      cname,  KRB5_PRINCNAME,   2),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  cksum,  KRB5_CHECKSUM,    3),
+        ASN1_EXP(KRB5_AUTHENTBODY,      cusec,  ASN1_INTEGER,     4),
+        ASN1_EXP(KRB5_AUTHENTBODY,      ctime,  ASN1_GENERALIZEDTIME, 5),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  subkey, KRB5_ENCKEY,      6),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  seqnum, ASN1_INTEGER,     7),
+        ASN1_EXP_SEQUENCE_OF_OPT
+                    (KRB5_AUTHENTBODY,  authorization,  KRB5_AUTHDATA, 8),
+} ASN1_SEQUENCE_END(KRB5_AUTHENTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_AUTHENT) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 2,
+                        KRB5_AUTHENT, KRB5_AUTHENTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_AUTHENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
diff --git a/src/lib/libcrypto/krb5/krb5_asn.h b/src/lib/libcrypto/krb5/krb5_asn.h
new file mode 100644
index 0000000000..3329477b07
--- /dev/null
+++ b/src/lib/libcrypto/krb5/krb5_asn.h
@@ -0,0 +1,256 @@
+/* krb5_asn.h */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_KRB5_ASN_H
+#define HEADER_KRB5_ASN_H
+
+/*
+#include <krb5.h>
+*/
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+/*      ASN.1 from Kerberos RFC 1510
+*/
+
+/*      EncryptedData ::=   SEQUENCE {
+**              etype[0]                      INTEGER, -- EncryptionType
+**              kvno[1]                       INTEGER OPTIONAL,
+**              cipher[2]                     OCTET STRING -- ciphertext
+**      }
+*/
+typedef struct  krb5_encdata_st
+        {
+        ASN1_INTEGER                    *etype;
+        ASN1_INTEGER                    *kvno;
+        ASN1_OCTET_STRING               *cipher;
+        }       KRB5_ENCDATA;
+
+DECLARE_STACK_OF(KRB5_ENCDATA)
+
+/*      PrincipalName ::=   SEQUENCE {
+**              name-type[0]                  INTEGER,
+**              name-string[1]                SEQUENCE OF GeneralString
+**      }
+*/
+typedef struct  krb5_princname_st
+        {
+        ASN1_INTEGER                    *nametype;
+        STACK_OF(ASN1_GENERALSTRING)    *namestring;
+        }       KRB5_PRINCNAME;
+
+DECLARE_STACK_OF(KRB5_PRINCNAME)
+
+
+/*      Ticket ::=      [APPLICATION 1] SEQUENCE {
+**              tkt-vno[0]                    INTEGER,
+**              realm[1]                      Realm,
+**              sname[2]                      PrincipalName,
+**              enc-part[3]                   EncryptedData
+**      }
+*/
+typedef struct  krb5_tktbody_st
+        {
+        ASN1_INTEGER                    *tktvno;
+        ASN1_GENERALSTRING              *realm;
+        KRB5_PRINCNAME                  *sname;
+        KRB5_ENCDATA                    *encdata;
+        }       KRB5_TKTBODY;
+
+typedef STACK_OF(KRB5_TKTBODY) KRB5_TICKET;
+DECLARE_STACK_OF(KRB5_TKTBODY)
+
+
+/*      AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+**              pvno[0]                       INTEGER,
+**              msg-type[1]                   INTEGER,
+**              ap-options[2]                 APOptions,
+**              ticket[3]                     Ticket,
+**              authenticator[4]              EncryptedData
+**      }
+**
+**      APOptions ::=   BIT STRING {
+**              reserved(0), use-session-key(1), mutual-required(2) }
+*/
+typedef struct  krb5_ap_req_st
+        {
+        ASN1_INTEGER                    *pvno;
+        ASN1_INTEGER                    *msgtype;
+        ASN1_BIT_STRING                 *apoptions;
+        KRB5_TICKET                     *ticket;
+        KRB5_ENCDATA                    *authenticator;
+        }       KRB5_APREQBODY;
+
+typedef STACK_OF(KRB5_APREQBODY) KRB5_APREQ;
+DECLARE_STACK_OF(KRB5_APREQBODY)
+
+
+/*      Authenticator Stuff     */
+
+
+/*      Checksum ::=   SEQUENCE {
+**              cksumtype[0]                  INTEGER,
+**              checksum[1]                   OCTET STRING
+**      }
+*/
+typedef struct  krb5_checksum_st
+        {
+        ASN1_INTEGER                    *ctype;
+        ASN1_OCTET_STRING               *checksum;
+        }       KRB5_CHECKSUM;
+
+DECLARE_STACK_OF(KRB5_CHECKSUM)
+
+
+/*      EncryptionKey ::=   SEQUENCE {
+**              keytype[0]                    INTEGER,
+**              keyvalue[1]                   OCTET STRING
+**      }
+*/
+typedef struct  krb5_encryptionkey_st
+        {
+        ASN1_INTEGER                    *ktype;
+        ASN1_OCTET_STRING               *keyvalue;
+        }       KRB5_ENCKEY;
+
+DECLARE_STACK_OF(KRB5_ENCKEY)
+
+
+/*      AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+**              ad-type[0]                    INTEGER,
+**              ad-data[1]                    OCTET STRING
+**      }
+*/
+typedef struct  krb5_authorization_st
+        {
+        ASN1_INTEGER                    *adtype;
+        ASN1_OCTET_STRING               *addata;
+        }       KRB5_AUTHDATA;
+
+DECLARE_STACK_OF(KRB5_AUTHDATA)
+
+                        
+/*      -- Unencrypted authenticator
+**      Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+**              authenticator-vno[0]          INTEGER,
+**              crealm[1]                     Realm,
+**              cname[2]                      PrincipalName,
+**              cksum[3]                      Checksum OPTIONAL,
+**              cusec[4]                      INTEGER,
+**              ctime[5]                      KerberosTime,
+**              subkey[6]                     EncryptionKey OPTIONAL,
+**              seq-number[7]                 INTEGER OPTIONAL,
+**              authorization-data[8]         AuthorizationData OPTIONAL
+**      }
+*/
+typedef struct  krb5_authenticator_st
+        {
+        ASN1_INTEGER                    *avno;
+        ASN1_GENERALSTRING              *crealm;
+        KRB5_PRINCNAME                  *cname;
+        KRB5_CHECKSUM                   *cksum;
+        ASN1_INTEGER                    *cusec;
+        ASN1_GENERALIZEDTIME            *ctime;
+        KRB5_ENCKEY                     *subkey;
+        ASN1_INTEGER                    *seqnum;
+        KRB5_AUTHDATA                   *authorization;
+        }       KRB5_AUTHENTBODY;
+
+typedef STACK_OF(KRB5_AUTHENTBODY) KRB5_AUTHENT;
+DECLARE_STACK_OF(KRB5_AUTHENTBODY)
+
+
+/*  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
+**      type *name##_new(void);
+**      void name##_free(type *a);
+**      DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
+**       DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
+**        type *d2i_##name(type **a, unsigned char **in, long len);
+**        int i2d_##name(type *a, unsigned char **out);
+**        DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
+*/
+
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+DECLARE_ASN1_FUNCTIONS(KRB5_TKTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_TICKET)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQ)
+
+DECLARE_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCKEY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
new file mode 100644
index 0000000000..2b91f9eef2
--- /dev/null
+++ b/src/lib/libcrypto/md32_common.h
@@ -0,0 +1,594 @@
+/* crypto/md32_common.h */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This is a generic 32 bit "collector" for message digest algorithms.
+ * Whenever needed it collects input character stream into chunks of
+ * 32 bit values and invokes a block function that performs actual hash
+ * calculations.
+ *
+ * Porting guide.
+ *
+ * Obligatory macros:
+ *
+ * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
+ *      this macro defines byte order of input stream.
+ * HASH_CBLOCK
+ *      size of a unit chunk HASH_BLOCK operates on.
+ * HASH_LONG
+ *      has to be at lest 32 bit wide, if it's wider, then
+ *      HASH_LONG_LOG2 *has to* be defined along
+ * HASH_CTX
+ *      context structure that at least contains following
+ *      members:
+ *              typedef struct {
+ *                      ...
+ *                      HASH_LONG       Nl,Nh;
+ *                      HASH_LONG       data[HASH_LBLOCK];
+ *                      int             num;
+ *                      ...
+ *                      } HASH_CTX;
+ * HASH_UPDATE
+ *      name of "Update" function, implemented here.
+ * HASH_TRANSFORM
+ *      name of "Transform" function, implemented here.
+ * HASH_FINAL
+ *      name of "Final" function, implemented here.
+ * HASH_BLOCK_HOST_ORDER
+ *      name of "block" function treating *aligned* input message
+ *      in host byte order, implemented externally.
+ * HASH_BLOCK_DATA_ORDER
+ *      name of "block" function treating *unaligned* input message
+ *      in original (data) byte order, implemented externally (it
+ *      actually is optional if data and host are of the same
+ *      "endianess").
+ *
+ * Optional macros:
+ *
+ * B_ENDIAN or L_ENDIAN
+ *      defines host byte-order.
+ * HASH_LONG_LOG2
+ *      defaults to 2 if not states otherwise.
+ * HASH_LBLOCK
+ *      assumed to be HASH_CBLOCK/4 if not stated otherwise.
+ * HASH_BLOCK_DATA_ORDER_ALIGNED
+ *      alternative "block" function capable of treating
+ *      aligned input message in original (data) order,
+ *      implemented externally.
+ *
+ * MD5 example:
+ *
+ *      #define DATA_ORDER_IS_LITTLE_ENDIAN
+ *
+ *      #define HASH_LONG               MD5_LONG
+ *      #define HASH_LONG_LOG2          MD5_LONG_LOG2
+ *      #define HASH_CTX                MD5_CTX
+ *      #define HASH_CBLOCK             MD5_CBLOCK
+ *      #define HASH_LBLOCK             MD5_LBLOCK
+ *      #define HASH_UPDATE             MD5_Update
+ *      #define HASH_TRANSFORM          MD5_Transform
+ *      #define HASH_FINAL              MD5_Final
+ *      #define HASH_BLOCK_HOST_ORDER   md5_block_host_order
+ *      #define HASH_BLOCK_DATA_ORDER   md5_block_data_order
+ *
+ *                                      <appro@fy.chalmers.se>
+ */
+
+#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#error "DATA_ORDER must be defined!"
+#endif
+
+#ifndef HASH_CBLOCK
+#error "HASH_CBLOCK must be defined!"
+#endif
+#ifndef HASH_LONG
+#error "HASH_LONG must be defined!"
+#endif
+#ifndef HASH_CTX
+#error "HASH_CTX must be defined!"
+#endif
+
+#ifndef HASH_UPDATE
+#error "HASH_UPDATE must be defined!"
+#endif
+#ifndef HASH_TRANSFORM
+#error "HASH_TRANSFORM must be defined!"
+#endif
+#ifndef HASH_FINAL
+#error "HASH_FINAL must be defined!"
+#endif
+
+#ifndef HASH_BLOCK_HOST_ORDER
+#error "HASH_BLOCK_HOST_ORDER must be defined!"
+#endif
+
+#if 0
+/*
+ * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
+ * isn't defined.
+ */
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#ifndef HASH_LBLOCK
+#define HASH_LBLOCK     (HASH_CBLOCK/4)
+#endif
+
+#ifndef HASH_LONG_LOG2
+#define HASH_LONG_LOG2  2
+#endif
+
+/*
+ * Engage compiler specific rotate intrinsic function if available.
+ */
+#undef ROTATE
+#ifndef PEDANTIC
+# if defined(_MSC_VER)
+#  define ROTATE(a,n)     _lrotl(a,n)
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM)
+  /*
+   * Some GNU C inline assembler templates. Note that these are
+   * rotates by *constant* number of bits! But that's exactly
+   * what we need here...
+   *
+   *                                    <appro@fy.chalmers.se>
+   */
+#  if defined(__i386)
+#   define ROTATE(a,n)  ({ register unsigned int ret;   \
+                                asm volatile (          \
+                                "roll %1,%0"            \
+                                : "=r"(ret)             \
+                                : "I"(n), "0"(a)        \
+                                : "cc");                \
+                           ret;                         \
+                        })
+#  elif defined(__powerpc)
+#   define ROTATE(a,n)  ({ register unsigned int ret;   \
+                                asm volatile (          \
+                                "rlwinm %0,%1,%2,0,31"  \
+                                : "=r"(ret)             \
+                                : "r"(a), "I"(n));      \
+                           ret;                         \
+                        })
+#  endif
+# endif
+
+/*
+ * Engage compiler specific "fetch in reverse byte order"
+ * intrinsic function if available.
+ */
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM)
+  /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
+#  if defined(__i386) && !defined(I386_ONLY)
+#   define BE_FETCH32(a)        ({ register unsigned int l=(a);\
+                                asm volatile (          \
+                                "bswapl %0"             \
+                                : "=r"(l) : "0"(l));    \
+                          l;                            \
+                        })
+#  elif defined(__powerpc)
+#   define LE_FETCH32(a)        ({ register unsigned int l;     \
+                                asm volatile (          \
+                                "lwbrx %0,0,%1"         \
+                                : "=r"(l)               \
+                                : "r"(a));              \
+                           l;                           \
+                        })
+
+#  elif defined(__sparc) && defined(ULTRASPARC)
+#  define LE_FETCH32(a) ({ register unsigned int l;             \
+                                asm volatile (                  \
+                                "lda [%1]#ASI_PRIMARY_LITTLE,%0"\
+                                : "=r"(l)                       \
+                                : "r"(a));                      \
+                           l;                                   \
+                        })
+#  endif
+# endif
+#endif /* PEDANTIC */
+
+#if HASH_LONG_LOG2==2   /* Engage only if sizeof(HASH_LONG)== 4 */
+/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
+#ifdef ROTATE
+/* 5 instructions with rotate instruction, else 9 */
+#define REVERSE_FETCH32(a,l)    (                                       \
+                l=*(const HASH_LONG *)(a),                              \
+                ((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24)))  \
+                                )
+#else
+/* 6 instructions with rotate instruction, else 8 */
+#define REVERSE_FETCH32(a,l)    (                               \
+                l=*(const HASH_LONG *)(a),                      \
+                l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)),    \
+                ROTATE(l,16)                                    \
+                                )
+/*
+ * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
+ * It's rewritten as above for two reasons:
+ *      - RISCs aren't good at long constants and have to explicitely
+ *        compose 'em with several (well, usually 2) instructions in a
+ *        register before performing the actual operation and (as you
+ *        already realized:-) having same constant should inspire the
+ *        compiler to permanently allocate the only register for it;
+ *      - most modern CPUs have two ALUs, but usually only one has
+ *        circuitry for shifts:-( this minor tweak inspires compiler
+ *        to schedule shift instructions in a better way...
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#endif
+#endif
+
+#ifndef ROTATE
+#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#endif
+
+/*
+ * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
+ * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
+ * and host are of the same "endianess". It's possible to mask
+ * this with blank #define HASH_BLOCK_DATA_ORDER though...
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#if defined(B_ENDIAN)
+#  if defined(DATA_ORDER_IS_BIG_ENDIAN)
+#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+#      define HASH_BLOCK_DATA_ORDER_ALIGNED     HASH_BLOCK_HOST_ORDER
+#    endif
+#  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#    ifndef HOST_FETCH32
+#      ifdef LE_FETCH32
+#        define HOST_FETCH32(p,l)       LE_FETCH32(p)
+#      elif defined(REVERSE_FETCH32)
+#        define HOST_FETCH32(p,l)       REVERSE_FETCH32(p,l)
+#      endif
+#    endif
+#  endif
+#elif defined(L_ENDIAN)
+#  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+#      define HASH_BLOCK_DATA_ORDER_ALIGNED     HASH_BLOCK_HOST_ORDER
+#    endif
+#  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
+#    ifndef HOST_FETCH32
+#      ifdef BE_FETCH32
+#        define HOST_FETCH32(p,l)       BE_FETCH32(p)
+#      elif defined(REVERSE_FETCH32)
+#        define HOST_FETCH32(p,l)       REVERSE_FETCH32(p,l)
+#      endif
+#    endif
+#  endif
+#endif
+
+#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+
+#define HOST_c2l(c,l)   (l =(((unsigned long)(*((c)++)))<<24),          \
+                         l|=(((unsigned long)(*((c)++)))<<16),          \
+                         l|=(((unsigned long)(*((c)++)))<< 8),          \
+                         l|=(((unsigned long)(*((c)++)))    ),          \
+                         l)
+#define HOST_p_c2l(c,l,n)       {                                       \
+                        switch (n) {                                    \
+                        case 0: l =((unsigned long)(*((c)++)))<<24;     \
+                        case 1: l|=((unsigned long)(*((c)++)))<<16;     \
+                        case 2: l|=((unsigned long)(*((c)++)))<< 8;     \
+                        case 3: l|=((unsigned long)(*((c)++)));         \
+                                } }
+#define HOST_p_c2l_p(c,l,sc,len) {                                      \
+                        switch (sc) {                                   \
+                        case 0: l =((unsigned long)(*((c)++)))<<24;     \
+                                if (--len == 0) break;                  \
+                        case 1: l|=((unsigned long)(*((c)++)))<<16;     \
+                                if (--len == 0) break;                  \
+                        case 2: l|=((unsigned long)(*((c)++)))<< 8;     \
+                                } }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n)       {                                       \
+                        l=0; (c)+=n;                                    \
+                        switch (n) {                                    \
+                        case 3: l =((unsigned long)(*(--(c))))<< 8;     \
+                        case 2: l|=((unsigned long)(*(--(c))))<<16;     \
+                        case 1: l|=((unsigned long)(*(--(c))))<<24;     \
+                                } }
+#define HOST_l2c(l,c)   (*((c)++)=(unsigned char)(((l)>>24)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)    )&0xff),      \
+                         l)
+
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+
+#define HOST_c2l(c,l)   (l =(((unsigned long)(*((c)++)))    ),          \
+                         l|=(((unsigned long)(*((c)++)))<< 8),          \
+                         l|=(((unsigned long)(*((c)++)))<<16),          \
+                         l|=(((unsigned long)(*((c)++)))<<24),          \
+                         l)
+#define HOST_p_c2l(c,l,n)       {                                       \
+                        switch (n) {                                    \
+                        case 0: l =((unsigned long)(*((c)++)));         \
+                        case 1: l|=((unsigned long)(*((c)++)))<< 8;     \
+                        case 2: l|=((unsigned long)(*((c)++)))<<16;     \
+                        case 3: l|=((unsigned long)(*((c)++)))<<24;     \
+                                } }
+#define HOST_p_c2l_p(c,l,sc,len) {                                      \
+                        switch (sc) {                                   \
+                        case 0: l =((unsigned long)(*((c)++)));         \
+                                if (--len == 0) break;                  \
+                        case 1: l|=((unsigned long)(*((c)++)))<< 8;     \
+                                if (--len == 0) break;                  \
+                        case 2: l|=((unsigned long)(*((c)++)))<<16;     \
+                                } }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n)       {                                       \
+                        l=0; (c)+=n;                                    \
+                        switch (n) {                                    \
+                        case 3: l =((unsigned long)(*(--(c))))<<16;     \
+                        case 2: l|=((unsigned long)(*(--(c))))<< 8;     \
+                        case 1: l|=((unsigned long)(*(--(c))));         \
+                                } }
+#define HOST_l2c(l,c)   (*((c)++)=(unsigned char)(((l)    )&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>24)&0xff),      \
+                         l)
+
+#endif
+
+/*
+ * Time for some action:-)
+ */
+
+void HASH_UPDATE (HASH_CTX *c, const unsigned char *data, unsigned long len)
+        {
+        register HASH_LONG * p;
+        register unsigned long l;
+        int sw,sc,ew,ec;
+
+        if (len==0) return;
+
+        l=(c->Nl+(len<<3))&0xffffffffL;
+        /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
+         * Wei Dai <weidai@eskimo.com> for pointing it out. */
+        if (l < c->Nl) /* overflow */
+                c->Nh++;
+        c->Nh+=(len>>29);
+        c->Nl=l;
+
+        if (c->num != 0)
+                {
+                p=c->data;
+                sw=c->num>>2;
+                sc=c->num&0x03;
+
+                if ((c->num+len) >= HASH_CBLOCK)
+                        {
+                        l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+                        for (; sw<HASH_LBLOCK; sw++)
+                                {
+                                HOST_c2l(data,l); p[sw]=l;
+                                }
+                        HASH_BLOCK_HOST_ORDER (c,p,1);
+                        len-=(HASH_CBLOCK-c->num);
+                        c->num=0;
+                        /* drop through and do the rest */
+                        }
+                else
+                        {
+                        c->num+=len;
+                        if ((sc+len) < 4) /* ugly, add char's to a word */
+                                {
+                                l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
+                                }
+                        else
+                                {
+                                ew=(c->num>>2);
+                                ec=(c->num&0x03);
+                                l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+                                for (; sw < ew; sw++)
+                                        {
+                                        HOST_c2l(data,l); p[sw]=l;
+                                        }
+                                if (ec)
+                                        {
+                                        HOST_c2l_p(data,l,ec); p[sw]=l;
+                                        }
+                                }
+                        return;
+                        }
+                }
+
+        sw=len/HASH_CBLOCK;
+        if (sw > 0)
+                {
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+                /*
+                 * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
+                 * only if sizeof(HASH_LONG)==4.
+                 */
+                if ((((unsigned long)data)%4) == 0)
+                        {
+                        /* data is properly aligned so that we can cast it: */
+                        HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
+                        sw*=HASH_CBLOCK;
+                        data+=sw;
+                        len-=sw;
+                        }
+                else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+                        while (sw--)
+                                {
+                                memcpy (p=c->data,data,HASH_CBLOCK);
+                                HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
+                                data+=HASH_CBLOCK;
+                                len-=HASH_CBLOCK;
+                                }
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+                        {
+                        HASH_BLOCK_DATA_ORDER(c,data,sw);
+                        sw*=HASH_CBLOCK;
+                        data+=sw;
+                        len-=sw;
+                        }
+#endif
+                }
+
+        if (len!=0)
+                {
+                p = c->data;
+                c->num = len;
+                ew=len>>2;      /* words to copy */
+                ec=len&0x03;
+                for (; ew; ew--,p++)
+                        {
+                        HOST_c2l(data,l); *p=l;
+                        }
+                HOST_c2l_p(data,l,ec);
+                *p=l;
+                }
+        }
+
+
+void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
+        {
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+        if ((((unsigned long)data)%4) == 0)
+                /* data is properly aligned so that we can cast it: */
+                HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
+        else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+                {
+                memcpy (c->data,data,HASH_CBLOCK);
+                HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
+                }
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+        HASH_BLOCK_DATA_ORDER (c,data,1);
+#endif
+        }
+
+
+void HASH_FINAL (unsigned char *md, HASH_CTX *c)
+        {
+        register HASH_LONG *p;
+        register unsigned long l;
+        register int i,j;
+        static const unsigned char end[4]={0x80,0x00,0x00,0x00};
+        const unsigned char *cp=end;
+
+        /* c->num should definitly have room for at least one more byte. */
+        p=c->data;
+        i=c->num>>2;
+        j=c->num&0x03;
+
+#if 0
+        /* purify often complains about the following line as an
+         * Uninitialized Memory Read.  While this can be true, the
+         * following p_c2l macro will reset l when that case is true.
+         * This is because j&0x03 contains the number of 'valid' bytes
+         * already in p[i].  If and only if j&0x03 == 0, the UMR will
+         * occur but this is also the only time p_c2l will do
+         * l= *(cp++) instead of l|= *(cp++)
+         * Many thanks to Alex Tang <altitude@cic.net> for pickup this
+         * 'potential bug' */
+#ifdef PURIFY
+        if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
+#endif
+        l=p[i];
+#else
+        l = (j==0) ? 0 : p[i];
+#endif
+        HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
+
+        if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
+                {
+                if (i<HASH_LBLOCK) p[i]=0;
+                HASH_BLOCK_HOST_ORDER (c,p,1);
+                i=0;
+                }
+        for (; i<(HASH_LBLOCK-2); i++)
+                p[i]=0;
+
+#if   defined(DATA_ORDER_IS_BIG_ENDIAN)
+        p[HASH_LBLOCK-2]=c->Nh;
+        p[HASH_LBLOCK-1]=c->Nl;
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+        p[HASH_LBLOCK-2]=c->Nl;
+        p[HASH_LBLOCK-1]=c->Nh;
+#endif
+        HASH_BLOCK_HOST_ORDER (c,p,1);
+
+        l=c->A; HOST_l2c(l,md);
+        l=c->B; HOST_l2c(l,md);
+        l=c->C; HOST_l2c(l,md);
+        l=c->D; HOST_l2c(l,md);
+
+        c->num=0;
+        /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
+         * but I'm not worried :-)
+        memset((void *)c,0,sizeof(HASH_CTX));
+         */
+        }
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
new file mode 100644
index 0000000000..c794e186db
--- /dev/null
+++ b/src/lib/libcrypto/md4/md4.h
@@ -0,0 +1,114 @@
+/* crypto/md4/md4.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MD4_H
+#define HEADER_MD4_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_MD4
+#error MD4 is disabled.
+#endif
+
+/*
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * ! MD4_LONG has to be at least 32 bits wide. If it's wider, then !
+ * ! MD4_LONG_LOG2 has to be defined along.                        !
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ */
+
+#if defined(WIN16) || defined(__LP32__)
+#define MD4_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define MD4_LONG unsigned long
+#define MD4_LONG_LOG2 3
+/*
+ * _CRAY note. I could declare short, but I have no idea what impact
+ * does it have on performance on none-T3E machines. I could declare
+ * int, but at least on C90 sizeof(int) can be chosen at compile time.
+ * So I've chosen long...
+ *                                      <appro@fy.chalmers.se>
+ */
+#else
+#define MD4_LONG unsigned int
+#endif
+
+#define MD4_CBLOCK      64
+#define MD4_LBLOCK      (MD4_CBLOCK/4)
+#define MD4_DIGEST_LENGTH 16
+
+typedef struct MD4state_st
+        {
+        MD4_LONG A,B,C,D;
+        MD4_LONG Nl,Nh;
+        MD4_LONG data[MD4_LBLOCK];
+        int num;
+        } MD4_CTX;
+
+void MD4_Init(MD4_CTX *c);
+void MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
+void MD4_Final(unsigned char *md, MD4_CTX *c);
+unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
+void MD4_Transform(MD4_CTX *c, const unsigned char *b);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
new file mode 100644
index 0000000000..81488ae2e2
--- /dev/null
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -0,0 +1,285 @@
+/* crypto/md4/md4_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "md4_locl.h"
+#include <openssl/opensslv.h>
+
+const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
+
+/* Implemented from RFC1186 The MD4 Message-Digest Algorithm
+ */
+
+#define INIT_DATA_A (unsigned long)0x67452301L
+#define INIT_DATA_B (unsigned long)0xefcdab89L
+#define INIT_DATA_C (unsigned long)0x98badcfeL
+#define INIT_DATA_D (unsigned long)0x10325476L
+
+void MD4_Init(MD4_CTX *c)
+        {
+        c->A=INIT_DATA_A;
+        c->B=INIT_DATA_B;
+        c->C=INIT_DATA_C;
+        c->D=INIT_DATA_D;
+        c->Nl=0;
+        c->Nh=0;
+        c->num=0;
+        }
+
+#ifndef md4_block_host_order
+void md4_block_host_order (MD4_CTX *c, const void *data, int num)
+        {
+        const MD4_LONG *X=data;
+        register unsigned long A,B,C,D;
+        /*
+         * In case you wonder why A-D are declared as long and not
+         * as MD4_LONG. Doing so results in slight performance
+         * boost on LP64 architectures. The catch is we don't
+         * really care if 32 MSBs of a 64-bit register get polluted
+         * with eventual overflows as we *save* only 32 LSBs in
+         * *either* case. Now declaring 'em long excuses the compiler
+         * from keeping 32 MSBs zeroed resulting in 13% performance
+         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+         * Well, to be honest it should say that this *prevents* 
+         * performance degradation.
+         *
+         *                              <appro@fy.chalmers.se>
+         */
+
+        A=c->A;
+        B=c->B;
+        C=c->C;
+        D=c->D;
+
+        for (;num--;X+=HASH_LBLOCK)
+                {
+        /* Round 0 */
+        R0(A,B,C,D,X[ 0], 3,0);
+        R0(D,A,B,C,X[ 1], 7,0);
+        R0(C,D,A,B,X[ 2],11,0);
+        R0(B,C,D,A,X[ 3],19,0);
+        R0(A,B,C,D,X[ 4], 3,0);
+        R0(D,A,B,C,X[ 5], 7,0);
+        R0(C,D,A,B,X[ 6],11,0);
+        R0(B,C,D,A,X[ 7],19,0);
+        R0(A,B,C,D,X[ 8], 3,0);
+        R0(D,A,B,C,X[ 9], 7,0);
+        R0(C,D,A,B,X[10],11,0);
+        R0(B,C,D,A,X[11],19,0);
+        R0(A,B,C,D,X[12], 3,0);
+        R0(D,A,B,C,X[13], 7,0);
+        R0(C,D,A,B,X[14],11,0);
+        R0(B,C,D,A,X[15],19,0);
+        /* Round 1 */
+        R1(A,B,C,D,X[ 0], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 4], 5,0x5A827999L);
+        R1(C,D,A,B,X[ 8], 9,0x5A827999L);
+        R1(B,C,D,A,X[12],13,0x5A827999L);
+        R1(A,B,C,D,X[ 1], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 5], 5,0x5A827999L);
+        R1(C,D,A,B,X[ 9], 9,0x5A827999L);
+        R1(B,C,D,A,X[13],13,0x5A827999L);
+        R1(A,B,C,D,X[ 2], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 6], 5,0x5A827999L);
+        R1(C,D,A,B,X[10], 9,0x5A827999L);
+        R1(B,C,D,A,X[14],13,0x5A827999L);
+        R1(A,B,C,D,X[ 3], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 7], 5,0x5A827999L);
+        R1(C,D,A,B,X[11], 9,0x5A827999L);
+        R1(B,C,D,A,X[15],13,0x5A827999L);
+        /* Round 2 */
+        R2(A,B,C,D,X[ 0], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[ 8], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 4],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[12],15,0x6ED9EBA1);
+        R2(A,B,C,D,X[ 2], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[10], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 6],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[14],15,0x6ED9EBA1);
+        R2(A,B,C,D,X[ 1], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[ 9], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 5],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[13],15,0x6ED9EBA1);
+        R2(A,B,C,D,X[ 3], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[11], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 7],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[15],15,0x6ED9EBA1);
+
+        A = c->A += A;
+        B = c->B += B;
+        C = c->C += C;
+        D = c->D += D;
+                }
+        }
+#endif
+
+#ifndef md4_block_data_order
+#ifdef X
+#undef X
+#endif
+void md4_block_data_order (MD4_CTX *c, const void *data_, int num)
+        {
+        const unsigned char *data=data_;
+        register unsigned long A,B,C,D,l;
+        /*
+         * In case you wonder why A-D are declared as long and not
+         * as MD4_LONG. Doing so results in slight performance
+         * boost on LP64 architectures. The catch is we don't
+         * really care if 32 MSBs of a 64-bit register get polluted
+         * with eventual overflows as we *save* only 32 LSBs in
+         * *either* case. Now declaring 'em long excuses the compiler
+         * from keeping 32 MSBs zeroed resulting in 13% performance
+         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+         * Well, to be honest it should say that this *prevents* 
+         * performance degradation.
+         *
+         *                              <appro@fy.chalmers.se>
+         */
+#ifndef MD32_XARRAY
+        /* See comment in crypto/sha/sha_locl.h for details. */
+        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i)   XX##i
+#else
+        MD4_LONG XX[MD4_LBLOCK];
+# define X(i)   XX[i]
+#endif
+
+        A=c->A;
+        B=c->B;
+        C=c->C;
+        D=c->D;
+
+        for (;num--;)
+                {
+        HOST_c2l(data,l); X( 0)=l;              HOST_c2l(data,l); X( 1)=l;
+        /* Round 0 */
+        R0(A,B,C,D,X( 0), 3,0); HOST_c2l(data,l); X( 2)=l;
+        R0(D,A,B,C,X( 1), 7,0); HOST_c2l(data,l); X( 3)=l;
+        R0(C,D,A,B,X( 2),11,0); HOST_c2l(data,l); X( 4)=l;
+        R0(B,C,D,A,X( 3),19,0); HOST_c2l(data,l); X( 5)=l;
+        R0(A,B,C,D,X( 4), 3,0); HOST_c2l(data,l); X( 6)=l;
+        R0(D,A,B,C,X( 5), 7,0); HOST_c2l(data,l); X( 7)=l;
+        R0(C,D,A,B,X( 6),11,0); HOST_c2l(data,l); X( 8)=l;
+        R0(B,C,D,A,X( 7),19,0); HOST_c2l(data,l); X( 9)=l;
+        R0(A,B,C,D,X( 8), 3,0); HOST_c2l(data,l); X(10)=l;
+        R0(D,A,B,C,X( 9), 7,0); HOST_c2l(data,l); X(11)=l;
+        R0(C,D,A,B,X(10),11,0); HOST_c2l(data,l); X(12)=l;
+        R0(B,C,D,A,X(11),19,0); HOST_c2l(data,l); X(13)=l;
+        R0(A,B,C,D,X(12), 3,0); HOST_c2l(data,l); X(14)=l;
+        R0(D,A,B,C,X(13), 7,0); HOST_c2l(data,l); X(15)=l;
+        R0(C,D,A,B,X(14),11,0);
+        R0(B,C,D,A,X(15),19,0);
+        /* Round 1 */
+        R1(A,B,C,D,X( 0), 3,0x5A827999L);
+        R1(D,A,B,C,X( 4), 5,0x5A827999L);
+        R1(C,D,A,B,X( 8), 9,0x5A827999L);
+        R1(B,C,D,A,X(12),13,0x5A827999L);
+        R1(A,B,C,D,X( 1), 3,0x5A827999L);
+        R1(D,A,B,C,X( 5), 5,0x5A827999L);
+        R1(C,D,A,B,X( 9), 9,0x5A827999L);
+        R1(B,C,D,A,X(13),13,0x5A827999L);
+        R1(A,B,C,D,X( 2), 3,0x5A827999L);
+        R1(D,A,B,C,X( 6), 5,0x5A827999L);
+        R1(C,D,A,B,X(10), 9,0x5A827999L);
+        R1(B,C,D,A,X(14),13,0x5A827999L);
+        R1(A,B,C,D,X( 3), 3,0x5A827999L);
+        R1(D,A,B,C,X( 7), 5,0x5A827999L);
+        R1(C,D,A,B,X(11), 9,0x5A827999L);
+        R1(B,C,D,A,X(15),13,0x5A827999L);
+        /* Round 2 */
+        R2(A,B,C,D,X( 0), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X( 8), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 4),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(12),15,0x6ED9EBA1L);
+        R2(A,B,C,D,X( 2), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X(10), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 6),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(14),15,0x6ED9EBA1L);
+        R2(A,B,C,D,X( 1), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X( 9), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 5),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(13),15,0x6ED9EBA1L);
+        R2(A,B,C,D,X( 3), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X(11), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 7),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(15),15,0x6ED9EBA1L);
+
+        A = c->A += A;
+        B = c->B += B;
+        C = c->C += C;
+        D = c->D += D;
+                }
+        }
+#endif
+
+#ifdef undef
+int printit(unsigned long *l)
+        {
+        int i,ii;
+
+        for (i=0; i<2; i++)
+                {
+                for (ii=0; ii<8; ii++)
+                        {
+                        fprintf(stderr,"%08lx ",l[i*8+ii]);
+                        }
+                fprintf(stderr,"\n");
+                }
+        }
+#endif
diff --git a/src/lib/libcrypto/md4/md4_locl.h b/src/lib/libcrypto/md4/md4_locl.h
new file mode 100644
index 0000000000..0a2b39018d
--- /dev/null
+++ b/src/lib/libcrypto/md4/md4_locl.h
@@ -0,0 +1,154 @@
+/* crypto/md4/md4_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/opensslconf.h>
+#include <openssl/md4.h>
+
+#ifndef MD4_LONG_LOG2
+#define MD4_LONG_LOG2 2 /* default to 32 bits */
+#endif
+
+void md4_block_host_order (MD4_CTX *c, const void *p,int num);
+void md4_block_data_order (MD4_CTX *c, const void *p,int num);
+
+#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+/*
+ * *_block_host_order is expected to handle aligned data while
+ * *_block_data_order - unaligned. As algorithm and host (x86)
+ * are in this case of the same "endianness" these two are
+ * otherwise indistinguishable. But normally you don't want to
+ * call the same function because unaligned access in places
+ * where alignment is expected is usually a "Bad Thing". Indeed,
+ * on RISCs you get punished with BUS ERROR signal or *severe*
+ * performance degradation. Intel CPUs are in turn perfectly
+ * capable of loading unaligned data without such drastic side
+ * effect. Yes, they say it's slower than aligned load, but no
+ * exception is generated and therefore performance degradation
+ * is *incomparable* with RISCs. What we should weight here is
+ * costs of unaligned access against costs of aligning data.
+ * According to my measurements allowing unaligned access results
+ * in ~9% performance improvement on Pentium II operating at
+ * 266MHz. I won't be surprised if the difference will be higher
+ * on faster systems:-)
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#define md4_block_data_order md4_block_host_order
+#endif
+
+#define DATA_ORDER_IS_LITTLE_ENDIAN
+
+#define HASH_LONG               MD4_LONG
+#define HASH_LONG_LOG2          MD4_LONG_LOG2
+#define HASH_CTX                MD4_CTX
+#define HASH_CBLOCK             MD4_CBLOCK
+#define HASH_LBLOCK             MD4_LBLOCK
+#define HASH_UPDATE             MD4_Update
+#define HASH_TRANSFORM          MD4_Transform
+#define HASH_FINAL              MD4_Final
+#define HASH_MAKE_STRING(c,s)   do {    \
+        unsigned long ll;               \
+        ll=(c)->A; HOST_l2c(ll,(s));    \
+        ll=(c)->B; HOST_l2c(ll,(s));    \
+        ll=(c)->C; HOST_l2c(ll,(s));    \
+        ll=(c)->D; HOST_l2c(ll,(s));    \
+        } while (0)
+#define HASH_BLOCK_HOST_ORDER   md4_block_host_order
+#if !defined(L_ENDIAN) || defined(md4_block_data_order)
+#define HASH_BLOCK_DATA_ORDER   md4_block_data_order
+/*
+ * Little-endians (Intel and Alpha) feel better without this.
+ * It looks like memcpy does better job than generic
+ * md4_block_data_order on copying-n-aligning input data.
+ * But frankly speaking I didn't expect such result on Alpha.
+ * On the other hand I've got this with egcs-1.0.2 and if
+ * program is compiled with another (better?) compiler it
+ * might turn out other way around.
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#endif
+
+#include "md32_common.h"
+
+/*
+#define F(x,y,z)        (((x) & (y))  |  ((~(x)) & (z)))
+#define G(x,y,z)        (((x) & (y))  |  ((x) & ((z))) | ((y) & ((z))))
+*/
+
+/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+ * simplified to the code below.  Wei attributes these optimizations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ */
+#define F(b,c,d)        ((((c) ^ (d)) & (b)) ^ (d))
+#define G(b,c,d)        (((b) & (c)) | ((b) & (d)) | ((c) & (d)))
+#define H(b,c,d)        ((b) ^ (c) ^ (d))
+
+#define R0(a,b,c,d,k,s,t) { \
+        a+=((k)+(t)+F((b),(c),(d))); \
+        a=ROTATE(a,s); };
+
+#define R1(a,b,c,d,k,s,t) { \
+        a+=((k)+(t)+G((b),(c),(d))); \
+        a=ROTATE(a,s); };\
+
+#define R2(a,b,c,d,k,s,t) { \
+        a+=((k)+(t)+H((b),(c),(d))); \
+        a=ROTATE(a,s); };
diff --git a/src/lib/libcrypto/md4/md4_one.c b/src/lib/libcrypto/md4/md4_one.c
new file mode 100644
index 0000000000..87a995d38d
--- /dev/null
+++ b/src/lib/libcrypto/md4/md4_one.c
@@ -0,0 +1,95 @@
+/* crypto/md4/md4_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/md4.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
+        {
+        MD4_CTX c;
+        static unsigned char m[MD4_DIGEST_LENGTH];
+
+        if (md == NULL) md=m;
+        MD4_Init(&c);
+#ifndef CHARSET_EBCDIC
+        MD4_Update(&c,d,n);
+#else
+        {
+                char temp[1024];
+                unsigned long chunk;
+
+                while (n > 0)
+                {
+                        chunk = (n > sizeof(temp)) ? sizeof(temp) : n;
+                        ebcdic2ascii(temp, d, chunk);
+                        MD4_Update(&c,temp,chunk);
+                        n -= chunk;
+                        d += chunk;
+                }
+        }
+#endif
+        MD4_Final(md,&c);
+        memset(&c,0,sizeof(c)); /* security consideration */
+        return(md);
+        }
+
diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c
new file mode 100644
index 0000000000..14770c0733
--- /dev/null
+++ b/src/lib/libcrypto/mem_dbg.c
@@ -0,0 +1,703 @@
+/* crypto/mem_dbg.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>       
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include "cryptlib.h"
+
+static int mh_mode=CRYPTO_MEM_CHECK_OFF;
+/* The state changes to CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE
+ * when the application asks for it (usually after library initialisation
+ * for which no book-keeping is desired).
+ *
+ * State CRYPTO_MEM_CHECK_ON exists only temporarily when the library
+ * thinks that certain allocations should not be checked (e.g. the data
+ * structures used for memory checking).  It is not suitable as an initial
+ * state: the library will unexpectedly enable memory checking when it
+ * executes one of those sections that want to disable checking
+ * temporarily.
+ *
+ * State CRYPTO_MEM_CHECK_ENABLE without ..._ON makes no sense whatsoever.
+ */
+
+static unsigned long order = 0; /* number of memory requests */
+static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
+
+
+typedef struct app_mem_info_st
+/* For application-defined information (static C-string `info')
+ * to be displayed in memory leak list.
+ * Each thread has its own stack.  For applications, there is
+ *   CRYPTO_push_info("...")     to push an entry,
+ *   CRYPTO_pop_info()           to pop an entry,
+ *   CRYPTO_remove_all_info()    to pop all entries.
+ */
+        {       
+        unsigned long thread;
+        const char *file;
+        int line;
+        const char *info;
+        struct app_mem_info_st *next; /* tail of thread's stack */
+        int references;
+        } APP_INFO;
+
+static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
+                          * that are at the top of their thread's stack
+                          * (with `thread' as key) */
+
+typedef struct mem_st
+/* memory-block description */
+        {
+        char *addr;
+        int num;
+        const char *file;
+        int line;
+        unsigned long thread;
+        unsigned long order;
+        time_t time;
+        APP_INFO *app_info;
+        } MEM;
+
+static long options =             /* extra information to be recorded */
+#if defined(CRYPTO_MDEBUG_TIME) || defined(CRYPTO_MDEBUG_ALL)
+        V_CRYPTO_MDEBUG_TIME |
+#endif
+#if defined(CRYPTO_MDEBUG_THREAD) || defined(CRYPTO_MDEBUG_ALL)
+        V_CRYPTO_MDEBUG_THREAD |
+#endif
+        0;
+
+
+static unsigned long disabling_thread = 0;
+
+int CRYPTO_mem_ctrl(int mode)
+        {
+        int ret=mh_mode;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+        switch (mode)
+                {
+        /* for applications: */
+        case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */
+                mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE;
+                disabling_thread = 0;
+                break;
+        case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */
+                mh_mode = 0;
+                disabling_thread = 0;
+                break;
+
+        /* switch off temporarily (for library-internal use): */
+        case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */
+                if (mh_mode & CRYPTO_MEM_CHECK_ON)
+                        {
+                        mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE;
+                        if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */
+                                {
+                                /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while
+                                 * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if
+                                 * somebody else holds CRYPTO_LOCK_MALLOC2 (and cannot release
+                                 * it because we block entry to this function).
+                                 * Give them a chance, first, and then claim the locks in
+                                 * appropriate order (long-time lock first).
+                                 */
+                                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+                                /* Note that after we have waited for CRYPTO_LOCK_MALLOC2
+                                 * and CRYPTO_LOCK_MALLOC, we'll still be in the right
+                                 * "case" and "if" branch because MemCheck_start and
+                                 * MemCheck_stop may never be used while there are multiple
+                                 * OpenSSL threads. */
+                                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+                                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+                                disabling_thread=CRYPTO_thread_id();
+                                }
+                        }
+                break;
+        case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */
+                if (mh_mode & CRYPTO_MEM_CHECK_ON)
+                        {
+                        mh_mode|=CRYPTO_MEM_CHECK_ENABLE;
+                        if (disabling_thread != 0)
+                                {
+                                disabling_thread=0;
+                                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+                                }
+                        }
+                break;
+
+        default:
+                break;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+        return(ret);
+        }
+
+int CRYPTO_is_mem_check_on(void)
+        {
+        int ret = 0;
+
+        if (mh_mode & CRYPTO_MEM_CHECK_ON)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+
+                ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
+                        && disabling_thread != CRYPTO_thread_id();
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+                }
+        return(ret);
+        }       
+
+
+void CRYPTO_dbg_set_options(long bits)
+        {
+        options = bits;
+        }
+
+long CRYPTO_dbg_get_options(void)
+        {
+        return options;
+        }
+
+static int mem_cmp(MEM *a, MEM *b)
+        {
+        return(a->addr - b->addr);
+        }
+
+static unsigned long mem_hash(MEM *a)
+        {
+        unsigned long ret;
+
+        ret=(unsigned long)a->addr;
+
+        ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
+        return(ret);
+        }
+
+static int app_info_cmp(APP_INFO *a, APP_INFO *b)
+        {
+        return(a->thread != b->thread);
+        }
+
+static unsigned long app_info_hash(APP_INFO *a)
+        {
+        unsigned long ret;
+
+        ret=(unsigned long)a->thread;
+
+        ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
+        return(ret);
+        }
+
+static APP_INFO *pop_info()
+        {
+        APP_INFO tmp;
+        APP_INFO *ret = NULL;
+
+        if (amih != NULL)
+                {
+                tmp.thread=CRYPTO_thread_id();
+                if ((ret=(APP_INFO *)lh_delete(amih,&tmp)) != NULL)
+                        {
+                        APP_INFO *next=ret->next;
+
+                        if (next != NULL)
+                                {
+                                next->references++;
+                                lh_insert(amih,(char *)next);
+                                }
+#ifdef LEVITTE_DEBUG
+                        if (ret->thread != tmp.thread)
+                                {
+                                fprintf(stderr, "pop_info(): deleted info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+                                        ret->thread, tmp.thread);
+                                abort();
+                                }
+#endif
+                        if (--(ret->references) <= 0)
+                                {
+                                ret->next = NULL;
+                                if (next != NULL)
+                                        next->references--;
+                                Free(ret);
+                                }
+                        }
+                }
+        return(ret);
+        }
+
+int CRYPTO_push_info_(const char *info, const char *file, int line)
+        {
+        APP_INFO *ami, *amim;
+        int ret=0;
+
+        if (is_MemCheck_on())
+                {
+                MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                if ((ami = (APP_INFO *)Malloc(sizeof(APP_INFO))) == NULL)
+                        {
+                        ret=0;
+                        goto err;
+                        }
+                if (amih == NULL)
+                        {
+                        if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)
+                                {
+                                Free(ami);
+                                ret=0;
+                                goto err;
+                                }
+                        }
+
+                ami->thread=CRYPTO_thread_id();
+                ami->file=file;
+                ami->line=line;
+                ami->info=info;
+                ami->references=1;
+                ami->next=NULL;
+
+                if ((amim=(APP_INFO *)lh_insert(amih,(char *)ami)) != NULL)
+                        {
+#ifdef LEVITTE_DEBUG
+                        if (ami->thread != amim->thread)
+                                {
+                                fprintf(stderr, "CRYPTO_push_info(): previous info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+                                        amim->thread, ami->thread);
+                                abort();
+                                }
+#endif
+                        ami->next=amim;
+                        }
+ err:
+                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                }
+
+        return(ret);
+        }
+
+int CRYPTO_pop_info(void)
+        {
+        int ret=0;
+
+        if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */
+                {
+                MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                ret=(pop_info() != NULL);
+
+                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                }
+        return(ret);
+        }
+
+int CRYPTO_remove_all_info(void)
+        {
+        int ret=0;
+
+        if (is_MemCheck_on()) /* _must_ be true */
+                {
+                MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                while(pop_info() != NULL)
+                        ret++;
+
+                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                }
+        return(ret);
+        }
+
+
+static unsigned long break_order_num=0;
+void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
+        int before_p)
+        {
+        MEM *m,*mm;
+        APP_INFO tmp,*amim;
+
+        switch(before_p & 127)
+                {
+        case 0:
+                break;
+        case 1:
+                if (addr == NULL)
+                        break;
+
+                if (is_MemCheck_on())
+                        {
+                        MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+                        if ((m=(MEM *)Malloc(sizeof(MEM))) == NULL)
+                                {
+                                Free(addr);
+                                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                                return;
+                                }
+                        if (mh == NULL)
+                                {
+                                if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)
+                                        {
+                                        Free(addr);
+                                        Free(m);
+                                        addr=NULL;
+                                        goto err;
+                                        }
+                                }
+
+                        m->addr=addr;
+                        m->file=file;
+                        m->line=line;
+                        m->num=num;
+                        if (options & V_CRYPTO_MDEBUG_THREAD)
+                                m->thread=CRYPTO_thread_id();
+                        else
+                                m->thread=0;
+
+                        if (order == break_order_num)
+                                {
+                                /* BREAK HERE */
+                                m->order=order;
+                                }
+                        m->order=order++;
+#ifdef LEVITTE_DEBUG
+                        fprintf(stderr, "LEVITTE_DEBUG: [%5d] %c 0x%p (%d)\n",
+                                m->order,
+                                (before_p & 128) ? '*' : '+',
+                                m->addr, m->num);
+#endif
+                        if (options & V_CRYPTO_MDEBUG_TIME)
+                                m->time=time(NULL);
+                        else
+                                m->time=0;
+
+                        tmp.thread=CRYPTO_thread_id();
+                        m->app_info=NULL;
+                        if (amih != NULL
+                                && (amim=(APP_INFO *)lh_retrieve(amih,(char *)&tmp)) != NULL)
+                                {
+                                m->app_info = amim;
+                                amim->references++;
+                                }
+
+                        if ((mm=(MEM *)lh_insert(mh,(char *)m)) != NULL)
+                                {
+                                /* Not good, but don't sweat it */
+                                if (mm->app_info != NULL)
+                                        {
+                                        mm->app_info->references--;
+                                        }
+                                Free(mm);
+                                }
+                err:
+                        MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                        }
+                break;
+                }
+        return;
+        }
+
+void CRYPTO_dbg_free(void *addr, int before_p)
+        {
+        MEM m,*mp;
+
+        switch(before_p)
+                {
+        case 0:
+                if (addr == NULL)
+                        break;
+
+                if (is_MemCheck_on() && (mh != NULL))
+                        {
+                        MemCheck_off();
+
+                        m.addr=addr;
+                        mp=(MEM *)lh_delete(mh,(char *)&m);
+                        if (mp != NULL)
+                                {
+#ifdef LEVITTE_DEBUG
+                        fprintf(stderr, "LEVITTE_DEBUG: [%5d] - 0x%p (%d)\n",
+                                mp->order, mp->addr, mp->num);
+#endif
+                                if (mp->app_info != NULL)
+                                        {
+                                        mp->app_info->references--;
+                                        }
+                                Free(mp);
+                                }
+
+                        MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                        }
+                break;
+        case 1:
+                break;
+                }
+        }
+
+void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
+        const char *file, int line, int before_p)
+        {
+        MEM m,*mp;
+
+#ifdef LEVITTE_DEBUG
+        fprintf(stderr, "LEVITTE_DEBUG: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n",
+                addr1, addr2, num, file, line, before_p);
+#endif
+
+        switch(before_p)
+                {
+        case 0:
+                break;
+        case 1:
+                if (addr2 == NULL)
+                        break;
+
+                if (addr1 == NULL)
+                        {
+                        CRYPTO_dbg_malloc(addr2, num, file, line, 128 | before_p);
+                        break;
+                        }
+
+                if (is_MemCheck_on())
+                        {
+                        MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                        m.addr=addr1;
+                        mp=(MEM *)lh_delete(mh,(char *)&m);
+                        if (mp != NULL)
+                                {
+#ifdef LEVITTE_DEBUG
+                                fprintf(stderr, "LEVITTE_DEBUG: [%5d] * 0x%p (%d) -> 0x%p (%d)\n",
+                                        mp->order,
+                                        mp->addr, mp->num,
+                                        addr2, num);
+#endif
+                                mp->addr=addr2;
+                                mp->num=num;
+                                lh_insert(mh,(char *)mp);
+                                }
+
+                        MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                        }
+                break;
+                }
+        return;
+        }
+
+
+typedef struct mem_leak_st
+        {
+        BIO *bio;
+        int chunks;
+        long bytes;
+        } MEM_LEAK;
+
+static void print_leak(MEM *m, MEM_LEAK *l)
+        {
+        char buf[1024];
+        char *bufp = buf;
+        APP_INFO *amip;
+        int ami_cnt;
+        struct tm *lcl = NULL;
+        unsigned long ti;
+
+        if(m->addr == (char *)l->bio)
+            return;
+
+        if (options & V_CRYPTO_MDEBUG_TIME)
+                {
+                lcl = localtime(&m->time);
+        
+                sprintf(bufp, "[%02d:%02d:%02d] ",
+                        lcl->tm_hour,lcl->tm_min,lcl->tm_sec);
+                bufp += strlen(bufp);
+                }
+
+        sprintf(bufp, "%5lu file=%s, line=%d, ",
+                m->order,m->file,m->line);
+        bufp += strlen(bufp);
+
+        if (options & V_CRYPTO_MDEBUG_THREAD)
+                {
+                sprintf(bufp, "thread=%lu, ", m->thread);
+                bufp += strlen(bufp);
+                }
+
+        sprintf(bufp, "number=%d, address=%08lX\n",
+                m->num,(unsigned long)m->addr);
+        bufp += strlen(bufp);
+
+        BIO_puts(l->bio,buf);
+        
+        l->chunks++;
+        l->bytes+=m->num;
+
+        amip=m->app_info;
+        ami_cnt=0;
+        if (!amip)
+                return;
+        ti=amip->thread;
+        
+        do
+                {
+                int buf_len;
+                int info_len;
+
+                ami_cnt++;
+                memset(buf,'>',ami_cnt);
+                sprintf(buf + ami_cnt,
+                        " thread=%lu, file=%s, line=%d, info=\"",
+                        amip->thread, amip->file, amip->line);
+                buf_len=strlen(buf);
+                info_len=strlen(amip->info);
+                if (128 - buf_len - 3 < info_len)
+                        {
+                        memcpy(buf + buf_len, amip->info, 128 - buf_len - 3);
+                        buf_len = 128 - 3;
+                        }
+                else
+                        {
+                        strcpy(buf + buf_len, amip->info);
+                        buf_len = strlen(buf);
+                        }
+                sprintf(buf + buf_len, "\"\n");
+                
+                BIO_puts(l->bio,buf);
+
+                amip = amip->next;
+                }
+        while(amip && amip->thread == ti);
+                
+#ifdef LEVITTE_DEBUG
+        if (amip)
+                {
+                fprintf(stderr, "Thread switch detected in backtrace!!!!\n");
+                abort();
+                }
+#endif
+        }
+
+void CRYPTO_mem_leaks(BIO *b)
+        {
+        MEM_LEAK ml;
+        char buf[80];
+
+        if (mh == NULL) return;
+        ml.bio=b;
+        ml.bytes=0;
+        ml.chunks=0;
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+        lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml);
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+        if (ml.chunks != 0)
+                {
+                sprintf(buf,"%ld bytes leaked in %d chunks\n",
+                        ml.bytes,ml.chunks);
+                BIO_puts(b,buf);
+                }
+
+#if 0
+        lh_stats_bio(mh,b);
+        lh_node_stats_bio(mh,b);
+        lh_node_usage_stats_bio(mh,b);
+#endif
+        }
+
+union void_fn_to_char_u
+        {
+        char *char_p;
+        void (*fn_p)();
+        };
+
+static void cb_leak(MEM *m, char *cb)
+        {
+        union void_fn_to_char_u mem_callback;
+
+        mem_callback.char_p=cb;
+        mem_callback.fn_p(m->order,m->file,m->line,m->num,m->addr);
+        }
+
+void CRYPTO_mem_leaks_cb(void (*cb)())
+        {
+        union void_fn_to_char_u mem_cb;
+
+        if (mh == NULL) return;
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+        mem_cb.fn_p=cb;
+        lh_doall_arg(mh,(void (*)())cb_leak,mem_cb.char_p);
+        mem_cb.char_p=NULL;
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+        }
+
+#ifndef NO_FP_API
+void CRYPTO_mem_leaks_fp(FILE *fp)
+        {
+        BIO *b;
+
+        if (mh == NULL) return;
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                return;
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        CRYPTO_mem_leaks(b);
+        BIO_free(b);
+        }
+#endif
+
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
new file mode 100644
index 0000000000..1bc0297b36
--- /dev/null
+++ b/src/lib/libcrypto/o_time.c
@@ -0,0 +1,203 @@
+/* crypto/o_time.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/e_os2.h>
+#include <string.h>
+#include "o_time.h"
+
+#ifdef OPENSSL_SYS_VMS
+# include <libdtdef.h>
+# include <lib$routines.h>
+# include <lnmdef.h>
+# include <starlet.h>
+# include <descrip.h>
+# include <stdlib.h>
+#endif
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
+        {
+        struct tm *ts = NULL;
+
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
+        /* should return &data, but doesn't on some systems,
+           so we don't even look at the return value */
+        gmtime_r(timer,result);
+        ts = result;
+#elif !defined(OPENSSL_SYS_VMS)
+        ts = gmtime(timer);
+        memcpy(result, ts, sizeof(struct tm));
+        ts = result;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        if (ts == NULL)
+                {
+                static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
+                static $DESCRIPTOR(lognam,"SYS$TIMEZONE_DIFFERENTIAL");
+                char logvalue[256];
+                unsigned int reslen = 0;
+                struct {
+                        short buflen;
+                        short code;
+                        void *bufaddr;
+                        unsigned int *reslen;
+                } itemlist[] = {
+                        { 0, LNM$_STRING, 0, 0 },
+                        { 0, 0, 0, 0 },
+                };
+                int status;
+                time_t t;
+
+                /* Get the value for SYS$TIMEZONE_DIFFERENTIAL */
+                itemlist[0].buflen = sizeof(logvalue);
+                itemlist[0].bufaddr = logvalue;
+                itemlist[0].reslen = &reslen;
+                status = sys$trnlnm(0, &tabnam, &lognam, 0, itemlist);
+                if (!(status & 1))
+                        return NULL;
+                logvalue[reslen] = '\0';
+
+                /* Get the numerical value of the equivalence string */
+                status = atoi(logvalue);
+
+                /* and use it to move time to GMT */
+                t = *timer - status;
+
+                /* then convert the result to the time structure */
+#ifndef OPENSSL_THREADS
+                ts=(struct tm *)localtime(&t);
+#else
+                /* Since there was no gmtime_r() to do this stuff for us,
+                   we have to do it the hard way. */
+                {
+                /* The VMS epoch is the astronomical Smithsonian date,
+                   if I remember correctly, which is November 17, 1858.
+                   Furthermore, time is measure in thenths of microseconds
+                   and stored in quadwords (64 bit integers).  unix_epoch
+                   below is January 1st 1970 expressed as a VMS time.  The
+                   following code was used to get this number:
+
+                   #include <stdio.h>
+                   #include <stdlib.h>
+                   #include <lib$routines.h>
+                   #include <starlet.h>
+
+                   main()
+                   {
+                     unsigned long systime[2];
+                     unsigned short epoch_values[7] =
+                       { 1970, 1, 1, 0, 0, 0, 0 };
+
+                     lib$cvt_vectim(epoch_values, systime);
+
+                     printf("%u %u", systime[0], systime[1]);
+                   }
+                */
+                unsigned long unix_epoch[2] = { 1273708544, 8164711 };
+                unsigned long deltatime[2];
+                unsigned long systime[2];
+                struct vms_vectime
+                        {
+                        short year, month, day, hour, minute, second,
+                                centi_second;
+                        } time_values;
+                long operation;
+
+                /* Turn the number of seconds since January 1st 1970 to
+                   an internal delta time.
+                   Note that lib$cvt_to_internal_time() will assume
+                   that t is signed, and will therefore break on 32-bit
+                   systems some time in 2038.
+                */
+                operation = LIB$K_DELTA_SECONDS;
+                status = lib$cvt_to_internal_time(&operation,
+                        &t, deltatime);
+
+                /* Add the delta time with the Unix epoch and we have
+                   the current UTC time in internal format */
+                status = lib$add_times(unix_epoch, deltatime, systime);
+
+                /* Turn the internal time into a time vector */
+                status = sys$numtim(&time_values, systime);
+
+                /* Fill in the struct tm with the result */
+                result->tm_sec = time_values.second;
+                result->tm_min = time_values.minute;
+                result->tm_hour = time_values.hour;
+                result->tm_mday = time_values.day;
+                result->tm_mon = time_values.month - 1;
+                result->tm_year = time_values.year - 1900;
+
+                operation = LIB$K_DAY_OF_WEEK;
+                status = lib$cvt_from_internal_time(&operation,
+                        &result->tm_wday, systime);
+                result->tm_wday %= 7;
+
+                operation = LIB$K_DAY_OF_YEAR;
+                status = lib$cvt_from_internal_time(&operation,
+                        &result->tm_yday, systime);
+                result->tm_yday--;
+
+                result->tm_isdst = 0; /* There's no way to know... */
+
+                ts = result;
+#endif
+                }
+                }
+#endif
+        return ts;
+        }       
diff --git a/src/lib/libcrypto/o_time.h b/src/lib/libcrypto/o_time.h
new file mode 100644
index 0000000000..e66044626d
--- /dev/null
+++ b/src/lib/libcrypto/o_time.h
@@ -0,0 +1,66 @@
+/* crypto/o_time.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_O_TIME_H
+#define HEADER_O_TIME_H
+
+#include <time.h>
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
+
+#endif
diff --git a/src/lib/libcrypto/objects/o_names.c b/src/lib/libcrypto/objects/o_names.c
new file mode 100644
index 0000000000..4da5e45b9c
--- /dev/null
+++ b/src/lib/libcrypto/objects/o_names.c
@@ -0,0 +1,243 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/lhash.h>
+#include <openssl/objects.h>
+
+/* I use the ex_data stuff to manage the identifiers for the obj_name_types
+ * that applications may define.  I only really use the free function field.
+ */
+static LHASH *names_lh=NULL;
+static int names_type_num=OBJ_NAME_TYPE_NUM;
+static STACK *names_cmp=NULL;
+static STACK *names_hash=NULL;
+static STACK *names_free=NULL;
+
+static unsigned long obj_name_hash(OBJ_NAME *a);
+static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b);
+
+int OBJ_NAME_init(void)
+        {
+        if (names_lh != NULL) return(1);
+        MemCheck_off();
+        names_lh=lh_new(obj_name_hash,obj_name_cmp);
+        MemCheck_on();
+        return(names_lh != NULL);
+        }
+
+int OBJ_NAME_new_index(unsigned long (*hash_func)(), int (*cmp_func)(),
+             void (*free_func)())
+        {
+        int ret;
+        int i;
+
+        if (names_free == NULL)
+                {
+                MemCheck_off();
+                names_hash=sk_new_null();
+                names_cmp=sk_new_null();
+                names_free=sk_new_null();
+                MemCheck_on();
+                }
+        if ((names_free == NULL) || (names_hash == NULL) || (names_cmp == NULL))
+                {
+                /* ERROR */
+                return(0);
+                }
+        ret=names_type_num;
+        names_type_num++;
+        for (i=sk_num(names_free); i<names_type_num; i++)
+                {
+                MemCheck_off();
+                sk_push(names_hash,(char *)strcmp);
+                sk_push(names_cmp,(char *)lh_strhash);
+                sk_push(names_free,NULL);
+                MemCheck_on();
+                }
+        if (hash_func != NULL)
+                sk_set(names_hash,ret,(char *)hash_func);
+        if (cmp_func != NULL)
+                sk_set(names_cmp,ret,(char *)cmp_func);
+        if (free_func != NULL)
+                sk_set(names_free,ret,(char *)free_func);
+        return(ret);
+        }
+
+static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
+        {
+        int ret;
+        int (*cmp)();
+
+        ret=a->type-b->type;
+        if (ret == 0)
+                {
+                if ((names_cmp != NULL) && (sk_num(names_cmp) > a->type))
+                        {
+                        cmp=(int (*)())sk_value(names_cmp,a->type);
+                        ret=cmp(a->name,b->name);
+                        }
+                else
+                        ret=strcmp(a->name,b->name);
+                }
+        return(ret);
+        }
+
+static unsigned long obj_name_hash(OBJ_NAME *a)
+        {
+        unsigned long ret;
+        unsigned long (*hash)();
+
+        if ((names_hash != NULL) && (sk_num(names_hash) > a->type))
+                {
+                hash=(unsigned long (*)())sk_value(names_hash,a->type);
+                ret=hash(a->name);
+                }
+        else
+                {
+                ret=lh_strhash(a->name);
+                }
+        ret^=a->type;
+        return(ret);
+        }
+
+const char *OBJ_NAME_get(const char *name, int type)
+        {
+        OBJ_NAME on,*ret;
+        int num=0,alias;
+
+        if (name == NULL) return(NULL);
+        if ((names_lh == NULL) && !OBJ_NAME_init()) return(NULL);
+
+        alias=type&OBJ_NAME_ALIAS;
+        type&= ~OBJ_NAME_ALIAS;
+
+        on.name=name;
+        on.type=type;
+
+        for (;;)
+                {
+                ret=(OBJ_NAME *)lh_retrieve(names_lh,(char *)&on);
+                if (ret == NULL) return(NULL);
+                if ((ret->alias) && !alias)
+                        {
+                        if (++num > 10) return(NULL);
+                        on.name=ret->data;
+                        }
+                else
+                        {
+                        return(ret->data);
+                        }
+                }
+        }
+
+int OBJ_NAME_add(const char *name, int type, const char *data)
+        {
+        void (*f)();
+        OBJ_NAME *onp,*ret;
+        int alias;
+
+        if ((names_lh == NULL) && !OBJ_NAME_init()) return(0);
+
+        alias=type&OBJ_NAME_ALIAS;
+        type&= ~OBJ_NAME_ALIAS;
+
+        onp=(OBJ_NAME *)Malloc(sizeof(OBJ_NAME));
+        if (onp == NULL)
+                {
+                /* ERROR */
+                return(0);
+                }
+
+        onp->name=name;
+        onp->alias=alias;
+        onp->type=type;
+        onp->data=data;
+
+        ret=(OBJ_NAME *)lh_insert(names_lh,(char *)onp);
+        if (ret != NULL)
+                {
+                /* free things */
+                if ((names_free != NULL) && (sk_num(names_free) > ret->type))
+                        {
+                        f=(void (*)())sk_value(names_free,ret->type);
+                        f(ret->name,ret->type,ret->data);
+                        }
+                Free((char *)ret);
+                }
+        else
+                {
+                if (lh_error(names_lh))
+                        {
+                        /* ERROR */
+                        return(0);
+                        }
+                }
+        return(1);
+        }
+
+int OBJ_NAME_remove(const char *name, int type)
+        {
+        OBJ_NAME on,*ret;
+        void (*f)();
+
+        if (names_lh == NULL) return(0);
+
+        type&= ~OBJ_NAME_ALIAS;
+        on.name=name;
+        on.type=type;
+        ret=(OBJ_NAME *)lh_delete(names_lh,(char *)&on);
+        if (ret != NULL)
+                {
+                /* free things */
+                if ((names_free != NULL) && (sk_num(names_free) > type))
+                        {
+                        f=(void (*)())sk_value(names_free,type);
+                        f(ret->name,ret->type,ret->data);
+                        }
+                Free((char *)ret);
+                return(1);
+                }
+        else
+                return(0);
+        }
+
+static int free_type;
+
+static void names_lh_free(OBJ_NAME *onp, int type)
+{
+        if(onp == NULL)
+            return;
+
+        if ((free_type < 0) || (free_type == onp->type))
+                {
+                OBJ_NAME_remove(onp->name,onp->type);
+                }
+        }
+
+void OBJ_NAME_cleanup(int type)
+        {
+        unsigned long down_load;
+
+        if (names_lh == NULL) return;
+
+        free_type=type;
+        down_load=names_lh->down_load;
+        names_lh->down_load=0;
+
+        lh_doall(names_lh,names_lh_free);
+        if (type < 0)
+                {
+                lh_free(names_lh);
+                sk_free(names_hash);
+                sk_free(names_cmp);
+                sk_free(names_free);
+                names_lh=NULL;
+                names_hash=NULL;
+                names_cmp=NULL;
+                names_free=NULL;
+                }
+        else
+                names_lh->down_load=down_load;
+        }
+
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
new file mode 100644
index 0000000000..d73a51370f
--- /dev/null
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -0,0 +1,392 @@
+undef           0
+rsadsi          1
+pkcs            2
+md2             3
+md5             4
+rc4             5
+rsaEncryption           6
+md2WithRSAEncryption            7
+md5WithRSAEncryption            8
+pbeWithMD2AndDES_CBC            9
+pbeWithMD5AndDES_CBC            10
+X500            11
+X509            12
+commonName              13
+countryName             14
+localityName            15
+stateOrProvinceName             16
+organizationName                17
+organizationalUnitName          18
+rsa             19
+pkcs7           20
+pkcs7_data              21
+pkcs7_signed            22
+pkcs7_enveloped         23
+pkcs7_signedAndEnveloped                24
+pkcs7_digest            25
+pkcs7_encrypted         26
+pkcs3           27
+dhKeyAgreement          28
+des_ecb         29
+des_cfb64               30
+des_cbc         31
+des_ede         32
+des_ede3                33
+idea_cbc                34
+idea_cfb64              35
+idea_ecb                36
+rc2_cbc         37
+rc2_ecb         38
+rc2_cfb64               39
+rc2_ofb64               40
+sha             41
+shaWithRSAEncryption            42
+des_ede_cbc             43
+des_ede3_cbc            44
+des_ofb64               45
+idea_ofb64              46
+pkcs9           47
+pkcs9_emailAddress              48
+pkcs9_unstructuredName          49
+pkcs9_contentType               50
+pkcs9_messageDigest             51
+pkcs9_signingTime               52
+pkcs9_countersignature          53
+pkcs9_challengePassword         54
+pkcs9_unstructuredAddress               55
+pkcs9_extCertAttributes         56
+netscape                57
+netscape_cert_extension         58
+netscape_data_type              59
+des_ede_cfb64           60
+des_ede3_cfb64          61
+des_ede_ofb64           62
+des_ede3_ofb64          63
+sha1            64
+sha1WithRSAEncryption           65
+dsaWithSHA              66
+dsa_2           67
+pbeWithSHA1AndRC2_CBC           68
+id_pbkdf2               69
+dsaWithSHA1_2           70
+netscape_cert_type              71
+netscape_base_url               72
+netscape_revocation_url         73
+netscape_ca_revocation_url              74
+netscape_renewal_url            75
+netscape_ca_policy_url          76
+netscape_ssl_server_name                77
+netscape_comment                78
+netscape_cert_sequence          79
+desx_cbc                80
+id_ce           81
+subject_key_identifier          82
+key_usage               83
+private_key_usage_period                84
+subject_alt_name                85
+issuer_alt_name         86
+basic_constraints               87
+crl_number              88
+certificate_policies            89
+authority_key_identifier                90
+bf_cbc          91
+bf_ecb          92
+bf_cfb64                93
+bf_ofb64                94
+mdc2            95
+mdc2WithRSA             96
+rc4_40          97
+rc2_40_cbc              98
+givenName               99
+surname         100
+initials                101
+uniqueIdentifier                102
+crl_distribution_points         103
+md5WithRSA              104
+serialNumber            105
+title           106
+description             107
+cast5_cbc               108
+cast5_ecb               109
+cast5_cfb64             110
+cast5_ofb64             111
+pbeWithMD5AndCast5_CBC          112
+dsaWithSHA1             113
+md5_sha1                114
+sha1WithRSA             115
+dsa             116
+ripemd160               117
+ripemd160WithRSA                119
+rc5_cbc         120
+rc5_ecb         121
+rc5_cfb64               122
+rc5_ofb64               123
+rle_compression         124
+zlib_compression                125
+ext_key_usage           126
+id_pkix         127
+id_kp           128
+server_auth             129
+client_auth             130
+code_sign               131
+email_protect           132
+time_stamp              133
+ms_code_ind             134
+ms_code_com             135
+ms_ctl_sign             136
+ms_sgc          137
+ms_efs          138
+ns_sgc          139
+delta_crl               140
+crl_reason              141
+invalidity_date         142
+sxnet           143
+pbe_WithSHA1And128BitRC4                144
+pbe_WithSHA1And40BitRC4         145
+pbe_WithSHA1And3_Key_TripleDES_CBC              146
+pbe_WithSHA1And2_Key_TripleDES_CBC              147
+pbe_WithSHA1And128BitRC2_CBC            148
+pbe_WithSHA1And40BitRC2_CBC             149
+keyBag          150
+pkcs8ShroudedKeyBag             151
+certBag         152
+crlBag          153
+secretBag               154
+safeContentsBag         155
+friendlyName            156
+localKeyID              157
+x509Certificate         158
+sdsiCertificate         159
+x509Crl         160
+pbes2           161
+pbmac1          162
+hmacWithSHA1            163
+id_qt_cps               164
+id_qt_unotice           165
+rc2_64_cbc              166
+SMIMECapabilities               167
+pbeWithMD2AndRC2_CBC            168
+pbeWithMD5AndRC2_CBC            169
+pbeWithSHA1AndDES_CBC           170
+ms_ext_req              171
+ext_req         172
+name            173
+dnQualifier             174
+id_pe           175
+id_ad           176
+info_access             177
+ad_OCSP         178
+ad_ca_issuers           179
+OCSP_sign               180
+iso             181
+member_body             182
+ISO_US          183
+X9_57           184
+X9cm            185
+pkcs1           186
+pkcs5           187
+SMIME           188
+id_smime_mod            189
+id_smime_ct             190
+id_smime_aa             191
+id_smime_alg            192
+id_smime_cd             193
+id_smime_spq            194
+id_smime_cti            195
+id_smime_mod_cms                196
+id_smime_mod_ess                197
+id_smime_mod_oid                198
+id_smime_mod_msg_v3             199
+id_smime_mod_ets_eSignature_88          200
+id_smime_mod_ets_eSignature_97          201
+id_smime_mod_ets_eSigPolicy_88          202
+id_smime_mod_ets_eSigPolicy_97          203
+id_smime_ct_receipt             204
+id_smime_ct_authData            205
+id_smime_ct_publishCert         206
+id_smime_ct_TSTInfo             207
+id_smime_ct_TDTInfo             208
+id_smime_ct_contentInfo         209
+id_smime_ct_DVCSRequestData             210
+id_smime_ct_DVCSResponseData            211
+id_smime_aa_receiptRequest              212
+id_smime_aa_securityLabel               213
+id_smime_aa_mlExpandHistory             214
+id_smime_aa_contentHint         215
+id_smime_aa_msgSigDigest                216
+id_smime_aa_encapContentType            217
+id_smime_aa_contentIdentifier           218
+id_smime_aa_macValue            219
+id_smime_aa_equivalentLabels            220
+id_smime_aa_contentReference            221
+id_smime_aa_encrypKeyPref               222
+id_smime_aa_signingCertificate          223
+id_smime_aa_smimeEncryptCerts           224
+id_smime_aa_timeStampToken              225
+id_smime_aa_ets_sigPolicyId             226
+id_smime_aa_ets_commitmentType          227
+id_smime_aa_ets_signerLocation          228
+id_smime_aa_ets_signerAttr              229
+id_smime_aa_ets_otherSigCert            230
+id_smime_aa_ets_contentTimestamp                231
+id_smime_aa_ets_CertificateRefs         232
+id_smime_aa_ets_RevocationRefs          233
+id_smime_aa_ets_certValues              234
+id_smime_aa_ets_revocationValues                235
+id_smime_aa_ets_escTimeStamp            236
+id_smime_aa_ets_certCRLTimestamp                237
+id_smime_aa_ets_archiveTimeStamp                238
+id_smime_aa_signatureType               239
+id_smime_aa_dvcs_dvc            240
+id_smime_alg_ESDHwith3DES               241
+id_smime_alg_ESDHwithRC2                242
+id_smime_alg_3DESwrap           243
+id_smime_alg_RC2wrap            244
+id_smime_alg_ESDH               245
+id_smime_alg_CMS3DESwrap                246
+id_smime_alg_CMSRC2wrap         247
+id_smime_cd_ldap                248
+id_smime_spq_ets_sqt_uri                249
+id_smime_spq_ets_sqt_unotice            250
+id_smime_cti_ets_proofOfOrigin          251
+id_smime_cti_ets_proofOfReceipt         252
+id_smime_cti_ets_proofOfDelivery                253
+id_smime_cti_ets_proofOfSender          254
+id_smime_cti_ets_proofOfApproval                255
+id_smime_cti_ets_proofOfCreation                256
+md4             257
+id_pkix_mod             258
+id_qt           259
+id_it           260
+id_pkip         261
+id_alg          262
+id_cmc          263
+id_on           264
+id_pda          265
+id_aca          266
+id_qcs          267
+id_cct          268
+id_pkix1_explicit_88            269
+id_pkix1_implicit_88            270
+id_pkix1_explicit_93            271
+id_pkix1_implicit_93            272
+id_mod_crmf             273
+id_mod_cmc              274
+id_mod_kea_profile_88           275
+id_mod_kea_profile_93           276
+id_mod_cmp              277
+id_mod_qualified_cert_88                278
+id_mod_qualified_cert_93                279
+id_mod_attribute_cert           280
+id_mod_timestamp_protocol               281
+id_mod_ocsp             282
+id_mod_dvcs             283
+id_mod_cmp2000          284
+biometricInfo           285
+qcStatements            286
+ac_auditEntity          287
+ac_targeting            288
+aaControls              289
+sbqp_ipAddrBlock                290
+sbqp_autonomousSysNum           291
+sbqp_routerIdentifier           292
+textNotice              293
+ipsecEndSystem          294
+ipsecTunnel             295
+ipsecUser               296
+dvcs            297
+id_it_caProtEncCert             298
+id_it_signKeyPairTypes          299
+id_it_encKeyPairTypes           300
+id_it_preferredSymmAlg          301
+id_it_caKeyUpdateInfo           302
+id_it_currentCRL                303
+id_it_unsupportedOIDs           304
+id_it_subscriptionRequest               305
+id_it_subscriptionResponse              306
+id_it_keyPairParamReq           307
+id_it_keyPairParamRep           308
+id_it_revPassphrase             309
+id_it_implicitConfirm           310
+id_it_confirmWaitTime           311
+id_it_origPKIMessage            312
+id_regCtrl              313
+id_regInfo              314
+id_regCtrl_regToken             315
+id_regCtrl_authenticator                316
+id_regCtrl_pkiPublicationInfo           317
+id_regCtrl_pkiArchiveOptions            318
+id_regCtrl_oldCertID            319
+id_regCtrl_protocolEncrKey              320
+id_regInfo_utf8Pairs            321
+id_regInfo_certReq              322
+id_alg_des40            323
+id_alg_noSignature              324
+id_alg_dh_sig_hmac_sha1         325
+id_alg_dh_pop           326
+id_cmc_statusInfo               327
+id_cmc_identification           328
+id_cmc_identityProof            329
+id_cmc_dataReturn               330
+id_cmc_transactionId            331
+id_cmc_senderNonce              332
+id_cmc_recipientNonce           333
+id_cmc_addExtensions            334
+id_cmc_encryptedPOP             335
+id_cmc_decryptedPOP             336
+id_cmc_lraPOPWitness            337
+id_cmc_getCert          338
+id_cmc_getCRL           339
+id_cmc_revokeRequest            340
+id_cmc_regInfo          341
+id_cmc_responseInfo             342
+id_cmc_queryPending             343
+id_cmc_popLinkRandom            344
+id_cmc_popLinkWitness           345
+id_cmc_confirmCertAcceptance            346
+id_on_personalData              347
+id_pda_dateOfBirth              348
+id_pda_placeOfBirth             349
+id_pda_pseudonym                350
+id_pda_gender           351
+id_pda_countryOfCitizenship             352
+id_pda_countryOfResidence               353
+id_aca_authenticationInfo               354
+id_aca_accessIdentity           355
+id_aca_chargingIdentity         356
+id_aca_group            357
+id_aca_role             358
+id_qcs_pkixQCSyntax_v1          359
+id_cct_crs              360
+id_cct_PKIData          361
+id_cct_PKIResponse              362
+ad_timeStamping         363
+ad_dvcs         364
+id_pkix_OCSP_basic              365
+id_pkix_OCSP_Nonce              366
+id_pkix_OCSP_CrlID              367
+id_pkix_OCSP_acceptableResponses                368
+id_pkix_OCSP_noCheck            369
+id_pkix_OCSP_archiveCutoff              370
+id_pkix_OCSP_serviceLocator             371
+id_pkix_OCSP_extendedStatus             372
+id_pkix_OCSP_valid              373
+id_pkix_OCSP_path               374
+id_pkix_OCSP_trustRoot          375
+algorithm               376
+rsaSignature            377
+X500algorithms          378
+org             379
+dod             380
+iana            381
+Directory               382
+Management              383
+Experimental            384
+Private         385
+Security                386
+SNMPv2          387
+Mail            388
+Enterprises             389
+dcObject                390
+domainComponent         391
+Domain          392
diff --git a/src/lib/libcrypto/objects/objects.README b/src/lib/libcrypto/objects/objects.README
new file mode 100644
index 0000000000..4d745508d8
--- /dev/null
+++ b/src/lib/libcrypto/objects/objects.README
@@ -0,0 +1,44 @@
+objects.txt syntax
+------------------
+
+To cover all the naming hacks that were previously in objects.h needed some
+kind of hacks in objects.txt.
+
+The basic syntax for adding an object is as follows:
+
+        1 2 3 4         : shortName     : Long Name
+
+                If the long name doesn't contain spaces, or no short name
+                exists, the long name is used as basis for the base name
+                in C.  Otherwise, the short name is used.
+
+                The base name (let's call it 'base') will then be used to
+                create the C macros SN_base, LN_base, NID_base and OBJ_base.
+
+                Note that if the base name contains spaces, dashes or periods,
+                those will be converte to underscore.
+
+Then there are some extra commands:
+
+        !Alias foo 1 2 3 4
+
+                This juts makes a name foo for an OID.  The C macro
+                OBJ_foo will be created as a result.
+
+        !Cname foo
+
+                This makes sure that the name foo will be used as base name
+                in C.
+
+        !module foo
+        1 2 3 4         : shortName     : Long Name
+        !global
+
+                The !module command was meant to define a kind of modularity.
+                What it does is to make sure the module name is prepended
+                to the base name.  !global turns this off.  This construction
+                is not recursive.
+
+Lines starting with # are treated as comments, as well as any line starting
+with ! and not matching the commands above.
+
diff --git a/src/lib/libcrypto/objects/objects.pl b/src/lib/libcrypto/objects/objects.pl
new file mode 100644
index 0000000000..c956bbb841
--- /dev/null
+++ b/src/lib/libcrypto/objects/objects.pl
@@ -0,0 +1,224 @@
+#!/usr/local/bin/perl
+
+open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]";
+$max_nid=0;
+$o=0;
+while(<NUMIN>)
+        {
+        chop;
+        $o++;
+        s/#.*$//;
+        next if /^\s*$/;
+        ($Cname,$mynum) = split;
+        if (defined($nidn{$mynum}))
+                { die "$ARGV[1]:$o:There's already an object with NID ",$mynum," on line ",$order{$mynum},"\n"; }
+        $nid{$Cname} = $mynum;
+        $nidn{$mynum} = $Cname;
+        $order{$mynum} = $o;
+        $max_nid = $mynum if $mynum > $max_nid;
+        }
+close NUMIN;
+
+open (IN,"$ARGV[0]") || die "Can't open input file $ARGV[0]";
+$Cname="";
+$o=0;
+while (<IN>)
+        {
+        chop;
+        $o++;
+        if (/^!module\s+(.*)$/)
+                {
+                $module = $1."-";
+                $module =~ s/\./_/g;
+                $module =~ s/-/_/g;
+                }
+        if (/^!global$/)
+                { $module = ""; }
+        if (/^!Cname\s+(.*)$/)
+                { $Cname = $1; }
+        if (/^!Alias\s+(.+?)\s+(.*)$/)
+                {
+                $Cname = $module.$1;
+                $myoid = $2;
+                $myoid = &process_oid($myoid);
+                $Cname =~ s/-/_/g;
+                $ordern{$o} = $Cname;
+                $order{$Cname} = $o;
+                $obj{$Cname} = $myoid;
+                $_ = "";
+                $Cname = "";
+                }
+        s/!.*$//;
+        s/#.*$//;
+        next if /^\s*$/;
+        ($myoid,$mysn,$myln) = split ':';
+        $mysn =~ s/^\s*//;
+        $mysn =~ s/\s*$//;
+        $myln =~ s/^\s*//;
+        $myln =~ s/\s*$//;
+        $myoid =~ s/^\s*//;
+        $myoid =~ s/\s*$//;
+        if ($myoid ne "")
+                {
+                $myoid = &process_oid($myoid);
+                }
+
+        if ($Cname eq "" && !($myln =~ / /))
+                {
+                $Cname = $myln;
+                $Cname =~ s/\./_/g;
+                $Cname =~ s/-/_/g;
+                if ($Cname ne "" && defined($ln{$module.$Cname}))
+                        { die "objects.txt:$o:There's already an object with long name ",$ln{$module.$Cname}," on line ",$order{$module.$Cname},"\n"; }
+                }
+        if ($Cname eq "")
+                {
+                $Cname = $mysn;
+                $Cname =~ s/-/_/g;
+                if ($Cname ne "" && defined($sn{$module.$Cname}))
+                        { die "objects.txt:$o:There's already an object with short name ",$sn{$module.$Cname}," on line ",$order{$module.$Cname},"\n"; }
+                }
+        if ($Cname eq "")
+                {
+                $Cname = $myln;
+                $Cname =~ s/-/_/g;
+                $Cname =~ s/\./_/g;
+                $Cname =~ s/ /_/g;
+                if ($Cname ne "" && defined($ln{$module.$Cname}))
+                        { die "objects.txt:$o:There's already an object with long name ",$ln{$module.$Cname}," on line ",$order{$module.$Cname},"\n"; }
+                }
+        $Cname =~ s/\./_/g;
+        $Cname =~ s/-/_/g;
+        $Cname = $module.$Cname;
+        $ordern{$o} = $Cname;
+        $order{$Cname} = $o;
+        $sn{$Cname} = $mysn;
+        $ln{$Cname} = $myln;
+        $obj{$Cname} = $myoid;
+        if (!defined($nid{$Cname}))
+                {
+                $max_nid++;
+                $nid{$Cname} = $max_nid;
+                $nidn{$max_nid} = $Cname;
+                }
+        $Cname="";
+        }
+close IN;
+
+open (NUMOUT,">$ARGV[1]") || die "Can't open output file $ARGV[1]";
+foreach (sort { $a <=> $b } keys %nidn)
+        {
+        print NUMOUT $nidn{$_},"\t\t",$_,"\n";
+        }
+close NUMOUT;
+
+open (OUT,">$ARGV[2]") || die "Can't open output file $ARGV[2]";
+print OUT <<'EOF';
+/* lib/obj/obj_mac.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
+ * following command:
+ * perl objects.pl objects.txt obj_mac.num obj_mac.h
+ */
+
+#define SN_undef                        "UNDEF"
+#define LN_undef                        "undefined"
+#define NID_undef                       0
+#define OBJ_undef                       0L
+
+EOF
+
+foreach (sort { $a <=> $b } keys %ordern)
+        {
+        $Cname=$ordern{$_};
+        print OUT "#define SN_",$Cname,"\t\t\"",$sn{$Cname},"\"\n" if $sn{$Cname} ne "";
+        print OUT "#define LN_",$Cname,"\t\t\"",$ln{$Cname},"\"\n" if $ln{$Cname} ne "";
+        print OUT "#define NID_",$Cname,"\t\t",$nid{$Cname},"\n" if $nid{$Cname} ne "";
+        print OUT "#define OBJ_",$Cname,"\t\t",$obj{$Cname},"\n" if $obj{$Cname} ne "";
+        print OUT "\n";
+        }
+
+close OUT;
+
+sub process_oid
+        {
+        local($oid)=@_;
+        local(@a,$oid_pref);
+
+        @a = split(/\s+/,$myoid);
+        $pref_oid = "";
+        $pref_sep = "";
+        if (!($a[0] =~ /^[0-9]+$/))
+                {
+                $a[0] =~ s/-/_/g;
+                $pref_oid = "OBJ_" . $a[0];
+                $pref_sep = ",";
+                shift @a;
+                }
+        $oids = join('L,',@a) . "L";
+        if ($oids ne "L")
+                {
+                $oids = $pref_oid . $pref_sep . $oids;
+                }
+        else
+                {
+                $oids = $pref_oid;
+                }
+        return($oids);
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
new file mode 100644
index 0000000000..fab3c03182
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp.h
@@ -0,0 +1,619 @@
+/* ocsp.h */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_OCSP_H
+#define HEADER_OCSP_H
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Various flags and values */
+
+#define OCSP_DEFAULT_NONCE_LENGTH       16
+
+#define OCSP_NOCERTS                    0x1
+#define OCSP_NOINTERN                   0x2
+#define OCSP_NOSIGS                     0x4
+#define OCSP_NOCHAIN                    0x8
+#define OCSP_NOVERIFY                   0x10
+#define OCSP_NOEXPLICIT                 0x20
+#define OCSP_NOCASIGN                   0x40
+#define OCSP_NODELEGATED                0x80
+#define OCSP_NOCHECKS                   0x100
+#define OCSP_TRUSTOTHER                 0x200
+#define OCSP_RESPID_KEY                 0x400
+#define OCSP_NOTIME                     0x800
+
+/*   CertID ::= SEQUENCE {
+ *       hashAlgorithm            AlgorithmIdentifier,
+ *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+ *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
+ *       serialNumber       CertificateSerialNumber }
+ */
+typedef struct ocsp_cert_id_st
+        {
+        X509_ALGOR *hashAlgorithm;
+        ASN1_OCTET_STRING *issuerNameHash;
+        ASN1_OCTET_STRING *issuerKeyHash;
+        ASN1_INTEGER *serialNumber;
+        } OCSP_CERTID;
+
+DECLARE_STACK_OF(OCSP_CERTID)
+
+/*   Request ::=     SEQUENCE {
+ *       reqCert                    CertID,
+ *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_one_request_st
+        {
+        OCSP_CERTID *reqCert;
+        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
+        } OCSP_ONEREQ;
+
+DECLARE_STACK_OF(OCSP_ONEREQ)
+DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
+
+
+/*   TBSRequest      ::=     SEQUENCE {
+ *       version             [0] EXPLICIT Version DEFAULT v1,
+ *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+ *       requestList             SEQUENCE OF Request,
+ *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_req_info_st
+        {
+        ASN1_INTEGER *version;
+        GENERAL_NAME *requestorName;
+        STACK_OF(OCSP_ONEREQ) *requestList;
+        STACK_OF(X509_EXTENSION) *requestExtensions;
+        } OCSP_REQINFO;
+
+/*   Signature       ::=     SEQUENCE {
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING,
+ *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+typedef struct ocsp_signature_st
+        {
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+        } OCSP_SIGNATURE;
+
+/*   OCSPRequest     ::=     SEQUENCE {
+ *       tbsRequest                  TBSRequest,
+ *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+ */
+typedef struct ocsp_request_st
+        {
+        OCSP_REQINFO *tbsRequest;
+        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
+        } OCSP_REQUEST;
+
+/*   OCSPResponseStatus ::= ENUMERATED {
+ *       successful            (0),      --Response has valid confirmations
+ *       malformedRequest      (1),      --Illegal confirmation request
+ *       internalError         (2),      --Internal error in issuer
+ *       tryLater              (3),      --Try again later
+ *                                       --(4) is not used
+ *       sigRequired           (5),      --Must sign the request
+ *       unauthorized          (6)       --Request unauthorized
+ *   }
+ */
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
+#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
+#define OCSP_RESPONSE_STATUS_INTERNALERROR        2
+#define OCSP_RESPONSE_STATUS_TRYLATER             3
+#define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
+#define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
+
+/*   ResponseBytes ::=       SEQUENCE {
+ *       responseType   OBJECT IDENTIFIER,
+ *       response       OCTET STRING }
+ */
+typedef struct ocsp_resp_bytes_st
+        {
+        ASN1_OBJECT *responseType;
+        ASN1_OCTET_STRING *response;
+        } OCSP_RESPBYTES;
+
+/*   OCSPResponse ::= SEQUENCE {
+ *      responseStatus         OCSPResponseStatus,
+ *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+typedef struct ocsp_response_st
+        {
+        ASN1_ENUMERATED *responseStatus;
+        OCSP_RESPBYTES  *responseBytes;
+        } OCSP_RESPONSE;
+
+/*   ResponderID ::= CHOICE {
+ *      byName   [1] Name,
+ *      byKey    [2] KeyHash }
+ */
+#define V_OCSP_RESPID_NAME 0
+#define V_OCSP_RESPID_KEY  1
+typedef struct ocsp_responder_id_st
+        {
+        int type;
+        union   {
+                X509_NAME* byName;
+                ASN1_OCTET_STRING *byKey;
+                } value;
+        } OCSP_RESPID;
+/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ *                            --(excluding the tag and length fields)
+ */
+
+/*   RevokedInfo ::= SEQUENCE {
+ *       revocationTime              GeneralizedTime,
+ *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+ */
+typedef struct ocsp_revoked_info_st
+        {
+        ASN1_GENERALIZEDTIME *revocationTime;
+        ASN1_ENUMERATED *revocationReason;
+        } OCSP_REVOKEDINFO;
+
+/*   CertStatus ::= CHOICE {
+ *       good                [0]     IMPLICIT NULL,
+ *       revoked             [1]     IMPLICIT RevokedInfo,
+ *       unknown             [2]     IMPLICIT UnknownInfo }
+ */
+#define V_OCSP_CERTSTATUS_GOOD    0
+#define V_OCSP_CERTSTATUS_REVOKED 1
+#define V_OCSP_CERTSTATUS_UNKNOWN 2
+typedef struct ocsp_cert_status_st
+        {
+        int type;
+        union   {
+                ASN1_NULL *good;
+                OCSP_REVOKEDINFO *revoked;
+                ASN1_NULL *unknown;
+                } value;
+        } OCSP_CERTSTATUS;
+
+/*   SingleResponse ::= SEQUENCE {
+ *      certID                       CertID,
+ *      certStatus                   CertStatus,
+ *      thisUpdate                   GeneralizedTime,
+ *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+ *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_single_response_st
+        {
+        OCSP_CERTID *certId;
+        OCSP_CERTSTATUS *certStatus;
+        ASN1_GENERALIZEDTIME *thisUpdate;
+        ASN1_GENERALIZEDTIME *nextUpdate;
+        STACK_OF(X509_EXTENSION) *singleExtensions;
+        } OCSP_SINGLERESP;
+
+DECLARE_STACK_OF(OCSP_SINGLERESP)
+DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
+
+/*   ResponseData ::= SEQUENCE {
+ *      version              [0] EXPLICIT Version DEFAULT v1,
+ *      responderID              ResponderID,
+ *      producedAt               GeneralizedTime,
+ *      responses                SEQUENCE OF SingleResponse,
+ *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_response_data_st
+        {
+        ASN1_INTEGER *version;
+        OCSP_RESPID  *responderId;
+        ASN1_GENERALIZEDTIME *producedAt;
+        STACK_OF(OCSP_SINGLERESP) *responses;
+        STACK_OF(X509_EXTENSION) *responseExtensions;
+        } OCSP_RESPDATA;
+
+/*   BasicOCSPResponse       ::= SEQUENCE {
+ *      tbsResponseData      ResponseData,
+ *      signatureAlgorithm   AlgorithmIdentifier,
+ *      signature            BIT STRING,
+ *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+  /* Note 1:
+     The value for "signature" is specified in the OCSP rfc2560 as follows:
+     "The value for the signature SHALL be computed on the hash of the DER
+     encoding ResponseData."  This means that you must hash the DER-encoded
+     tbsResponseData, and then run it through a crypto-signing function, which
+     will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
+     a bit odd, but that's the spec.  Also note that the data structures do not
+     leave anywhere to independently specify the algorithm used for the initial
+     hash. So, we look at the signature-specification algorithm, and try to do
+     something intelligent.     -- Kathy Weinhold, CertCo */
+  /* Note 2:
+     It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
+     for interpretation.  I've done tests against another responder, and found
+     that it doesn't do the double hashing that the RFC seems to say one
+     should.  Therefore, all relevant functions take a flag saying which
+     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
+typedef struct ocsp_basic_response_st
+        {
+        OCSP_RESPDATA *tbsResponseData;
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+        } OCSP_BASICRESP;
+
+/*
+ *   CRLReason ::= ENUMERATED {
+ *        unspecified             (0),
+ *        keyCompromise           (1),
+ *        cACompromise            (2),
+ *        affiliationChanged      (3),
+ *        superseded              (4),
+ *        cessationOfOperation    (5),
+ *        certificateHold         (6),
+ *        removeFromCRL           (8) }
+ */
+#define OCSP_REVOKED_STATUS_NOSTATUS               -1
+#define OCSP_REVOKED_STATUS_UNSPECIFIED             0
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
+#define OCSP_REVOKED_STATUS_CACOMPROMISE            2
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
+#define OCSP_REVOKED_STATUS_SUPERSEDED              4
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+
+/* CrlID ::= SEQUENCE {
+ *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
+ *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
+ *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
+ */
+typedef struct ocsp_crl_id_st
+        {
+        ASN1_IA5STRING *crlUrl;
+        ASN1_INTEGER *crlNum;
+        ASN1_GENERALIZEDTIME *crlTime;
+        } OCSP_CRLID;
+
+/* ServiceLocator ::= SEQUENCE {
+ *      issuer    Name,
+ *      locator   AuthorityInfoAccessSyntax OPTIONAL }
+ */
+typedef struct ocsp_service_locator_st
+        {
+        X509_NAME* issuer;
+        STACK_OF(ACCESS_DESCRIPTION) *locator;
+        } OCSP_SERVICELOC;
+ 
+#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
+#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
+
+#define d2i_OCSP_REQUEST_bio(bp,p) (OCSP_REQUEST*)ASN1_d2i_bio((char*(*)()) \
+                OCSP_REQUEST_new,(char *(*)())d2i_OCSP_REQUEST, (bp),\
+                (unsigned char **)(p))
+
+#define d2i_OCSP_RESPONSE_bio(bp,p) (OCSP_RESPONSE*)ASN1_d2i_bio((char*(*)())\
+                OCSP_REQUEST_new,(char *(*)())d2i_OCSP_RESPONSE, (bp),\
+                (unsigned char **)(p))
+
+#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
+     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
+
+#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
+     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
+
+#define PEM_write_bio_OCSP_REQUEST(bp,o) \
+    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
+                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+
+#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
+    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
+                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+
+#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_RESPONSE,bp,\
+                (unsigned char *)o)
+
+#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_REQUEST,bp,\
+                (unsigned char *)o)
+
+#define OCSP_REQUEST_sign(o,pkey,md) \
+        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
+                o->optionalSignature->signatureAlgorithm,NULL,\
+                o->optionalSignature->signature,o->tbsRequest,pkey,md)
+
+#define OCSP_BASICRESP_sign(o,pkey,md,d) \
+        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
+                o->signature,o->tbsResponseData,pkey,md)
+
+#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
+        a->optionalSignature->signatureAlgorithm,\
+        a->optionalSignature->signature,a->tbsRequest,r)
+
+#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
+
+#define ASN1_BIT_STRING_digest(data,type,md,len) \
+        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
+
+#define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
+                (char *(*)())d2i_OCSP_CERTID,(char *)(cid))
+
+#define OCSP_CERTSTATUS_dup(cs)\
+                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+                (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
+
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
+
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+                              X509_NAME *issuerName, 
+                              ASN1_BIT_STRING* issuerKey, 
+                              ASN1_INTEGER *serialNumber);
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+                      X509           *signer,
+                      EVP_PKEY       *key,
+                      const EVP_MD   *dgst,
+                      STACK_OF(X509) *certs,
+                      unsigned long flags);
+
+int OCSP_response_status(OCSP_RESPONSE *resp);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
+
+int OCSP_resp_count(OCSP_BASICRESP *bs);
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+                                int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+                        ASN1_GENERALIZEDTIME *nextupd,
+                        long sec, long maxsec);
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                        ASN1_OCTET_STRING **pikeyHash,
+                        ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+int OCSP_request_is_signed(OCSP_REQUEST *req);
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                                OCSP_CERTID *cid,
+                                                int status, int reason,
+                                                ASN1_TIME *revtime,
+                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                        STACK_OF(X509) *certs, unsigned long flags);
+
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
+                                char *data, STACK_OF(ASN1_OBJECT) *sk);
+
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
+
+X509_EXTENSION *OCSP_accept_responses_new(char **oids);
+
+X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
+
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
+X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
+void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
+X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
+void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
+X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
+X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+
+DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
+DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
+DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
+DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
+DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
+DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
+DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
+DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
+DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
+DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
+
+char *OCSP_response_status_str(long s);
+char *OCSP_cert_status_str(long s);
+char *OCSP_crl_reason_str(long s);
+
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
+
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_OCSP_strings(void);
+
+/* Error codes for the OCSP functions. */
+
+/* Function codes. */
+#define OCSP_F_ASN1_STRING_ENCODE                        100
+#define OCSP_F_CERT_ID_NEW                               101
+#define OCSP_F_D2I_OCSP_NONCE                            102
+#define OCSP_F_OCSP_BASIC_ADD1_STATUS                    103
+#define OCSP_F_OCSP_BASIC_SIGN                           104
+#define OCSP_F_OCSP_BASIC_VERIFY                         105
+#define OCSP_F_OCSP_CHECK_DELEGATED                      106
+#define OCSP_F_OCSP_CHECK_IDS                            107
+#define OCSP_F_OCSP_CHECK_ISSUER                         108
+#define OCSP_F_OCSP_CHECK_VALIDITY                       115
+#define OCSP_F_OCSP_MATCH_ISSUERID                       109
+#define OCSP_F_OCSP_PARSE_URL                            114
+#define OCSP_F_OCSP_REQUEST_SIGN                         110
+#define OCSP_F_OCSP_REQUEST_VERIFY                       116
+#define OCSP_F_OCSP_RESPONSE_GET1_BASIC                  111
+#define OCSP_F_OCSP_SENDREQ_BIO                          112
+#define OCSP_F_REQUEST_VERIFY                            113
+
+/* Reason codes. */
+#define OCSP_R_BAD_DATA                                  100
+#define OCSP_R_CERTIFICATE_VERIFY_ERROR                  101
+#define OCSP_R_DIGEST_ERR                                102
+#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD                 122
+#define OCSP_R_ERROR_IN_THISUPDATE_FIELD                 123
+#define OCSP_R_ERROR_PARSING_URL                         121
+#define OCSP_R_MISSING_OCSPSIGNING_USAGE                 103
+#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE              124
+#define OCSP_R_NOT_BASIC_RESPONSE                        104
+#define OCSP_R_NO_CERTIFICATES_IN_CHAIN                  105
+#define OCSP_R_NO_CONTENT                                106
+#define OCSP_R_NO_PUBLIC_KEY                             107
+#define OCSP_R_NO_RESPONSE_DATA                          108
+#define OCSP_R_NO_REVOKED_TIME                           109
+#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE    110
+#define OCSP_R_REQUEST_NOT_SIGNED                        128
+#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA      111
+#define OCSP_R_ROOT_CA_NOT_TRUSTED                       112
+#define OCSP_R_SERVER_READ_ERROR                         113
+#define OCSP_R_SERVER_RESPONSE_ERROR                     114
+#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR               115
+#define OCSP_R_SERVER_WRITE_ERROR                        116
+#define OCSP_R_SIGNATURE_FAILURE                         117
+#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND              118
+#define OCSP_R_STATUS_EXPIRED                            125
+#define OCSP_R_STATUS_NOT_YET_VALID                      126
+#define OCSP_R_STATUS_TOO_OLD                            127
+#define OCSP_R_UNKNOWN_MESSAGE_DIGEST                    119
+#define OCSP_R_UNKNOWN_NID                               120
+#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE            129
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
new file mode 100644
index 0000000000..8c148cda6a
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_asn.c
@@ -0,0 +1,182 @@
+/* ocsp_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ocsp.h>
+
+ASN1_SEQUENCE(OCSP_SIGNATURE) = {
+        ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
+        ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0)
+} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+
+ASN1_SEQUENCE(OCSP_CERTID) = {
+        ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OCSP_CERTID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
+
+ASN1_SEQUENCE(OCSP_ONEREQ) = {
+        ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
+        ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
+} ASN1_SEQUENCE_END(OCSP_ONEREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_ONEREQ)
+
+ASN1_SEQUENCE(OCSP_REQINFO) = {
+        ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
+        ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
+        ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
+        ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
+} ASN1_SEQUENCE_END(OCSP_REQINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
+
+ASN1_SEQUENCE(OCSP_REQUEST) = {
+        ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
+        ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
+} ASN1_SEQUENCE_END(OCSP_REQUEST)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQUEST)
+
+/* OCSP_RESPONSE templates */
+
+ASN1_SEQUENCE(OCSP_RESPBYTES) = {
+            ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
+            ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPBYTES)
+
+ASN1_SEQUENCE(OCSP_RESPONSE) = {
+        ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
+        ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
+} ASN1_SEQUENCE_END(OCSP_RESPONSE)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
+
+ASN1_CHOICE(OCSP_RESPID) = {
+           ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
+           ASN1_IMP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
+} ASN1_CHOICE_END(OCSP_RESPID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
+
+ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
+        ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
+        ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
+} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
+
+ASN1_CHOICE(OCSP_CERTSTATUS) = {
+        ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
+        ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
+        ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
+} ASN1_CHOICE_END(OCSP_CERTSTATUS)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
+
+ASN1_SEQUENCE(OCSP_SINGLERESP) = {
+           ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
+           ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
+           ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
+           ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
+
+ASN1_SEQUENCE(OCSP_RESPDATA) = {
+           ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
+           ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
+           ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
+           ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(OCSP_RESPDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
+
+ASN1_SEQUENCE(OCSP_BASICRESP) = {
+           ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
+           ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
+           ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
+} ASN1_SEQUENCE_END(OCSP_BASICRESP)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_BASICRESP)
+
+ASN1_SEQUENCE(OCSP_CRLID) = {
+           ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
+           ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
+           ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
+} ASN1_SEQUENCE_END(OCSP_CRLID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CRLID)
+
+ASN1_SEQUENCE(OCSP_SERVICELOC) = {
+        ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
+        ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
+} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SERVICELOC)
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
new file mode 100644
index 0000000000..9b3e6dd8ca
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -0,0 +1,370 @@
+/* ocsp_cl.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP requests and extracting
+ * relevant information from the response.
+ */
+
+/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
+ * pointer: useful if we want to add extensions.
+ */
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+        {
+        OCSP_ONEREQ *one = NULL;
+
+        if (!(one = OCSP_ONEREQ_new())) goto err;
+        if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+        one->reqCert = cid;
+        if (req &&
+                !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+                                goto err;
+        return one;
+err:
+        OCSP_ONEREQ_free(one);
+        return NULL;
+        }
+
+/* Set requestorName from an X509_NAME structure */
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+        {
+        GENERAL_NAME *gen;
+        gen = GENERAL_NAME_new();
+        if (!X509_NAME_set(&gen->d.directoryName, nm))
+                {
+                GENERAL_NAME_free(gen);
+                return 0;
+                }
+        gen->type = GEN_DIRNAME;
+        if (req->tbsRequest->requestorName)
+                GENERAL_NAME_free(req->tbsRequest->requestorName);
+        req->tbsRequest->requestorName = gen;
+        return 1;
+        }
+        
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+        {
+        OCSP_SIGNATURE *sig;
+        if (!req->optionalSignature)
+                req->optionalSignature = OCSP_SIGNATURE_new();
+        sig = req->optionalSignature;
+        if (!sig) return 0;
+        if (!cert) return 1;
+        if (!sig->certs && !(sig->certs = sk_X509_new_null()))
+                return 0;
+
+        if(!sk_X509_push(sig->certs, cert)) return 0;
+        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        return 1;
+        }
+
+/* Sign an OCSP request set the requestorName to the subjec
+ * name of an optional signers certificate and include one
+ * or more optional certificates in the request. Behaves
+ * like PKCS7_sign().
+ */
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+                      X509           *signer,
+                      EVP_PKEY       *key,
+                      const EVP_MD   *dgst,
+                      STACK_OF(X509) *certs,
+                      unsigned long flags)
+        {
+        int i;
+        OCSP_SIGNATURE *sig;
+        X509 *x;
+
+        if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+                        goto err;
+
+        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
+        if (!dgst) dgst = EVP_sha1();
+        if (key)
+                {
+                if (!X509_check_private_key(signer, key))
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                        goto err;
+                        }
+                if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
+                }
+
+        if (!(flags & OCSP_NOCERTS))
+                {
+                if(!OCSP_request_add1_cert(req, signer)) goto err;
+                for (i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        x = sk_X509_value(certs, i);
+                        if (!OCSP_request_add1_cert(req, x)) goto err;
+                        }
+                }
+
+        return 1;
+err:
+        OCSP_SIGNATURE_free(req->optionalSignature);
+        req->optionalSignature = NULL;
+        return 0;
+        }
+
+/* Get response status */
+
+int OCSP_response_status(OCSP_RESPONSE *resp)
+        {
+        return ASN1_ENUMERATED_get(resp->responseStatus);
+        }
+
+/* Extract basic response from OCSP_RESPONSE or NULL if
+ * no basic response present.
+ */
+ 
+
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+        {
+        OCSP_RESPBYTES *rb;
+        rb = resp->responseBytes;
+        if (!rb)
+                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+                return NULL;
+                }
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+                return NULL;
+                }
+
+        return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
+        }
+
+/* Return number of OCSP_SINGLERESP reponses present in
+ * a basic response.
+ */
+
+int OCSP_resp_count(OCSP_BASICRESP *bs)
+        {
+        if (!bs) return -1;
+        return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
+        }
+
+/* Extract an OCSP_SINGLERESP response with a given index */
+
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+        {
+        if (!bs) return NULL;
+        return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
+        }
+
+/* Look single response matching a given certificate ID */
+
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+        {
+        int i;
+        STACK_OF(OCSP_SINGLERESP) *sresp;
+        OCSP_SINGLERESP *single;
+        if (!bs) return -1;
+        if (last < 0) last = 0;
+        else last++;
+        sresp = bs->tbsResponseData->responses;
+        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+                {
+                single = sk_OCSP_SINGLERESP_value(sresp, i);
+                if (!OCSP_id_cmp(id, single->certId)) return i;
+                }
+        return -1;
+        }
+
+/* Extract status information from an OCSP_SINGLERESP structure.
+ * Note: the revtime and reason values are only set if the 
+ * certificate status is revoked. Returns numerical value of
+ * status.
+ */
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd)
+        {
+        int ret;
+        OCSP_CERTSTATUS *cst;
+        if(!single) return -1;
+        cst = single->certStatus;
+        ret = cst->type;
+        if (ret == V_OCSP_CERTSTATUS_REVOKED)
+                {
+                OCSP_REVOKEDINFO *rev = cst->value.revoked;
+                if (revtime) *revtime = rev->revocationTime;
+                if (reason) 
+                        {
+                        if(rev->revocationReason)
+                                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
+                        else *reason = -1;
+                        }
+                }
+        if(thisupd) *thisupd = single->thisUpdate;
+        if(nextupd) *nextupd = single->nextUpdate;
+        return ret;
+        }
+
+/* This function combines the previous ones: look up a certificate ID and
+ * if found extract status information. Return 0 is successful.
+ */
+
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+                                int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd)
+        {
+        int i;
+        OCSP_SINGLERESP *single;
+        i = OCSP_resp_find(bs, id, -1);
+        /* Maybe check for multiple responses and give an error? */
+        if(i < 0) return 0;
+        single = OCSP_resp_get0(bs, i);
+        i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
+        if(status) *status = i;
+        return 1;
+        }
+
+/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
+ * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
+ * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
+ * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
+ * parameter specifies the maximum age the thisUpdate field can be.
+ */
+
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+        {
+        int ret = 1;
+        time_t t_now, t_tmp;
+        time(&t_now);
+        /* Check thisUpdate is valid and not more than nsec in the future */
+        if (!ASN1_GENERALIZEDTIME_check(thisupd))
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+                ret = 0;
+                }
+        else 
+                {
+                        t_tmp = t_now + nsec;
+                        if (X509_cmp_time(thisupd, &t_tmp) > 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
+                        ret = 0;
+                        }
+
+                /* If maxsec specified check thisUpdate is not more than maxsec in the past */
+                if (maxsec >= 0)
+                        {
+                        t_tmp = t_now - maxsec;
+                        if (X509_cmp_time(thisupd, &t_tmp) < 0)
+                                {
+                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+                                ret = 0;
+                                }
+                        }
+                }
+                
+
+        if (!nextupd) return ret;
+
+        /* Check nextUpdate is valid and not more than nsec in the past */
+        if (!ASN1_GENERALIZEDTIME_check(nextupd))
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+                ret = 0;
+                }
+        else 
+                {
+                t_tmp = t_now - nsec;
+                if (X509_cmp_time(nextupd, &t_tmp) < 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+                        ret = 0;
+                        }
+                }
+
+        /* Also don't allow nextUpdate to precede thisUpdate */
+        if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+                ret = 0;
+                }
+
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
new file mode 100644
index 0000000000..4c4d8306f8
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_err.c
@@ -0,0 +1,139 @@
+/* crypto/ocsp/ocsp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA OCSP_str_functs[]=
+        {
+{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0),       "ASN1_STRING_encode"},
+{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),      "CERT_ID_NEW"},
+{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),   "D2I_OCSP_NONCE"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),   "OCSP_basic_add1_status"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),  "OCSP_basic_sign"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),        "OCSP_basic_verify"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),     "OCSP_CHECK_DELEGATED"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),   "OCSP_CHECK_IDS"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),        "OCSP_CHECK_ISSUER"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0),      "OCSP_check_validity"},
+{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),      "OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0),   "OCSP_parse_url"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),        "OCSP_request_sign"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0),      "OCSP_request_verify"},
+{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
+{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
+{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),   "REQUEST_VERIFY"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA OCSP_str_reasons[]=
+        {
+{OCSP_R_BAD_DATA                         ,"bad data"},
+{OCSP_R_CERTIFICATE_VERIFY_ERROR         ,"certificate verify error"},
+{OCSP_R_DIGEST_ERR                       ,"digest err"},
+{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD        ,"error in nextupdate field"},
+{OCSP_R_ERROR_IN_THISUPDATE_FIELD        ,"error in thisupdate field"},
+{OCSP_R_ERROR_PARSING_URL                ,"error parsing url"},
+{OCSP_R_MISSING_OCSPSIGNING_USAGE        ,"missing ocspsigning usage"},
+{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE     ,"nextupdate before thisupdate"},
+{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
+{OCSP_R_NO_CERTIFICATES_IN_CHAIN         ,"no certificates in chain"},
+{OCSP_R_NO_CONTENT                       ,"no content"},
+{OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
+{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
+{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
+{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
+{OCSP_R_REQUEST_NOT_SIGNED               ,"request not signed"},
+{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
+{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
+{OCSP_R_SERVER_READ_ERROR                ,"server read error"},
+{OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
+{OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
+{OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
+{OCSP_R_SIGNATURE_FAILURE                ,"signature failure"},
+{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND     ,"signer certificate not found"},
+{OCSP_R_STATUS_EXPIRED                   ,"status expired"},
+{OCSP_R_STATUS_NOT_YET_VALID             ,"status not yet valid"},
+{OCSP_R_STATUS_TOO_OLD                   ,"status too old"},
+{OCSP_R_UNKNOWN_MESSAGE_DIGEST           ,"unknown message digest"},
+{OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
+{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE   ,"unsupported requestorname type"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_OCSP_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
+                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
new file mode 100644
index 0000000000..d6c8899f58
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -0,0 +1,528 @@
+/* ocsp_ext.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/ocsp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+/* Standard wrapper functions for extensions */
+
+/* OCSP request extensions */
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
+        {
+        return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
+        }
+
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
+        }
+
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
+        }
+
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+        {
+        return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+        {
+        return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
+        }
+
+void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
+        }
+
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
+        }
+
+/* Single extensions */
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
+        {
+        return(X509v3_get_ext_count(x->singleRequestExtensions));
+        }
+
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
+        }
+
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
+        }
+
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+        {
+        return(X509v3_get_ext(x->singleRequestExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+        {
+        return(X509v3_delete_ext(x->singleRequestExtensions,loc));
+        }
+
+void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
+        }
+
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
+        }
+
+/* OCSP Basic response */
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
+        {
+        return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
+        }
+
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
+        }
+
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
+        }
+
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+        {
+        return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
+        {
+        return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
+        }
+
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
+        }
+
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
+        }
+
+/* OCSP single response extensions */
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
+        {
+        return(X509v3_get_ext_count(x->singleExtensions));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+        {
+        return(X509v3_get_ext(x->singleExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+        {
+        return(X509v3_delete_ext(x->singleExtensions,loc));
+        }
+
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
+        }
+
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
+        }
+
+/* also CRL Entry Extensions */
+
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
+                                char *data, STACK_OF(ASN1_OBJECT) *sk)
+        {
+        int i;
+        unsigned char *p, *b = NULL;
+
+        if (data)
+                {
+                if ((i=i2d(data,NULL)) <= 0) goto err;
+                if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+                        goto err;
+                if (i2d(data, &p) <= 0) goto err;
+                }
+        else if (sk)
+                {
+                if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE,
+                                   V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err;
+                if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+                        goto err;
+                if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE,
+                                 V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err;
+                }
+        else
+                {
+                OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
+                goto err;
+                }
+        if (!s && !(s = ASN1_STRING_new())) goto err;
+        if (!(ASN1_STRING_set(s, b, i))) goto err;
+        OPENSSL_free(b);
+        return s;
+err:
+        if (b) OPENSSL_free(b);
+        return NULL;
+        }
+
+/* Nonce handling functions */
+
+/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
+ * a random nonce will be generated.
+ */
+
+static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+        {
+        unsigned char *tmpval;
+        ASN1_OCTET_STRING os;
+        int ret = 0;
+        if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+        if (val) tmpval = val;
+        else
+                {
+                if (!(tmpval = OPENSSL_malloc(len))) goto err;
+                RAND_pseudo_bytes(tmpval, len);
+                }
+        os.data = tmpval;
+        os.length = len;
+        if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
+                        &os, 0, X509V3_ADD_REPLACE))
+                                goto err;
+        ret = 1;
+        err:
+        if(!val) OPENSSL_free(tmpval);
+        return ret;
+        }
+
+
+/* Add nonce to an OCSP request */
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+        {
+        return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
+        }
+
+/* Same as above but for a response */
+
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+        {
+        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+        }
+
+/* Check nonce validity in a request and response.
+ * Return value reflects result:
+ *  1: nonces present and equal.
+ *  2: nonces both absent.
+ *  3: nonce present in response only.
+ *  0: nonces both present and not equal.
+ * -1: nonce in request only.
+ *
+ *  For most responders clients can check return > 0.
+ *  If responder doesn't handle nonces return != 0 may be
+ *  necessary. return == 0 is always an error.
+ */
+
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+        {
+        /*
+         * Since we are only interested in the presence or absence of
+         * the nonce and comparing its value there is no need to use
+         * the X509V3 routines: this way we can avoid them allocating an
+         * ASN1_OCTET_STRING structure for the value which would be
+         * freed immediately anyway.
+         */
+
+        int req_idx, resp_idx;
+        X509_EXTENSION *req_ext, *resp_ext;
+        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+        resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
+        /* Check both absent */
+        if((req_idx < 0) && (resp_idx < 0))
+                return 2;
+        /* Check in request only */
+        if((req_idx >= 0) && (resp_idx < 0))
+                return -1;
+        /* Check in response but not request */
+        if((req_idx < 0) && (resp_idx >= 0))
+                return 3;
+        /* Otherwise nonce in request and response so retrieve the extensions */
+        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+        resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
+        if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+                return 0;
+        return 1;
+        }
+
+/* Copy the nonce value (if any) from an OCSP request to 
+ * a response.
+ */
+
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
+        {
+        X509_EXTENSION *req_ext;
+        int req_idx;
+        /* Check for nonce in request */
+        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+        /* If no nonce that's OK */
+        if (req_idx < 0) return 2;
+        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+        return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
+        }
+
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
+        {
+        X509_EXTENSION *x = NULL;
+        OCSP_CRLID *cid = NULL;
+        
+        if (!(cid = OCSP_CRLID_new())) goto err;
+        if (url)
+                {
+                if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
+                if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
+                }
+        if (n)
+                {
+                if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
+                if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
+                }
+        if (tim)
+                {
+                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
+                if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) 
+                        goto err;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL)))
+                goto err;
+        OCSP_CRLID_free(cid);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (cid) OCSP_CRLID_free(cid);
+        return NULL;
+        }
+
+/*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
+X509_EXTENSION *OCSP_accept_responses_new(char **oids)
+        {
+        int nid;
+        STACK_OF(ASN1_OBJECT) *sk = NULL;
+        ASN1_OBJECT *o = NULL;
+        X509_EXTENSION *x = NULL;
+
+        if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
+        while (oids && *oids)
+                {
+                if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) 
+                        sk_ASN1_OBJECT_push(sk, o);
+                oids++;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
+                goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk)))
+                goto err;
+        sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        return NULL;
+        }
+
+/*  ArchiveCutoff ::= GeneralizedTime */
+X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
+        {
+        X509_EXTENSION *x=NULL;
+        ASN1_GENERALIZEDTIME *gt = NULL;
+
+        if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
+        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME,
+                                 (char*)gt,NULL))) goto err;
+        ASN1_GENERALIZEDTIME_free(gt);
+        return x;
+err:
+        if (gt) ASN1_GENERALIZEDTIME_free(gt);
+        if (x) X509_EXTENSION_free(x);
+        return NULL;
+        }
+
+/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
+ * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This
+ * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
+ */
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+        {
+        X509_EXTENSION *x = NULL;
+        ASN1_IA5STRING *ia5 = NULL;
+        OCSP_SERVICELOC *sloc = NULL;
+        ACCESS_DESCRIPTION *ad = NULL;
+        
+        if (!(sloc = OCSP_SERVICELOC_new())) goto err;
+        if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
+        if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
+        while (urls && *urls)
+                {
+                if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
+                if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
+                if (!(ad->location = GENERAL_NAME_new())) goto err;
+                if (!(ia5 = ASN1_IA5STRING_new())) goto err;
+                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
+                ad->location->type = GEN_URI;
+                ad->location->d.ia5 = ia5;
+                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
+                urls++;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) 
+                goto err;
+        if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC,
+                                 (char*)sloc, NULL))) goto err;
+        OCSP_SERVICELOC_free(sloc);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (sloc) OCSP_SERVICELOC_free(sloc);
+        return NULL;
+        }
+
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
new file mode 100644
index 0000000000..b78cd37092
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -0,0 +1,164 @@
+/* ocsp_ht.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/asn1.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <openssl/buffer.h>
+
+/* Quick and dirty HTTP OCSP request handler.
+ * Could make this a bit cleverer by adding
+ * support for non blocking BIOs and a few
+ * other refinements.
+ */
+
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+{
+        BIO *mem = NULL;
+        char tmpbuf[1024];
+        OCSP_RESPONSE *resp = NULL;
+        char *p, *q, *r;
+        int len, retcode;
+        static char req_txt[] =
+"POST %s HTTP/1.0\r\n\
+Content-Type: application/ocsp-request\r\n\
+Content-Length: %d\r\n\r\n";
+
+        len = i2d_OCSP_REQUEST(req, NULL);
+        if(BIO_printf(b, req_txt, path, len) < 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
+                goto err;
+        }
+        if(i2d_OCSP_REQUEST_bio(b, req) <= 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
+                goto err;
+        }
+        if(!(mem = BIO_new(BIO_s_mem()))) goto err;
+        /* Copy response to a memory BIO: socket bios can't do gets! */
+        while ((len = BIO_read(b, tmpbuf, 1024))) {
+                if(len < 0) {
+                        OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
+                        goto err;
+                }
+                BIO_write(mem, tmpbuf, len);
+        }
+        if(BIO_gets(mem, tmpbuf, 512) <= 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Parse the HTTP response. This will look like this:
+         * "HTTP/1.0 200 OK". We need to obtain the numeric code and
+         * informational message.
+         */
+
+        /* Skip to first white space (passed protocol info) */
+        for(p = tmpbuf; *p && !isspace((unsigned char)*p); p++) continue;
+        if(!*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Skip past white space to start of response code */
+        while(*p && isspace((unsigned char)*p)) p++;
+        if(!*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Find end of response code: first whitespace after start of code */
+        for(q = p; *q && !isspace((unsigned char)*q); q++) continue;
+        if(!*q) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Set end of response code and start of message */ 
+        *q++ = 0;
+        /* Attempt to parse numeric code */
+        retcode = strtoul(p, &r, 10);
+        if(*r) goto err;
+        /* Skip over any leading white space in message */
+        while(*q && isspace((unsigned char)*q))  q++;
+        if(!*q) goto err;
+        /* Finally zap any trailing white space in message (include CRLF) */
+        /* We know q has a non white space character so this is OK */
+        for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+        if(retcode != 200) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
+                ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                goto err;
+        }
+        /* Find blank line marking beginning of content */      
+        while(BIO_gets(mem, tmpbuf, 512) > 0)
+        {
+                for(p = tmpbuf; *p && isspace((unsigned char)*p); p++) continue;
+                if(!*p) break;
+        }
+        if(*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_NO_CONTENT);
+                goto err;
+        }
+        if(!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+        }
+        err:
+        BIO_free(mem);
+        return resp;
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
new file mode 100644
index 0000000000..3875af165c
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -0,0 +1,261 @@
+/* ocsp_lib.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Convert a certificate and its issuer to an OCSP_CERTID */
+
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+{
+        X509_NAME *iname;
+        ASN1_INTEGER *serial;
+        ASN1_BIT_STRING *ikey;
+#ifndef OPENSSL_NO_SHA1
+        if(!dgst) dgst = EVP_sha1();
+#endif
+        if (subject)
+                {
+                iname = X509_get_issuer_name(subject);
+                serial = X509_get_serialNumber(subject);
+                }
+        else
+                {
+                iname = X509_get_subject_name(issuer);
+                serial = NULL;
+                }
+        ikey = X509_get0_pubkey_bitstr(issuer);
+        return OCSP_cert_id_new(dgst, iname, ikey, serial);
+}
+
+
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+                              X509_NAME *issuerName, 
+                              ASN1_BIT_STRING* issuerKey, 
+                              ASN1_INTEGER *serialNumber)
+        {
+        int nid;
+        unsigned int i;
+        X509_ALGOR *alg;
+        OCSP_CERTID *cid = NULL;
+        unsigned char md[EVP_MAX_MD_SIZE];
+
+        if (!(cid = OCSP_CERTID_new())) goto err;
+
+        alg = cid->hashAlgorithm;
+        if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
+        if ((nid = EVP_MD_type(dgst)) == NID_undef)
+                {
+                OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+                goto err;
+                }
+        if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
+        if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
+        alg->parameter->type=V_ASN1_NULL;
+
+        if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
+
+        /* Calculate the issuerKey hash, excluding tag and length */
+        EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
+
+        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
+
+        if (serialNumber)
+                {
+                ASN1_INTEGER_free(cid->serialNumber);
+                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+                }
+        return cid;
+digerr:
+        OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+err:
+        if (cid) OCSP_CERTID_free(cid);
+        return NULL;
+        }
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+        {
+        int ret;
+        ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
+        if (ret) return ret;
+        ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
+        if (ret) return ret;
+        return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+        }
+
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+        {
+        int ret;
+        ret = OCSP_id_issuer_cmp(a, b);
+        if (ret) return ret;
+        return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
+        }
+
+
+/* Parse a URL and split it up into host, port and path components and whether
+ * it is SSL.
+ */
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+        {
+        char *p, *buf;
+
+        char *host, *port;
+
+        /* dup the buffer since we are going to mess with it */
+        buf = BUF_strdup(url);
+        if (!buf) goto mem_err;
+
+        *phost = NULL;
+        *pport = NULL;
+        *ppath = NULL;
+
+        /* Check for initial colon */
+        p = strchr(buf, ':');
+
+        if (!p) goto parse_err;
+
+        *(p++) = '\0';
+
+        if (!strcmp(buf, "http"))
+                {
+                *pssl = 0;
+                port = "80";
+                }
+        else if (!strcmp(buf, "https"))
+                {
+                *pssl = 1;
+                port = "443";
+                }
+        else
+                goto parse_err;
+
+        /* Check for double slash */
+        if ((p[0] != '/') || (p[1] != '/'))
+                goto parse_err;
+
+        p += 2;
+
+        host = p;
+
+        /* Check for trailing part of path */
+
+        p = strchr(p, '/');
+
+        if (!p) 
+                *ppath = BUF_strdup("/");
+        else
+                {
+                *ppath = BUF_strdup(p);
+                /* Set start of path to 0 so hostname is valid */
+                *p = '\0';
+                }
+
+        if (!*ppath) goto mem_err;
+
+        /* Look for optional ':' for port number */
+        if ((p = strchr(host, ':')))
+                {
+                *p = 0;
+                port = p + 1;
+                }
+        else
+                {
+                /* Not found: set default port */
+                if (*pssl) port = "443";
+                else port = "80";
+                }
+
+        *pport = BUF_strdup(port);
+        if (!*pport) goto mem_err;
+
+        *phost = BUF_strdup(host);
+
+        if (!*phost) goto mem_err;
+
+        OPENSSL_free(buf);
+
+        return 1;
+
+        mem_err:
+        OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
+        goto err;
+
+        parse_err:
+        OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+
+
+        err:
+        if (*ppath) OPENSSL_free(*ppath);
+        if (*pport) OPENSSL_free(*pport);
+        if (*phost) OPENSSL_free(*phost);
+        return 0;
+
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
new file mode 100644
index 0000000000..4b7bc28769
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -0,0 +1,291 @@
+/* ocsp_prn.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was originally part of ocsp.c and was transfered to Richard
+   Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
+   in OpenSSL or released as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+#include <openssl/pem.h>
+
+static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+        {
+        BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
+        indent += 2;
+        BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
+        i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
+        BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
+        i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
+        BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+        i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
+        BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
+        i2a_ASN1_INTEGER(bp, a->serialNumber);
+        BIO_printf(bp, "\n");
+        return 1;
+        }
+
+typedef struct
+        {
+        long t;
+        char *m;
+        } OCSP_TBLSTR;
+
+static char *table2string(long s, OCSP_TBLSTR *ts, int len)
+{
+        OCSP_TBLSTR *p;
+        for (p=ts; p < ts + len; p++)
+                if (p->t == s)
+                         return p->m;
+        return "(UNKNOWN)";
+}
+
+char *OCSP_response_status_str(long s)
+        {
+        static OCSP_TBLSTR rstat_tbl[] = {
+                { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
+                { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
+                { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
+                { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
+                { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
+                { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
+        return table2string(s, rstat_tbl, 6);
+        } 
+
+char *OCSP_cert_status_str(long s)
+        {
+        static OCSP_TBLSTR cstat_tbl[] = {
+                { V_OCSP_CERTSTATUS_GOOD, "good" },
+                { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
+                { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
+        return table2string(s, cstat_tbl, 3);
+        } 
+
+char *OCSP_crl_reason_str(long s)
+        {
+        OCSP_TBLSTR reason_tbl[] = {
+          { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
+          { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
+          { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
+          { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
+          { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
+          { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
+          { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
+          { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
+        return table2string(s, reason_tbl, 8);
+        } 
+
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+        {
+        int i;
+        long l;
+        OCSP_CERTID* cid = NULL;
+        OCSP_ONEREQ *one = NULL;
+        OCSP_REQINFO *inf = o->tbsRequest;
+        OCSP_SIGNATURE *sig = o->optionalSignature;
+
+        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
+        l=ASN1_INTEGER_get(inf->version);
+        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
+        if (inf->requestorName != NULL)
+                {
+                if (BIO_write(bp,"\n    Requestor Name: ",21) <= 0) 
+                        goto err;
+                GENERAL_NAME_print(bp, inf->requestorName);
+                }
+        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0) goto err;
+        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
+                {
+                one = sk_OCSP_ONEREQ_value(inf->requestList, i);
+                cid = one->reqCert;
+                ocsp_certid_print(bp, cid, 8);
+                if (!X509V3_extensions_print(bp,
+                                        "Request Single Extensions",
+                                        one->singleRequestExtensions, flags, 8))
+                                                        goto err;
+                }
+        if (!X509V3_extensions_print(bp, "Request Extensions",
+                        inf->requestExtensions, flags, 4))
+                                                        goto err;
+        if (sig)
+                {
+                X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
+                for (i=0; i<sk_X509_num(sig->certs); i++)
+                        {
+                        X509_print(bp, sk_X509_value(sig->certs,i));
+                        PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
+                        }
+                }
+        return 1;
+err:
+        return 0;
+        }
+
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+        {
+        int i, ret = 0;
+        long l;
+        unsigned char *p;
+        OCSP_CERTID *cid = NULL;
+        OCSP_BASICRESP *br = NULL;
+        OCSP_RESPID *rid = NULL;
+        OCSP_RESPDATA  *rd = NULL;
+        OCSP_CERTSTATUS *cst = NULL;
+        OCSP_REVOKEDINFO *rev = NULL;
+        OCSP_SINGLERESP *single = NULL;
+        OCSP_RESPBYTES *rb = o->responseBytes;
+
+        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
+        l=ASN1_ENUMERATED_get(o->responseStatus);
+        if (BIO_printf(bp,"    OCSP Response Status: %s (0x%x)\n",
+                       OCSP_response_status_str(l), l) <= 0) goto err;
+        if (rb == NULL) return 1;
+        if (BIO_puts(bp,"    Response Type: ") <= 0)
+                goto err;
+        if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
+                goto err;
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
+                {
+                BIO_puts(bp," (unknown response type)\n");
+                return 1;
+                }
+
+        p = ASN1_STRING_data(rb->response);
+        i = ASN1_STRING_length(rb->response);
+        if (!(br = OCSP_response_get1_basic(o))) goto err;
+        rd = br->tbsResponseData;
+        l=ASN1_INTEGER_get(rd->version);
+        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n",
+                       l+1,l) <= 0) goto err;
+        if (BIO_puts(bp,"    Responder Id: ") <= 0) goto err;
+
+        rid =  rd->responderId;
+        switch (rid->type)
+                {
+                case V_OCSP_RESPID_NAME:
+                        X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
+                        break;
+                case V_OCSP_RESPID_KEY:
+                        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
+                        break;
+                }
+
+        if (BIO_printf(bp,"\n    Produced At: ")<=0) goto err;
+        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
+        if (BIO_printf(bp,"\n    Responses:\n") <= 0) goto err;
+        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
+                {
+                if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
+                single = sk_OCSP_SINGLERESP_value(rd->responses, i);
+                cid = single->certId;
+                if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
+                cst = single->certStatus;
+                if (BIO_printf(bp,"    Cert Status: %s",
+                               OCSP_cert_status_str(cst->type)) <= 0)
+                        goto err;
+                if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
+                        {
+                        rev = cst->value.revoked;
+                        if (BIO_printf(bp, "\n    Revocation Time: ") <= 0) 
+                                goto err;
+                        if (!ASN1_GENERALIZEDTIME_print(bp, 
+                                                        rev->revocationTime)) 
+                                goto err;
+                        if (rev->revocationReason) 
+                                {
+                                l=ASN1_ENUMERATED_get(rev->revocationReason);
+                                if (BIO_printf(bp, 
+                                         "\n    Revocation Reason: %s (0x%x)",
+                                               OCSP_crl_reason_str(l), l) <= 0)
+                                        goto err;
+                                }
+                        }
+                if (BIO_printf(bp,"\n    This Update: ") <= 0) goto err;
+                if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) 
+                        goto err;
+                if (single->nextUpdate)
+                        {
+                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)goto err;
+                        if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
+                                goto err;
+                        }
+                if (!BIO_write(bp,"\n",1)) goto err;
+                if (!X509V3_extensions_print(bp,
+                                        "Response Single Extensions",
+                                        single->singleExtensions, flags, 8))
+                                                        goto err;
+                if (!BIO_write(bp,"\n",1)) goto err;
+                }
+        if (!X509V3_extensions_print(bp, "Response Extensions",
+                                        rd->responseExtensions, flags, 4))
+        if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
+                                                        goto err;
+
+        for (i=0; i<sk_X509_num(br->certs); i++)
+                {
+                X509_print(bp, sk_X509_value(br->certs,i));
+                PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
+                }
+
+        ret = 1;
+err:
+        OCSP_BASICRESP_free(br);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
new file mode 100644
index 0000000000..fffa134e75
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -0,0 +1,264 @@
+/* ocsp_srv.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP responses and extracting
+ * relevant information from the request.
+ */
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req)
+        {
+        return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
+        }
+
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+        {
+        return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
+        }
+
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+        {
+        return one->reqCert;
+        }
+
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                        ASN1_OCTET_STRING **pikeyHash,
+                        ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+        {
+        if (!cid) return 0;
+        if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+        if(piNameHash) *piNameHash = cid->issuerNameHash;
+        if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+        if (pserial) *pserial = cid->serialNumber;
+        return 1;
+        }
+
+int OCSP_request_is_signed(OCSP_REQUEST *req)
+        {
+        if(req->optionalSignature) return 1;
+        return 0;
+        }
+
+/* Create an OCSP response and encode an optional basic response */
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+        {
+        OCSP_RESPONSE *rsp = NULL;
+
+        if (!(rsp = OCSP_RESPONSE_new())) goto err;
+        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+        if (!bs) return rsp;
+        if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+        rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
+        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
+                                goto err;
+        return rsp;
+err:
+        if (rsp) OCSP_RESPONSE_free(rsp);
+        return NULL;
+        }
+
+
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                                OCSP_CERTID *cid,
+                                                int status, int reason,
+                                                ASN1_TIME *revtime,
+                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+        {
+        OCSP_SINGLERESP *single = NULL;
+        OCSP_CERTSTATUS *cs;
+        OCSP_REVOKEDINFO *ri;
+
+        if(!rsp->tbsResponseData->responses &&
+            !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
+                goto err;
+
+        if (!(single = OCSP_SINGLERESP_new()))
+                goto err;
+
+
+
+        if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
+                goto err;
+        if (nextupd &&
+                !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+                goto err;
+
+        OCSP_CERTID_free(single->certId);
+
+        if(!(single->certId = OCSP_CERTID_dup(cid)))
+                goto err;
+
+        cs = single->certStatus;
+        switch(cs->type = status)
+                {
+        case V_OCSP_CERTSTATUS_REVOKED:
+                if (!revtime)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+                        goto err;
+                        }
+                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
+                if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
+                        goto err;       
+                if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+                        {
+                        if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
+                                goto err;
+                        if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+                                                  reason)))
+                                goto err;       
+                        }
+                break;
+
+        case V_OCSP_CERTSTATUS_GOOD:
+                cs->value.good = ASN1_NULL_new();
+                break;
+
+        case V_OCSP_CERTSTATUS_UNKNOWN:
+                cs->value.unknown = ASN1_NULL_new();
+                break;
+
+        default:
+                goto err;
+
+                }
+        if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
+                goto err;
+        return single;
+err:
+        OCSP_SINGLERESP_free(single);
+        return NULL;
+        }
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+        {
+        if (!resp->certs && !(resp->certs = sk_X509_new_null()))
+                return 0;
+
+        if(!sk_X509_push(resp->certs, cert)) return 0;
+        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        return 1;
+        }
+
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                        STACK_OF(X509) *certs, unsigned long flags)
+        {
+        int i;
+        OCSP_RESPID *rid;
+
+        if (!X509_check_private_key(signer, key))
+                {
+                OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                goto err;
+                }
+
+        if(!(flags & OCSP_NOCERTS))
+                {
+                if(!OCSP_basic_add1_cert(brsp, signer))
+                        goto err;
+                for (i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        X509 *tmpcert = sk_X509_value(certs, i);
+                        if(!OCSP_basic_add1_cert(brsp, tmpcert))
+                                goto err;
+                        }
+                }
+
+        rid = brsp->tbsResponseData->responderId;
+        if (flags & OCSP_RESPID_KEY)
+                {
+                unsigned char md[SHA_DIGEST_LENGTH];
+                X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+                if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
+                        goto err;
+                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+                                goto err;
+                rid->type = V_OCSP_RESPID_KEY;
+                }
+        else
+                {
+                if (!X509_NAME_set(&rid->value.byName,
+                                        X509_get_subject_name(signer)))
+                                goto err;
+                rid->type = V_OCSP_RESPID_NAME;
+                }
+
+        if (!(flags & OCSP_NOTIME) &&
+                !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+                goto err;
+
+        /* Right now, I think that not doing double hashing is the right
+           thing.       -- Richard Levitte */
+
+        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+
+        return 1;
+err:
+        return 0;
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
new file mode 100644
index 0000000000..1f5fda7ca3
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -0,0 +1,444 @@
+/* ocsp_vfy.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <string.h>
+
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
+static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
+static int ocsp_check_delegated(X509 *x, int flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+
+/* Verify a basic response message */
+
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer, *x;
+        STACK_OF(X509) *chain = NULL;
+        X509_STORE_CTX ctx;
+        int i, ret = 0;
+        ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+        if (!ret)
+                {
+                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                goto end;
+                }
+        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+                flags |= OCSP_NOVERIFY;
+        if (!(flags & OCSP_NOSIGS))
+                {
+                EVP_PKEY *skey;
+                skey = X509_get_pubkey(signer);
+                ret = OCSP_BASICRESP_verify(bs, skey, 0);
+                EVP_PKEY_free(skey);
+                if(ret <= 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                        goto end;
+                        }
+                }
+        if (!(flags & OCSP_NOVERIFY))
+                {
+                int init_res;
+                if(flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
+                else
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                if(!init_res)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                        goto end;
+                        }
+
+                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                ret = X509_verify_cert(&ctx);
+                chain = X509_STORE_CTX_get1_chain(&ctx);
+                X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                        {
+                        i = X509_STORE_CTX_get_error(&ctx);     
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                        X509_verify_cert_error_string(i));
+                        goto end;
+                        }
+                if(flags & OCSP_NOCHECKS)
+                        {
+                        ret = 1;
+                        goto end;
+                        }
+                /* At this point we have a valid certificate chain
+                 * need to verify it against the OCSP issuer criteria.
+                 */
+                ret = ocsp_check_issuer(bs, chain, flags);
+
+                /* If fatal error or valid match then finish */
+                if (ret != 0) goto end;
+
+                /* Easy case: explicitly trusted. Get root CA and
+                 * check for explicit trust
+                 */
+                if(flags & OCSP_NOEXPLICIT) goto end;
+
+                x = sk_X509_value(chain, sk_X509_num(chain) - 1);
+                if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+                        goto end;
+                        }
+                ret = 1;
+                }
+
+
+
+        end:
+        if(chain) sk_X509_pop_free(chain, X509_free);
+        return ret;
+        }
+
+
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer;
+        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+        if ((signer = ocsp_find_signer_sk(certs, rid)))
+                {
+                *psigner = signer;
+                return 2;
+                }
+        if(!(flags & OCSP_NOINTERN) &&
+            (signer = ocsp_find_signer_sk(bs->certs, rid)))
+                {
+                *psigner = signer;
+                return 1;
+                }
+        /* Maybe lookup from store if by subject name */
+
+        *psigner = NULL;
+        return 0;
+        }
+
+
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+        {
+        int i;
+        unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+        X509 *x;
+
+        /* Easy if lookup by name */
+        if (id->type == V_OCSP_RESPID_NAME)
+                return X509_find_by_subject(certs, id->value.byName);
+
+        /* Lookup by key hash */
+
+        /* If key hash isn't SHA1 length then forget it */
+        if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
+        keyhash = id->value.byKey->data;
+        /* Calculate hash of each key and compare */
+        for (i = 0; i < sk_X509_num(certs); i++)
+                {
+                x = sk_X509_value(certs, i);
+                X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
+                if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
+                        return x;
+                }
+        return NULL;
+        }
+
+
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
+        {
+        STACK_OF(OCSP_SINGLERESP) *sresp;
+        X509 *signer, *sca;
+        OCSP_CERTID *caid = NULL;
+        int i;
+        sresp = bs->tbsResponseData->responses;
+
+        if (sk_X509_num(chain) <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+                return -1;
+                }
+
+        /* See if the issuer IDs match. */
+        i = ocsp_check_ids(sresp, &caid);
+
+        /* If ID mismatch or other error then return */
+        if (i <= 0) return i;
+
+        signer = sk_X509_value(chain, 0);
+        /* Check to see if OCSP responder CA matches request CA */
+        if (sk_X509_num(chain) > 1)
+                {
+                sca = sk_X509_value(chain, 1);
+                i = ocsp_match_issuerid(sca, caid, sresp);
+                if (i < 0) return i;
+                if (i)
+                        {
+                        /* We have a match, if extensions OK then success */
+                        if (ocsp_check_delegated(signer, flags)) return 1;
+                        return 0;
+                        }
+                }
+
+        /* Otherwise check if OCSP request signed directly by request CA */
+        return ocsp_match_issuerid(signer, caid, sresp);
+        }
+
+
+/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
+ * algorithm then there's no point trying to match any certificates against the issuer.
+ * If the issuer IDs all match then we just need to check equality against one of them.
+ */
+        
+static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
+        {
+        OCSP_CERTID *tmpid, *cid;
+        int i, idcount;
+
+        idcount = sk_OCSP_SINGLERESP_num(sresp);
+        if (idcount <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+                return -1;
+                }
+
+        cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+
+        *ret = NULL;
+
+        for (i = 1; i < idcount; i++)
+                {
+                tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                /* Check to see if IDs match */
+                if (OCSP_id_issuer_cmp(cid, tmpid))
+                        {
+                        /* If algoritm mismatch let caller deal with it */
+                        if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
+                                        cid->hashAlgorithm->algorithm))
+                                        return 2;
+                        /* Else mismatch */
+                        return 0;
+                        }
+                }
+
+        /* All IDs match: only need to check one ID */
+        *ret = cid;
+        return 1;
+        }
+
+
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+                        STACK_OF(OCSP_SINGLERESP) *sresp)
+        {
+        /* If only one ID to match then do it */
+        if(cid)
+                {
+                const EVP_MD *dgst;
+                X509_NAME *iname;
+                int mdlen;
+                unsigned char md[EVP_MAX_MD_SIZE];
+                if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
+                        {
+                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+                        return -1;
+                        }
+
+                mdlen = EVP_MD_size(dgst);
+                if ((cid->issuerNameHash->length != mdlen) ||
+                   (cid->issuerKeyHash->length != mdlen))
+                        return 0;
+                iname = X509_get_subject_name(cert);
+                if (!X509_NAME_digest(iname, dgst, md, NULL))
+                        return -1;
+                if (memcmp(md, cid->issuerNameHash->data, mdlen))
+                        return 0;
+                X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
+                if (memcmp(md, cid->issuerKeyHash->data, mdlen))
+                        return 0;
+
+                return 1;
+
+                }
+        else
+                {
+                /* We have to match the whole lot */
+                int i, ret;
+                OCSP_CERTID *tmpid;
+                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+                        {
+                        tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                        ret = ocsp_match_issuerid(cert, tmpid, NULL);
+                        if (ret <= 0) return ret;
+                        }
+                return 1;
+                }
+                        
+        }
+
+static int ocsp_check_delegated(X509 *x, int flags)
+        {
+        X509_check_purpose(x, -1, 0);
+        if ((x->ex_flags & EXFLAG_XKUSAGE) &&
+            (x->ex_xkusage & XKU_OCSP_SIGN))
+                return 1;
+        OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
+        return 0;
+        }
+
+/* Verify an OCSP request. This is fortunately much easier than OCSP
+ * response verify. Just find the signers certificate and verify it
+ * against a given trust value.
+ */
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+        {
+        X509 *signer;
+        X509_NAME *nm;
+        GENERAL_NAME *gen;
+        int ret;
+        X509_STORE_CTX ctx;
+        if (!req->optionalSignature) 
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+                return 0;
+                }
+        gen = req->tbsRequest->requestorName;
+        if (gen->type != GEN_DIRNAME)
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+                return 0;
+                }
+        nm = gen->d.directoryName;
+        ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
+        if (ret <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                return 0;
+                }
+        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+                flags |= OCSP_NOVERIFY;
+        if (!(flags & OCSP_NOSIGS))
+                {
+                EVP_PKEY *skey;
+                skey = X509_get_pubkey(signer);
+                ret = OCSP_REQUEST_verify(req, skey);
+                EVP_PKEY_free(skey);
+                if(ret <= 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                        return 0;
+                        }
+                }
+        if (!(flags & OCSP_NOVERIFY))
+                {
+                int init_res;
+                if(flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+                else
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                                        req->optionalSignature->certs);
+                if(!init_res)
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
+                        return 0;
+                        }
+
+                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+                ret = X509_verify_cert(&ctx);
+                X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                        {
+                        ret = X509_STORE_CTX_get_error(&ctx);   
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                        X509_verify_cert_error_string(ret));
+                        return 0;
+                        }
+                }
+        return 1;
+        }
+
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer;
+        if(!(flags & OCSP_NOINTERN))
+                {
+                signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+                *psigner = signer;
+                return 1;
+                }
+
+        signer = X509_find_by_subject(certs, nm);
+        if (signer)
+                {
+                *psigner = signer;
+                return 2;
+                }
+        return 0;
+        }
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
new file mode 100644
index 0000000000..b841347f05
--- /dev/null
+++ b/src/lib/libcrypto/opensslv.h
@@ -0,0 +1,21 @@
+#ifndef HEADER_OPENSSLV_H
+#define HEADER_OPENSSLV_H
+
+/* Numeric release version identifier:
+ * MMNNFFRBB: major minor fix final beta/patch
+ * For example:
+ * 0.9.3-dev      0x00903000
+ * 0.9.3beta1     0x00903001
+ * 0.9.3beta2-dev 0x00903002
+ * 0.9.3beta2     0x00903002
+ * 0.9.3          0x00903100
+ * 0.9.3a         0x00903101
+ * 0.9.4          0x00904100
+ * 1.2.3z         0x1020311a
+ * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
+ */
+#define OPENSSL_VERSION_NUMBER  0x00904100L
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.4 09 Aug 1999"
+#define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
+
+#endif /* HEADER_OPENSSLV_H */
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
new file mode 100644
index 0000000000..6bd42aee4d
--- /dev/null
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_OPENSSL_TYPES_H
+#define HEADER_OPENSSL_TYPES_H
+
+#ifdef NO_ASN1_TYPEDEFS
+#define ASN1_INTEGER            ASN1_STRING
+#define ASN1_ENUMERATED         ASN1_STRING
+#define ASN1_BIT_STRING         ASN1_STRING
+#define ASN1_OCTET_STRING       ASN1_STRING
+#define ASN1_PRINTABLESTRING    ASN1_STRING
+#define ASN1_T61STRING          ASN1_STRING
+#define ASN1_IA5STRING          ASN1_STRING
+#define ASN1_UTCTIME            ASN1_STRING
+#define ASN1_GENERALIZEDTIME    ASN1_STRING
+#define ASN1_TIME               ASN1_STRING
+#define ASN1_GENERALSTRING      ASN1_STRING
+#define ASN1_UNIVERSALSTRING    ASN1_STRING
+#define ASN1_BMPSTRING          ASN1_STRING
+#define ASN1_VISIBLESTRING      ASN1_STRING
+#define ASN1_UTF8STRING         ASN1_STRING
+#define ASN1_BOOLEAN            int
+#define ASN1_NULL               int
+#else
+typedef struct asn1_string_st ASN1_INTEGER;
+typedef struct asn1_string_st ASN1_ENUMERATED;
+typedef struct asn1_string_st ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_OCTET_STRING;
+typedef struct asn1_string_st ASN1_PRINTABLESTRING;
+typedef struct asn1_string_st ASN1_T61STRING;
+typedef struct asn1_string_st ASN1_IA5STRING;
+typedef struct asn1_string_st ASN1_GENERALSTRING;
+typedef struct asn1_string_st ASN1_UNIVERSALSTRING;
+typedef struct asn1_string_st ASN1_BMPSTRING;
+typedef struct asn1_string_st ASN1_UTCTIME;
+typedef struct asn1_string_st ASN1_TIME;
+typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
+typedef struct asn1_string_st ASN1_VISIBLESTRING;
+typedef struct asn1_string_st ASN1_UTF8STRING;
+typedef int ASN1_BOOLEAN;
+typedef int ASN1_NULL;
+#endif
+
+#ifdef OPENSSL_SYS_WIN32
+#undef X509_NAME
+#undef PKCS7_ISSUER_AND_SERIAL
+#endif
+
+typedef struct evp_cipher_st EVP_CIPHER;
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
+typedef struct env_md_st EVP_MD;
+typedef struct env_md_ctx_st EVP_MD_CTX;
+typedef struct evp_pkey_st EVP_PKEY;
+
+typedef struct x509_st X509;
+typedef struct X509_algor_st X509_ALGOR;
+typedef struct X509_crl_st X509_CRL;
+typedef struct X509_name_st X509_NAME;
+typedef struct x509_store_st X509_STORE;
+typedef struct x509_store_ctx_st X509_STORE_CTX;
+
+typedef struct engine_st ENGINE;
+
+  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
+#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
+
+#endif /* def HEADER_OPENSSL_TYPES_H */
diff --git a/src/lib/libcrypto/pem/pem2.h b/src/lib/libcrypto/pem/pem2.h
new file mode 100644
index 0000000000..4a016aacd2
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem2.h
@@ -0,0 +1,60 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This header only exists to break a circular dependency between pem and err
+ * Ben 30 Jan 1999.
+ */
+
+void ERR_load_PEM_strings(void);
diff --git a/src/lib/libcrypto/pem/pem_oth.c b/src/lib/libcrypto/pem/pem_oth.c
new file mode 100644
index 0000000000..8d9064ea7c
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_oth.c
@@ -0,0 +1,85 @@
+/* crypto/pem/pem_oth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+/* Handle 'other' PEMs: not private keys */
+
+char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
+             pem_password_cb *cb, void *u)
+        {
+        unsigned char *p=NULL,*data=NULL;
+        long len;
+        char *ret=NULL;
+
+        if (!PEM_bytes_read_bio(&data, &len, NULL, name, bp, cb, u))
+                return NULL;
+        p = data;
+        ret=d2i(x,&p,len);
+        if (ret == NULL)
+                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+        OPENSSL_free(data);
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
new file mode 100644
index 0000000000..f44182ffb5
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -0,0 +1,243 @@
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
+                                int nid, const EVP_CIPHER *enc,
+                                char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
+                                int nid, const EVP_CIPHER *enc,
+                                char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+
+/* These functions write a private key in PKCS#8 format: it is a "drop in"
+ * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+ * is NULL then it uses the unencrypted private key form. The 'nid' versions
+ * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
+ */
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        X509_SIG *p8;
+        PKCS8_PRIV_KEY_INFO *p8inf;
+        char buf[PEM_BUFSIZE];
+        int ret;
+        if(!(p8inf = EVP_PKEY2PKCS8(x))) {
+                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+                                        PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+                return 0;
+        }
+        if(enc || (nid != -1)) {
+                if(!kstr) {
+                        if(!cb) klen = PEM_def_callback(buf, PEM_BUFSIZE, 1, u);
+                        else klen = cb(buf, PEM_BUFSIZE, 1, u);
+                        if(klen <= 0) {
+                                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+                                                                PEM_R_READ_KEY);
+                                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                return 0;
+                        }
+                                
+                        kstr = buf;
+                }
+                p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
+                if(kstr == buf) memset(buf, 0, klen);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                if(isder) ret = i2d_PKCS8_bio(bp, p8);
+                else ret = PEM_write_bio_PKCS8(bp, p8);
+                X509_SIG_free(p8);
+                return ret;
+        } else {
+                if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+                else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                return ret;
+        }
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+        PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+        X509_SIG *p8 = NULL;
+        int klen;
+        EVP_PKEY *ret;
+        char psbuf[PEM_BUFSIZE];
+        p8 = d2i_PKCS8_bio(bp, NULL);
+        if(!p8) return NULL;
+        if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+        else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
+        if (klen <= 0) {
+                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
+                X509_SIG_free(p8);
+                return NULL;    
+        }
+        p8inf = PKCS8_decrypt(p8, psbuf, klen);
+        X509_SIG_free(p8);
+        if(!p8inf) return NULL;
+        ret = EVP_PKCS82PKEY(p8inf);
+        PKCS8_PRIV_KEY_INFO_free(p8inf);
+        if(!ret) return NULL;
+        if(x) {
+                if(*x) EVP_PKEY_free(*x);
+                *x = ret;
+        }
+        return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                              char *kstr, int klen, pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        BIO *bp;
+        int ret;
+        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
+                return(0);
+        }
+        ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
+        BIO_free(bp);
+        return ret;
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+        BIO *bp;
+        EVP_PKEY *ret;
+        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
+                return NULL;
+        }
+        ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
+        BIO_free(bp);
+        return ret;
+}
+
+#endif
+
+IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
+IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
+                                                         PKCS8_PRIV_KEY_INFO)
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
new file mode 100644
index 0000000000..270892d72b
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -0,0 +1,139 @@
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
+
+
+EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+        {
+        char *nm=NULL;
+        unsigned char *p=NULL,*data=NULL;
+        long len;
+        EVP_PKEY *ret=NULL;
+
+        if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u))
+                return NULL;
+        p = data;
+
+        if (strcmp(nm,PEM_STRING_RSA) == 0)
+                ret=d2i_PrivateKey(EVP_PKEY_RSA,x,&p,len);
+        else if (strcmp(nm,PEM_STRING_DSA) == 0)
+                ret=d2i_PrivateKey(EVP_PKEY_DSA,x,&p,len);
+        else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
+                PKCS8_PRIV_KEY_INFO *p8inf;
+                p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
+                ret = EVP_PKCS82PKEY(p8inf);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+        } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
+                PKCS8_PRIV_KEY_INFO *p8inf;
+                X509_SIG *p8;
+                int klen;
+                char psbuf[PEM_BUFSIZE];
+                p8 = d2i_X509_SIG(NULL, &p, len);
+                if(!p8) goto p8err;
+                if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+                else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
+                if (klen <= 0) {
+                        PEMerr(PEM_F_PEM_ASN1_READ_BIO,
+                                        PEM_R_BAD_PASSWORD_READ);
+                        goto err;
+                }
+                p8inf = PKCS8_decrypt(p8, psbuf, klen);
+                X509_SIG_free(p8);
+                if(!p8inf) goto p8err;
+                ret = EVP_PKCS82PKEY(p8inf);
+                if(x) {
+                        if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+                        *x = ret;
+                }
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+        }
+p8err:
+        if (ret == NULL)
+                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+err:
+        OPENSSL_free(nm);
+        OPENSSL_free(data);
+        return(ret);
+        }
+
+#ifndef OPENSSL_NO_FP_API
+EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+        {
+        BIO *b;
+        EVP_PKEY *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB);
+                return(0);
+                }
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_read_bio_PrivateKey(b,x,cb,u);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
diff --git a/src/lib/libcrypto/pem/pem_x509.c b/src/lib/libcrypto/pem/pem_x509.c
new file mode 100644
index 0000000000..19f88d8d3a
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_x509.c
@@ -0,0 +1,69 @@
+/* pem_x509.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)
+
diff --git a/src/lib/libcrypto/pem/pem_xaux.c b/src/lib/libcrypto/pem/pem_xaux.c
new file mode 100644
index 0000000000..2f579b5421
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_xaux.c
@@ -0,0 +1,68 @@
+/* pem_xaux.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
new file mode 100644
index 0000000000..ae3d9de3b4
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -0,0 +1,214 @@
+/* p12_add.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Pack an object into an OCTET STRING and turn into a safebag */
+
+PKCS12_SAFEBAG *PKCS12_pack_safebag (char *obj, int (*i2d)(), int nid1,
+             int nid2)
+{
+        PKCS12_BAGS *bag;
+        PKCS12_SAFEBAG *safebag;
+        if (!(bag = PKCS12_BAGS_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        bag->type = OBJ_nid2obj(nid1);
+        if (!ASN1_pack_string(obj, i2d, &bag->value.octet)) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if (!(safebag = PKCS12_SAFEBAG_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        safebag->value.bag = bag;
+        safebag->type = OBJ_nid2obj(nid2);
+        return safebag;
+}
+
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG (PKCS8_PRIV_KEY_INFO *p8)
+{
+        PKCS12_SAFEBAG *bag;
+        if (!(bag = PKCS12_SAFEBAG_new())) {
+                PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        bag->type = OBJ_nid2obj(NID_keyBag);
+        bag->value.keybag = p8;
+        return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG (int pbe_nid, const char *pass,
+             int passlen, unsigned char *salt, int saltlen, int iter,
+             PKCS8_PRIV_KEY_INFO *p8)
+{
+        PKCS12_SAFEBAG *bag;
+
+        /* Set up the safe bag */
+        if (!(bag = PKCS12_SAFEBAG_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+        if (!(bag->value.shkeybag = 
+          PKCS8_encrypt(pbe_nid, NULL, pass, passlen, salt, saltlen, iter,
+                                                                         p8))) {
+                PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        return bag;
+}
+
+/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
+PKCS7 *PKCS12_pack_p7data (STACK *sk)
+{
+        PKCS7 *p7;
+        if (!(p7 = PKCS7_new())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p7->type = OBJ_nid2obj(NID_pkcs7_data);
+        if (!(p7->d.data = ASN1_OCTET_STRING_new())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        
+        if (!ASN1_seq_pack(sk, i2d_PKCS12_SAFEBAG, &p7->d.data->data,
+                                        &p7->d.data->length)) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE);
+                return NULL;
+        }
+        return p7;
+}
+
+/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */
+
+PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
+             unsigned char *salt, int saltlen, int iter, STACK *bags)
+{
+        PKCS7 *p7;
+        X509_ALGOR *pbe;
+        if (!(p7 = PKCS7_new())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p7->type = OBJ_nid2obj(NID_pkcs7_encrypted);
+        if (!(p7->d.encrypted = PKCS7_ENCRYPT_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_INTEGER_set (p7->d.encrypted->version, 0);
+        p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
+        if (!(pbe = PKCS5_pbe_set (pbe_nid, iter, salt, saltlen))) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
+        p7->d.encrypted->enc_data->algorithm = pbe;
+        ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
+        if (!(p7->d.encrypted->enc_data->enc_data =
+        PKCS12_i2d_encrypt (pbe, i2d_PKCS12_SAFEBAG, pass, passlen,
+                                 (char *)bags, 1))) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR);
+                return NULL;
+        }
+
+        return p7;
+}
+
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
+                         const char *pass, int passlen,
+                         unsigned char *salt, int saltlen, int iter,
+                                                PKCS8_PRIV_KEY_INFO *p8inf)
+{
+        X509_SIG *p8;
+        X509_ALGOR *pbe;
+
+        if (!(p8 = X509_SIG_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+        else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+        if(!pbe) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        X509_ALGOR_free(p8->algor);
+        p8->algor = pbe;
+        ASN1_OCTET_STRING_free(p8->digest);
+        if (!(p8->digest = 
+        PKCS12_i2d_encrypt (pbe, i2d_PKCS8_PRIV_KEY_INFO, pass, passlen,
+                                                 (char *)p8inf, 0))) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+                return NULL;
+        }
+
+        return p8;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_asn.c b/src/lib/libcrypto/pkcs12/p12_asn.c
new file mode 100644
index 0000000000..c327bdba03
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_asn.c
@@ -0,0 +1,125 @@
+/* p12_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 ASN1 module */
+
+ASN1_SEQUENCE(PKCS12) = {
+        ASN1_SIMPLE(PKCS12, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS12, authsafes, PKCS7),
+        ASN1_OPT(PKCS12, mac, PKCS12_MAC_DATA)
+} ASN1_SEQUENCE_END(PKCS12)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12)
+
+ASN1_SEQUENCE(PKCS12_MAC_DATA) = {
+        ASN1_SIMPLE(PKCS12_MAC_DATA, dinfo, X509_SIG),
+        ASN1_SIMPLE(PKCS12_MAC_DATA, salt, ASN1_OCTET_STRING),
+        ASN1_OPT(PKCS12_MAC_DATA, iter, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PKCS12_MAC_DATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
+
+ASN1_ADB_TEMPLATE(bag_default) = ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS12_BAGS) = {
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
+} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS12_BAGS) = {
+        ASN1_SIMPLE(PKCS12_BAGS, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS12_BAGS),
+} ASN1_SEQUENCE_END(PKCS12_BAGS)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS)
+
+ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS12_SAFEBAG) = {
+        ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
+        ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, X509_SIG, 0)),
+        ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
+        ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
+        ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
+        ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
+} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
+        ASN1_SIMPLE(PKCS12_SAFEBAG, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS12_SAFEBAG),
+        ASN1_SET_OF_OPT(PKCS12_SAFEBAG, attrib, X509_ATTRIBUTE)
+} ASN1_SEQUENCE_END(PKCS12_SAFEBAG)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
+
+/* SEQUENCE OF SafeBag */
+ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG)
+ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS)
+
+/* Authsafes: SEQUENCE OF PKCS7 */
+ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7)
+ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES)
+
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
new file mode 100644
index 0000000000..31c9782b77
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -0,0 +1,238 @@
+/* p12_attr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Add a local keyid to a safebag */
+
+int PKCS12_add_localkeyid (PKCS12_SAFEBAG *bag, unsigned char *name,
+             int namelen)
+{
+        X509_ATTRIBUTE *attrib;
+        ASN1_BMPSTRING *oct;
+        ASN1_TYPE *keyid;
+        if (!(keyid = ASN1_TYPE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->type = V_ASN1_OCTET_STRING;
+        if (!(oct = ASN1_OCTET_STRING_new())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!ASN1_OCTET_STRING_set(oct, name, namelen)) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->value.octet_string = oct;
+        if (!(attrib = X509_ATTRIBUTE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        attrib->object = OBJ_nid2obj(NID_localKeyID);
+        if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_ASN1_TYPE_push (attrib->value.set,keyid);
+        attrib->set = 1;
+        if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
+        return 1;
+}
+
+/* Add key usage to PKCS#8 structure */
+
+int PKCS8_add_keyusage (PKCS8_PRIV_KEY_INFO *p8, int usage)
+{
+        X509_ATTRIBUTE *attrib;
+        ASN1_BIT_STRING *bstr;
+        ASN1_TYPE *keyid;
+        unsigned char us_val;
+        us_val = (unsigned char) usage;
+        if (!(keyid = ASN1_TYPE_new ())) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->type = V_ASN1_BIT_STRING;
+        if (!(bstr = ASN1_BIT_STRING_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->value.bit_string = bstr;
+        if (!(attrib = X509_ATTRIBUTE_new ())) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        attrib->object = OBJ_nid2obj(NID_key_usage);
+        if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_ASN1_TYPE_push (attrib->value.set,keyid);
+        attrib->set = 1;
+        if (!p8->attributes
+            && !(p8->attributes = sk_X509_ATTRIBUTE_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_X509_ATTRIBUTE_push (p8->attributes, attrib);
+        return 1;
+}
+
+/* Add a friendlyname to a safebag */
+
+int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
+                                 int namelen)
+{
+        unsigned char *uniname;
+        int ret, unilen;
+        if (!asc2uni(name, &uniname, &unilen)) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        ret = PKCS12_add_friendlyname_uni (bag, uniname, unilen);
+        Free(uniname);
+        return ret;
+}
+        
+
+int PKCS12_add_friendlyname_uni (PKCS12_SAFEBAG *bag,
+                                 const unsigned char *name, int namelen)
+{
+        X509_ATTRIBUTE *attrib;
+        ASN1_BMPSTRING *bmp;
+        ASN1_TYPE *fname;
+        /* Zap ending double null if included */
+        if(!name[namelen - 1] && !name[namelen - 2]) namelen -= 2;
+        if (!(fname = ASN1_TYPE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        fname->type = V_ASN1_BMPSTRING;
+        if (!(bmp = ASN1_BMPSTRING_new())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!(bmp->data = Malloc (namelen))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        memcpy (bmp->data, name, namelen);
+        bmp->length = namelen;
+        fname->value.bmpstring = bmp;
+        if (!(attrib = X509_ATTRIBUTE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        attrib->object = OBJ_nid2obj(NID_friendlyName);
+        if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_ASN1_TYPE_push (attrib->value.set,fname);
+        attrib->set = 1;
+        if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
+        return PKCS12_OK;
+}
+
+ASN1_TYPE *PKCS12_get_attr_gen (STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
+{
+        X509_ATTRIBUTE *attrib;
+        int i;
+        if (!attrs) return NULL;
+        for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) {
+                attrib = sk_X509_ATTRIBUTE_value (attrs, i);
+                if (OBJ_obj2nid (attrib->object) == attr_nid) {
+                        if (sk_ASN1_TYPE_num (attrib->value.set))
+                            return sk_ASN1_TYPE_value(attrib->value.set, 0);
+                        else return NULL;
+                }
+        }
+        return NULL;
+}
+
+char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
+{
+        ASN1_TYPE *atype;
+        if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL;
+        if (atype->type != V_ASN1_BMPSTRING) return NULL;
+        return uni2asc(atype->value.bmpstring->data,
+                                 atype->value.bmpstring->length);
+}
+
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
new file mode 100644
index 0000000000..6de6f8128f
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -0,0 +1,122 @@
+/* p12_crpt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 specific PBE functions */
+
+void PKCS12_PBE_add(void)
+{
+#ifndef NO_RC4
+EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
+                                                         PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
+                                                         PKCS12_PBE_keyivgen);
+#endif
+EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+                        EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 
+                        EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+#ifndef NO_RC2
+EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
+                                        EVP_sha1(), PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
+                                        EVP_sha1(), PKCS12_PBE_keyivgen);
+#endif
+}
+
+int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de)
+{
+        PBEPARAM *pbe;
+        int saltlen, iter;
+        unsigned char *salt, *pbuf;
+        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+
+        /* Extract useful info from parameter */
+        pbuf = param->value.sequence->data;
+        if (!param || (param->type != V_ASN1_SEQUENCE) ||
+           !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+                EVPerr(PKCS12_F_PKCS12_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                return 0;
+        }
+
+        if (!pbe->iter) iter = 1;
+        else iter = ASN1_INTEGER_get (pbe->iter);
+        salt = pbe->salt->data;
+        saltlen = pbe->salt->length;
+        if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+                             iter, EVP_CIPHER_key_length(cipher), key, md)) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_KEY_GEN_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID,
+                                iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_IV_GEN_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        PBEPARAM_free(pbe);
+        EVP_CipherInit(ctx, cipher, key, iv, en_de);
+        memset(key, 0, EVP_MAX_KEY_LENGTH);
+        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        return 1;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
new file mode 100644
index 0000000000..56d88b0759
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -0,0 +1,159 @@
+/* p12_crt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+             STACK *ca, int nid_key, int nid_cert, int iter, int mac_iter,
+             int keytype)
+{
+        PKCS12 *p12;
+        STACK *bags, *safes;
+        PKCS12_SAFEBAG *bag;
+        PKCS8_PRIV_KEY_INFO *p8;
+        PKCS7 *authsafe;
+        X509 *tcert;
+        int i;
+        unsigned char keyid[EVP_MAX_MD_SIZE];
+        unsigned int keyidlen;
+
+        /* Set defaults */
+        if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+        if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+        if(!iter) iter = PKCS12_DEFAULT_ITER;
+        if(!mac_iter) mac_iter = 1;
+
+        if(!pkey || !cert) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
+                return NULL;
+        }
+
+        if(!(bags = sk_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        /* Add user certificate */
+        if(!(bag = M_PKCS12_x5092certbag(cert))) return NULL;
+        if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
+        X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+        if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
+
+        if(!sk_push(bags, (char *)bag)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        
+        /* Add all other certificates */
+        if(ca) {
+                for(i = 0; i < sk_num(ca); i++) {
+                        tcert = (X509 *)sk_value(ca, i);
+                        if(!(bag = M_PKCS12_x5092certbag(tcert))) return NULL;
+                        if(!sk_push(bags, (char *)bag)) {
+                                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                                return NULL;
+                        }
+                }
+        }
+
+        /* Turn certbags into encrypted authsafe */
+        authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,
+                                          iter, bags);
+        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+
+        if (!authsafe) return NULL;
+
+        if(!(safes = sk_new (NULL)) || !sk_push(safes, (char *)authsafe)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        /* Make a shrouded key bag */
+        if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;
+        if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;
+        bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);
+        if(!bag) return NULL;
+        PKCS8_PRIV_KEY_INFO_free(p8);
+        if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;
+        if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;
+        if(!(bags = sk_new(NULL)) || !sk_push (bags, (char *)bag)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        /* Turn it into unencrypted safe bag */
+        if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;
+        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+        if(!sk_push(safes, (char *)authsafe)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
+
+        if(!M_PKCS12_pack_authsafes (p12, safes)) return NULL;
+
+        sk_pop_free(safes, PKCS7_free);
+
+        if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))
+            return NULL;
+
+        return p12;
+
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
new file mode 100644
index 0000000000..d3d288e187
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -0,0 +1,185 @@
+/* p12_decr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Define this to dump decrypted output to files called DERnnn */
+/*#define DEBUG_DECRYPT*/
+
+
+/* Encrypt/Decrypt a buffer based on password and algor, result in a
+ * Malloc'ed buffer
+ */
+
+unsigned char * PKCS12_pbe_crypt (X509_ALGOR *algor, const char *pass,
+             int passlen, unsigned char *in, int inlen, unsigned char **data,
+             int *datalen, int en_de)
+{
+        unsigned char *out;
+        int outlen, i;
+        EVP_CIPHER_CTX ctx;
+
+        /* Decrypt data */
+        if (!EVP_PBE_CipherInit (algor->algorithm, pass, passlen,
+                                         algor->parameter, &ctx, en_de)) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
+                return NULL;
+        }
+
+        if(!(out = Malloc (inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        EVP_CipherUpdate (&ctx, out, &i, in, inlen);
+        outlen = i;
+        if(!EVP_CipherFinal (&ctx, out + i, &i)) {
+                Free (out);
+                PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
+                return NULL;
+        }
+        outlen += i;
+        if (datalen) *datalen = outlen;
+        if (data) *data = out;
+        return out;
+
+}
+
+/* Decrypt an OCTET STRING and decode ASN1 structure 
+ * if seq & 1 'obj' is a stack of structures to be encoded
+ * if seq & 2 zero buffer after use
+ * as a sequence.
+ */
+
+char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
+             void (*free_func)(), const char *pass, int passlen,
+             ASN1_OCTET_STRING *oct, int seq)
+{
+        unsigned char *out, *p;
+        char *ret;
+        int outlen;
+
+        if (!PKCS12_pbe_crypt (algor, pass, passlen, oct->data, oct->length,
+                               &out, &outlen, 0)) {
+                PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+                return NULL;
+        }
+        p = out;
+#ifdef DEBUG_DECRYPT
+        {
+                FILE *op;
+
+                char fname[30];
+                static int fnm = 1;
+                sprintf(fname, "DER%d", fnm++);
+                op = fopen(fname, "wb");
+                fwrite (p, 1, outlen, op);
+                fclose(op);
+        }
+#endif
+        if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i,
+                                free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+        else ret = d2i(NULL, &p, outlen);
+        if (seq & 2) memset(out, 0, outlen);
+        if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
+        Free (out);
+        return ret;
+}
+
+/* Encode ASN1 structure and encrypt, return OCTET STRING 
+ * if 'seq' is non-zero 'obj' is a stack of structures to be encoded
+ * as a sequence
+ */
+
+ASN1_OCTET_STRING *PKCS12_i2d_encrypt (X509_ALGOR *algor, int (*i2d)(),
+                                       const char *pass, int passlen,
+                                       char *obj, int seq)
+{
+        ASN1_OCTET_STRING *oct;
+        unsigned char *in, *p;
+        int inlen;
+        if (!(oct = ASN1_OCTET_STRING_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if (seq) inlen = i2d_ASN1_SET((STACK *)obj, NULL, i2d, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        else inlen = i2d (obj, NULL);
+        if (!inlen) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!(in = Malloc (inlen))) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p = in;
+        if (seq) i2d_ASN1_SET((STACK *)obj, &p, i2d, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        else i2d (obj, &p);
+        if (!PKCS12_pbe_crypt (algor, pass, passlen, in, inlen, &oct->data,
+                                 &oct->length, 1)) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
+                Free(in);
+                return NULL;
+        }
+        Free (in);
+        return oct;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
new file mode 100644
index 0000000000..dc6ab41db8
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -0,0 +1,98 @@
+/* p12_init.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Initialise a PKCS12 structure to take data */
+
+PKCS12 *PKCS12_init (int mode)
+{
+        PKCS12 *pkcs12;
+        if (!(pkcs12 = PKCS12_new())) {
+                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if (!(pkcs12->version = ASN1_INTEGER_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_INTEGER_set (pkcs12->version, 3);
+        if (!(pkcs12->authsafes = PKCS7_new())) {
+                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        pkcs12->authsafes->type = OBJ_nid2obj(mode);
+        switch (mode) {
+                case NID_pkcs7_data:
+                        if (!(pkcs12->authsafes->d.data =
+                                 ASN1_OCTET_STRING_new())) {
+                        PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                break;
+                default:
+                        PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+                        PKCS12_free(pkcs12);
+                        return NULL;
+                break;
+        }
+                
+        return pkcs12;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
new file mode 100644
index 0000000000..25d8cdae57
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -0,0 +1,182 @@
+/* p12_key.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+
+/* Uncomment out this line to get debugging info about key generation */
+/*#define DEBUG_KEYGEN*/
+#ifdef DEBUG_KEYGEN
+#include <bio.h>
+extern BIO *bio_err;
+void h__dump (unsigned char *p, int len);
+#endif
+
+/* PKCS12 compatible key/IV generation */
+#ifndef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#endif
+
+int PKCS12_key_gen_asc (const char *pass, int passlen, unsigned char *salt,
+             int saltlen, int id, int iter, int n, unsigned char *out,
+             const EVP_MD *md_type)
+{
+        int ret;
+        unsigned char *unipass;
+        int uniplen;
+        if (!asc2uni (pass, &unipass, &uniplen)) {
+                PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        ret = PKCS12_key_gen_uni (unipass, uniplen, salt, saltlen,
+                                                 id, iter, n, out, md_type);
+        memset(unipass, 0, uniplen);    /* Clear password from memory */
+        Free(unipass);
+        return ret;
+}
+
+int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt,
+             int saltlen, int id, int iter, int n, unsigned char *out,
+             const EVP_MD *md_type)
+{
+        unsigned char *B, *D, *I, *p, *Ai;
+        int Slen, Plen, Ilen;
+        int i, j, u, v;
+        BIGNUM *Ij, *Bpl1;      /* These hold Ij and B + 1 */
+        EVP_MD_CTX ctx;
+#ifdef  DEBUG_KEYGEN
+        unsigned char *tmpout = out;
+        int tmpn = n;
+        BIO_printf (bio_err, "KEYGEN DEBUG\n");
+        BIO_printf (bio_err, "ID %d, ITER %d\n", id, iter);
+        BIO_printf (bio_err, "Password (length %d):\n", passlen);
+        h__dump (pass, passlen);
+        BIO_printf (bio_err, "Salt (length %d):\n", saltlen);
+        h__dump (salt, saltlen);
+        BIO_printf (bio_err, "ID %d, ITER %d\n\n", id, iter);
+#endif
+        v = EVP_MD_block_size (md_type);
+        u = EVP_MD_size (md_type);
+        D = Malloc (v);
+        Ai = Malloc (u);
+        B = Malloc (v + 1);
+        Slen = v * ((saltlen+v-1)/v);
+        Plen = v * ((passlen+v-1)/v);
+        Ilen = Slen + Plen;
+        I = Malloc (Ilen);
+        Ij = BN_new();
+        Bpl1 = BN_new();
+        if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
+                PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        for (i = 0; i < v; i++) D[i] = id;
+        p = I;
+        for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
+        for (i = 0; i < Plen; i++) *p++ = pass[i % passlen];
+        for (;;) {
+                EVP_DigestInit (&ctx, md_type);
+                EVP_DigestUpdate (&ctx, D, v);
+                EVP_DigestUpdate (&ctx, I, Ilen);
+                EVP_DigestFinal (&ctx, Ai, NULL);
+                for (j = 1; j < iter; j++) {
+                        EVP_DigestInit (&ctx, md_type);
+                        EVP_DigestUpdate (&ctx, Ai, u);
+                        EVP_DigestFinal (&ctx, Ai, NULL);
+                }
+                memcpy (out, Ai, min (n, u));
+                if (u >= n) {
+                        Free (Ai);
+                        Free (B);
+                        Free (D);
+                        Free (I);
+                        BN_free (Ij);
+                        BN_free (Bpl1);
+#ifdef DEBUG_KEYGEN
+                        BIO_printf (bio_err, "Output KEY (length %d)\n", tmpn);
+                        h__dump (tmpout, tmpn);
+#endif
+                        return 1;       
+                }
+                n -= u;
+                out += u;
+                for (j = 0; j < v; j++) B[j] = Ai[j % u];
+                /* Work out B + 1 first then can use B as tmp space */
+                BN_bin2bn (B, v, Bpl1);
+                BN_add_word (Bpl1, 1);
+                for (j = 0; j < Ilen ; j+=v) {
+                        BN_bin2bn (I + j, v, Ij);
+                        BN_add (Ij, Ij, Bpl1);
+                        BN_bn2bin (Ij, B);
+                        /* If more than 2^(v*8) - 1 cut off MSB */
+                        if (BN_num_bytes (Ij) > v) {
+                                BN_bn2bin (Ij, B);
+                                memcpy (I + j, B + 1, v);
+                        } else BN_bn2bin (Ij, I + j);
+                }
+        }
+}
+#ifdef DEBUG_KEYGEN
+void h__dump (unsigned char *p, int len)
+{
+        for (; len --; p++) BIO_printf (bio_err, "%02X", *p);
+        BIO_printf (bio_err, "\n");     
+}
+#endif
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
new file mode 100644
index 0000000000..767e1303da
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -0,0 +1,238 @@
+/* p12_kiss.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Simplified PKCS#12 routines */
+
+static int parse_pk12( PKCS12 *p12, const char *pass, int passlen, EVP_PKEY **pkey, X509 **cert, STACK **ca);
+static int parse_bags( STACK *bags, const char *pass, int passlen, EVP_PKEY **pkey, X509 **cert, STACK **ca, ASN1_OCTET_STRING **keyid, char *keymatch);
+static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey, X509 **cert, STACK **ca, ASN1_OCTET_STRING **keyid, char *keymatch);
+/* Parse and decrypt a PKCS#12 structure returning user key, user cert
+ * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
+ * or it should point to a valid STACK structure. pkey and cert can be
+ * passed unitialised.
+ */
+
+int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+             STACK **ca)
+{
+
+/* Check for NULL PKCS12 structure */
+
+if(!p12) {
+        PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+        return 0;
+}
+
+/* Allocate stack for ca certificates if needed */
+if ((ca != NULL) && (*ca == NULL)) {
+        if (!(*ca = sk_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+}
+
+if(pkey) *pkey = NULL;
+if(cert) *cert = NULL;
+
+/* Check the mac */
+
+if (!PKCS12_verify_mac (p12, pass, -1)) {
+        PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE);
+        goto err;
+}
+
+if (!parse_pk12 (p12, pass, -1, pkey, cert, ca)) {
+        PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
+        goto err;
+}
+
+return 1;
+
+err:
+
+if (pkey && *pkey) EVP_PKEY_free (*pkey);
+if (cert && *cert) X509_free (*cert);
+if (ca) sk_pop_free (*ca, X509_free);
+return 0;
+
+}
+
+/* Parse the outer PKCS#12 structure */
+
+static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
+             EVP_PKEY **pkey, X509 **cert, STACK **ca)
+{
+        STACK *asafes, *bags;
+        int i, bagnid;
+        PKCS7 *p7;
+        ASN1_OCTET_STRING *keyid = NULL;
+        char keymatch = 0;
+        if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
+        for (i = 0; i < sk_num (asafes); i++) {
+                p7 = (PKCS7 *) sk_value (asafes, i);
+                bagnid = OBJ_obj2nid (p7->type);
+                if (bagnid == NID_pkcs7_data) {
+                        bags = M_PKCS12_unpack_p7data (p7);
+                } else if (bagnid == NID_pkcs7_encrypted) {
+                        bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+                } else continue;
+                if (!bags) {
+                        sk_pop_free (asafes, PKCS7_free);
+                        return 0;
+                }
+                if (!parse_bags (bags, pass, passlen, pkey, cert, ca,
+                                                         &keyid, &keymatch)) {
+                        sk_pop_free (bags, PKCS12_SAFEBAG_free);
+                        sk_pop_free (asafes, PKCS7_free);
+                        return 0;
+                }
+                sk_pop_free (bags, PKCS12_SAFEBAG_free);
+        }
+        sk_pop_free (asafes, PKCS7_free);
+        if (keyid) ASN1_OCTET_STRING_free (keyid);
+        return 1;
+}
+
+
+static int parse_bags (STACK *bags, const char *pass, int passlen,
+                       EVP_PKEY **pkey, X509 **cert, STACK **ca,
+                       ASN1_OCTET_STRING **keyid, char *keymatch)
+{
+        int i;
+        for (i = 0; i < sk_num (bags); i++) {
+                if (!parse_bag ((PKCS12_SAFEBAG *)sk_value (bags, i),
+                         pass, passlen, pkey, cert, ca, keyid,
+                                                         keymatch)) return 0;
+        }
+        return 1;
+}
+
+#define MATCH_KEY  0x1
+#define MATCH_CERT 0x2
+#define MATCH_ALL  0x3
+
+static int parse_bag (PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+                      EVP_PKEY **pkey, X509 **cert, STACK **ca,
+                      ASN1_OCTET_STRING **keyid,
+             char *keymatch)
+{
+        PKCS8_PRIV_KEY_INFO *p8;
+        X509 *x509;
+        ASN1_OCTET_STRING *lkey = NULL;
+        ASN1_TYPE *attrib;
+
+
+        if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
+                                            lkey = attrib->value.octet_string;
+
+        /* Check for any local key id matching (if needed) */
+        if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
+                if (*keyid) {
+                        if (ASN1_OCTET_STRING_cmp (*keyid, lkey)) lkey = NULL;
+                } else {
+                        if (!(*keyid = ASN1_OCTET_STRING_dup (lkey))) {
+                                PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
+                                return 0;
+                    }
+                }
+        }
+        
+        switch (M_PKCS12_bag_type(bag))
+        {
+        case NID_keyBag:
+                if (!lkey || !pkey) return 1;   
+                if (!(*pkey = EVP_PKCS82PKEY (bag->value.keybag))) return 0;
+                *keymatch |= MATCH_KEY;
+        break;
+
+        case NID_pkcs8ShroudedKeyBag:
+                if (!lkey || !pkey) return 1;   
+                if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
+                                return 0;
+                *pkey = EVP_PKCS82PKEY (p8);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                if (!(*pkey)) return 0;
+                *keymatch |= MATCH_KEY;
+        break;
+
+        case NID_certBag:
+                if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
+                                                                 return 1;
+                if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+                if (lkey) {
+                        *keymatch |= MATCH_CERT;
+                        if (cert) *cert = x509;
+                } else if (ca) sk_push (*ca, (char *)x509);
+        break;
+
+        case NID_safeContentsBag:
+                return parse_bags(bag->value.safes, pass, passlen,
+                                        pkey, cert, ca, keyid, keymatch);
+        break;
+
+        default:
+                return 1;
+        break;
+        }
+        return 1;
+}
+
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
new file mode 100644
index 0000000000..bac558d6b9
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -0,0 +1,170 @@
+/* p12_mutl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef NO_HMAC
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <openssl/pkcs12.h>
+
+/* Generate a MAC */
+int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
+                    unsigned char *mac, unsigned int *maclen)
+{
+        const EVP_MD *md_type;
+        HMAC_CTX hmac;
+        unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
+        int saltlen, iter;
+        salt = p12->mac->salt->data;
+        saltlen = p12->mac->salt->length;
+        if (!p12->mac->iter) iter = 1;
+        else iter = ASN1_INTEGER_get (p12->mac->iter);
+        if(!(md_type =
+                 EVP_get_digestbyobj (p12->mac->dinfo->algor->algorithm))) {
+                PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
+                return 0;
+        }
+        if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
+                                 PKCS12_MAC_KEY_LENGTH, key, md_type)) {
+                PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR);
+                return 0;
+        }
+        HMAC_Init (&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type);
+        HMAC_Update (&hmac, p12->authsafes->d.data->data,
+                                         p12->authsafes->d.data->length);
+        HMAC_Final (&hmac, mac, maclen);
+        return 1;
+}
+
+/* Verify the mac */
+int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
+{
+        unsigned char mac[EVP_MAX_MD_SIZE];
+        unsigned int maclen;
+        if(p12->mac == NULL) {
+                PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
+                return 0;
+        }
+        if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
+                PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+                return 0;
+        }
+        if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
+        || memcmp (mac, p12->mac->dinfo->digest->data, maclen)) {
+                PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_VERIFY_ERROR);
+                return 0;
+        }
+        return 1;
+}
+
+/* Set a mac */
+
+int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
+             unsigned char *salt, int saltlen, int iter, EVP_MD *md_type)
+{
+        unsigned char mac[EVP_MAX_MD_SIZE];
+        unsigned int maclen;
+
+        if (!md_type) md_type = EVP_sha1();
+        if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) ==
+                                        PKCS12_ERROR) {
+                PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_SETUP_ERROR);
+                return 0;
+        }
+        if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
+                PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+                return 0;
+        }
+        if (!(ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
+                PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_STRING_SET_ERROR);
+                                                return 0;
+        }
+        return 1;
+}
+
+/* Set up a mac structure */
+int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
+             EVP_MD *md_type)
+{
+        if (!(p12->mac = PKCS12_MAC_DATA_new ())) return PKCS12_ERROR;
+        if (iter > 1) {
+                if(!(p12->mac->iter = ASN1_INTEGER_new())) {
+                        PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                ASN1_INTEGER_set (p12->mac->iter, iter);
+        }
+        if (!saltlen) saltlen = PKCS12_SALT_LEN;
+        p12->mac->salt->length = saltlen;
+        if (!(p12->mac->salt->data = Malloc (saltlen))) {
+                PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!salt) RAND_bytes (p12->mac->salt->data, saltlen);
+        else memcpy (p12->mac->salt->data, salt, saltlen);
+        p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
+        if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
+                PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
+        
+        return 1;
+}
+#endif
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
new file mode 100644
index 0000000000..ee71707e2c
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -0,0 +1,212 @@
+/* p12_npas.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 password change routine */
+
+static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);
+static int newpass_bags(STACK *bags, char *oldpass,  char *newpass);
+static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
+
+/* 
+ * Change the password on a PKCS#12 structure.
+ */
+
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
+{
+
+/* Check for NULL PKCS12 structure */
+
+if(!p12) {
+        PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+        return 0;
+}
+
+/* Check the mac */
+
+if (!PKCS12_verify_mac(p12, oldpass, -1)) {
+        PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
+        return 0;
+}
+
+if (!newpass_p12(p12, oldpass, newpass)) {
+        PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
+        return 0;
+}
+
+return 1;
+
+}
+
+/* Parse the outer PKCS#12 structure */
+
+static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
+{
+        STACK *asafes, *newsafes, *bags;
+        int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen;
+        PKCS7 *p7, *p7new;
+        ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
+        unsigned char mac[EVP_MAX_MD_SIZE];
+        unsigned int maclen;
+        if (!(asafes = M_PKCS12_unpack_authsafes(p12))) return 0;
+        if(!(newsafes = sk_new(NULL))) return 0;
+        for (i = 0; i < sk_num (asafes); i++) {
+                p7 = (PKCS7 *) sk_value(asafes, i);
+                bagnid = OBJ_obj2nid(p7->type);
+                if (bagnid == NID_pkcs7_data) {
+                        bags = M_PKCS12_unpack_p7data(p7);
+                } else if (bagnid == NID_pkcs7_encrypted) {
+                        bags = M_PKCS12_unpack_p7encdata(p7, oldpass, -1);
+                        alg_get(p7->d.encrypted->enc_data->algorithm,
+                                &pbe_nid, &pbe_iter, &pbe_saltlen);
+                } else continue;
+                if (!bags) {
+                        sk_pop_free(asafes, PKCS7_free);
+                        return 0;
+                }
+                if (!newpass_bags(bags, oldpass, newpass)) {
+                        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+                        sk_pop_free(asafes, PKCS7_free);
+                        return 0;
+                }
+                /* Repack bag in same form with new password */
+                if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags);
+                else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL,
+                                                 pbe_saltlen, pbe_iter, bags);
+                sk_pop_free(bags, PKCS12_SAFEBAG_free);
+                if(!p7new) {
+                        sk_pop_free(asafes, PKCS7_free);
+                        return 0;
+                }
+                sk_push(newsafes, (char *)p7new);
+        }
+        sk_pop_free(asafes, PKCS7_free);
+
+        /* Repack safe: save old safe in case of error */
+
+        p12_data_tmp = p12->authsafes->d.data;
+        if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr;
+        if(!M_PKCS12_pack_authsafes(p12, newsafes)) goto saferr;
+
+        if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr;
+        if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr;
+        if(!ASN1_OCTET_STRING_set(macnew, mac, maclen)) goto saferr;
+        ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
+        p12->mac->dinfo->digest = macnew;
+        ASN1_OCTET_STRING_free(p12_data_tmp);
+
+        return 1;
+
+        saferr:
+        /* Restore old safe */
+        ASN1_OCTET_STRING_free(p12->authsafes->d.data);
+        ASN1_OCTET_STRING_free(macnew);
+        p12->authsafes->d.data = p12_data_tmp;
+        return 0;
+
+}
+
+
+static int newpass_bags(STACK *bags, char *oldpass,  char *newpass)
+{
+        int i;
+        for (i = 0; i < sk_num(bags); i++) {
+                if (!newpass_bag((PKCS12_SAFEBAG *)sk_value(bags, i),
+                                                 oldpass, newpass)) return 0;
+        }
+        return 1;
+}
+
+/* Change password of safebag: only needs handle shrouded keybags */
+
+static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
+{
+        PKCS8_PRIV_KEY_INFO *p8;
+        X509_SIG *p8new;
+        int p8_nid, p8_saltlen, p8_iter;
+
+        if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1;
+
+        if (!(p8 = M_PKCS12_decrypt_skey(bag, oldpass, -1))) return 0;
+        alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen);
+        if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
+                                                     p8_iter, p8))) return 0;
+        X509_SIG_free(bag->value.shkeybag);
+        bag->value.shkeybag = p8new;
+        return 1;
+}
+
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
+{
+        PBEPARAM *pbe;
+        unsigned char *p;
+        p = alg->parameter->value.sequence->data;
+        pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
+        *pnid = OBJ_obj2nid(alg->algorithm);
+        *piter = ASN1_INTEGER_get(pbe->iter);
+        *psaltlen = pbe->salt->length;
+        PBEPARAM_free(pbe);
+        return 0;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_p8d.c b/src/lib/libcrypto/pkcs12/p12_p8d.c
new file mode 100644
index 0000000000..3c6f377933
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_p8d.c
@@ -0,0 +1,68 @@
+/* p12_p8d.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen)
+{
+        return PKCS12_item_decrypt_d2i(p8->algor, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
+                                        passlen, p8->digest, 1);
+}
+
diff --git a/src/lib/libcrypto/pkcs12/p12_p8e.c b/src/lib/libcrypto/pkcs12/p12_p8e.c
new file mode 100644
index 0000000000..3d47956652
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_p8e.c
@@ -0,0 +1,97 @@
+/* p12_p8e.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
+                         const char *pass, int passlen,
+                         unsigned char *salt, int saltlen, int iter,
+                                                PKCS8_PRIV_KEY_INFO *p8inf)
+{
+        X509_SIG *p8 = NULL;
+        X509_ALGOR *pbe;
+
+        if (!(p8 = X509_SIG_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+        else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+        if(!pbe) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
+                goto err;
+        }
+        X509_ALGOR_free(p8->algor);
+        p8->algor = pbe;
+        M_ASN1_OCTET_STRING_free(p8->digest);
+        p8->digest = PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO),
+                                        pass, passlen, p8inf, 1);
+        if(!p8->digest) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+                goto err;
+        }
+
+        return p8;
+
+        err:
+        X509_SIG_free(p8);
+        return NULL;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
new file mode 100644
index 0000000000..2adcbc95e1
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -0,0 +1,118 @@
+/* p12_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Cheap and nasty Unicode stuff */
+
+unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen)
+{
+        int ulen, i;
+        unsigned char *unitmp;
+        ulen = strlen(asc)*2  + 2;
+        if (!(unitmp = Malloc (ulen))) return NULL;
+        for (i = 0; i < ulen; i+=2) {
+                unitmp[i] = 0;
+                unitmp[i + 1] = asc[i>>1];
+        }
+        if (unilen) *unilen = ulen;
+        if (uni) *uni = unitmp;
+        return unitmp;
+}
+
+char *uni2asc (unsigned char *uni, int unilen)
+{
+        int asclen, i;
+        char *asctmp;
+        asclen = unilen / 2;
+        /* If no terminating zero allow for one */
+        if (uni[unilen - 1]) asclen++;
+        uni++;
+        if (!(asctmp = Malloc (asclen))) return NULL;
+        for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i];
+        asctmp[asclen - 1] = 0;
+        return asctmp;
+}
+
+int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
+{
+        return ASN1_i2d_bio((int(*)())i2d_PKCS12, bp, (unsigned char *)p12);
+}
+
+#ifndef NO_FP_API
+int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
+{
+        return ASN1_i2d_fp((int(*)())i2d_PKCS12, fp, (unsigned char *)p12);
+}
+#endif
+
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
+{
+        return (PKCS12 *)ASN1_d2i_bio((char *(*)())PKCS12_new,
+         (char *(*)())d2i_PKCS12, bp, (unsigned char **)p12);
+}
+#ifndef NO_FP_API
+PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
+{
+        return (PKCS12 *)ASN1_d2i_fp((char *(*)())PKCS12_new, 
+         (char *(*)())d2i_PKCS12, fp, (unsigned char **)(p12));
+}
+#endif
+
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
new file mode 100644
index 0000000000..38d7be7675
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -0,0 +1,136 @@
+/* crypto/pkcs12/pk12err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA PKCS12_str_functs[]=
+        {
+{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),     "PARSE_BAGS"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0),        "PKCS12_ADD_FRIENDLYNAME"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0),    "PKCS12_add_friendlyname_asc"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0),    "PKCS12_add_friendlyname_uni"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0),  "PKCS12_add_localkeyid"},
+{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0),  "PKCS12_create"},
+{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0),     "PKCS12_decrypt_d2i"},
+{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0), "PKCS12_gen_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0),     "PKCS12_i2d_encrypt"},
+{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0),    "PKCS12_init"},
+{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0),     "PKCS12_key_gen_asc"},
+{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),     "PKCS12_key_gen_uni"},
+{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),     "PKCS12_MAKE_KEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),   "PKCS12_MAKE_SHKEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),     "PKCS12_pack_p7data"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),  "PKCS12_pack_p7encdata"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),    "PKCS12_pack_safebag"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0),   "PKCS12_parse"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0),       "PKCS12_pbe_crypt"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0),    "PKCS12_PBE_keyivgen"},
+{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0),       "PKCS12_setup_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0), "PKCS12_set_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0),     "PKCS8_add_keyusage"},
+{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0),  "PKCS8_encrypt"},
+{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0),     "VERIFY_MAC"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA PKCS12_str_reasons[]=
+        {
+{PKCS12_R_CANT_PACK_STRUCTURE            ,"cant pack structure"},
+{PKCS12_R_DECODE_ERROR                   ,"decode error"},
+{PKCS12_R_ENCODE_ERROR                   ,"encode error"},
+{PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
+{PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
+{PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
+{PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
+{PKCS12_R_KEY_GEN_ERROR                  ,"key gen error"},
+{PKCS12_R_MAC_ABSENT                     ,"mac absent"},
+{PKCS12_R_MAC_GENERATION_ERROR           ,"mac generation error"},
+{PKCS12_R_MAC_SETUP_ERROR                ,"mac setup error"},
+{PKCS12_R_MAC_STRING_SET_ERROR           ,"mac string set error"},
+{PKCS12_R_MAC_VERIFY_ERROR               ,"mac verify error"},
+{PKCS12_R_MAC_VERIFY_FAILURE             ,"mac verify failure"},
+{PKCS12_R_PARSE_ERROR                    ,"parse error"},
+{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR  ,"pkcs12 algor cipherinit error"},
+{PKCS12_R_PKCS12_CIPHERFINAL_ERROR       ,"pkcs12 cipherfinal error"},
+{PKCS12_R_PKCS12_PBE_CRYPT_ERROR         ,"pkcs12 pbe crypt error"},
+{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM       ,"unknown digest algorithm"},
+{PKCS12_R_UNSUPPORTED_PKCS12_MODE        ,"unsupported pkcs12 mode"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_PKCS12_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
+                ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
new file mode 100644
index 0000000000..4cfba5e6c6
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -0,0 +1,337 @@
+/* pkcs12.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_PKCS12_H
+#define HEADER_PKCS12_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+
+#define PKCS12_KEY_ID   1
+#define PKCS12_IV_ID    2
+#define PKCS12_MAC_ID   3
+
+/* Default iteration count */
+#ifndef PKCS12_DEFAULT_ITER
+#define PKCS12_DEFAULT_ITER     PKCS5_DEFAULT_ITER
+#endif
+
+#define PKCS12_MAC_KEY_LENGTH 20
+
+#define PKCS12_SALT_LEN 8
+
+/* Uncomment out next line for unicode password and names, otherwise ASCII */
+
+/*#define PBE_UNICODE*/
+
+#ifdef PBE_UNICODE
+#define PKCS12_key_gen PKCS12_key_gen_uni
+#define PKCS12_add_friendlyname PKCS12_add_friendlyname_uni
+#else
+#define PKCS12_key_gen PKCS12_key_gen_asc
+#define PKCS12_add_friendlyname PKCS12_add_friendlyname_asc
+#endif
+
+/* MS key usage constants */
+
+#define KEY_EX  0x10
+#define KEY_SIG 0x80
+
+typedef struct {
+X509_SIG *dinfo;
+ASN1_OCTET_STRING *salt;
+ASN1_INTEGER *iter;     /* defaults to 1 */
+} PKCS12_MAC_DATA;
+
+typedef struct {
+ASN1_INTEGER *version;
+PKCS12_MAC_DATA *mac;
+PKCS7 *authsafes;
+} PKCS12;
+
+typedef struct {
+ASN1_OBJECT *type;
+union {
+        struct pkcs12_bag_st *bag; /* secret, crl and certbag */
+        struct pkcs8_priv_key_info_st   *keybag; /* keybag */
+        X509_SIG *shkeybag; /* shrouded key bag */
+        STACK /* PKCS12_SAFEBAG */ *safes;
+        ASN1_TYPE *other;
+}value;
+STACK_OF(X509_ATTRIBUTE) *attrib;
+ASN1_TYPE *rest;
+} PKCS12_SAFEBAG;
+
+typedef struct pkcs12_bag_st {
+ASN1_OBJECT *type;
+union {
+        ASN1_OCTET_STRING *x509cert;
+        ASN1_OCTET_STRING *x509crl;
+        ASN1_OCTET_STRING *octet;
+        ASN1_IA5STRING *sdsicert;
+        ASN1_TYPE *other; /* Secret or other bag */
+}value;
+} PKCS12_BAGS;
+
+#define PKCS12_ERROR    0
+#define PKCS12_OK       1
+
+#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
+#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
+#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
+
+#define M_PKCS12_x5092certbag(x509) \
+PKCS12_pack_safebag ((char *)(x509), i2d_X509, NID_x509Certificate, NID_certBag)
+
+#define M_PKCS12_x509crl2certbag(crl) \
+PKCS12_pack_safebag ((char *)(crl), i2d_X509CRL, NID_x509Crl, NID_crlBag)
+
+#define M_PKCS12_certbag2x509(bg) \
+(X509 *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(char *(*)())d2i_X509)
+
+#define M_PKCS12_certbag2x509crl(bg) \
+(X509CRL *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(char *(*)())d2i_X509CRL)
+
+/*#define M_PKCS12_pkcs82rsa(p8) \
+(RSA *) ASN1_unpack_string ((p8)->pkey, (char *(*)())d2i_RSAPrivateKey)*/
+
+#define M_PKCS12_unpack_p7data(p7) \
+ASN1_seq_unpack ((p7)->d.data->data, p7->d.data->length, \
+                         (char *(*)())d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free)
+
+#define M_PKCS12_pack_authsafes(p12, safes) \
+ASN1_seq_pack((safes), (int (*)())i2d_PKCS7,\
+        &(p12)->authsafes->d.data->data, &(p12)->authsafes->d.data->length)
+
+#define M_PKCS12_unpack_authsafes(p12) \
+ASN1_seq_unpack((p12)->authsafes->d.data->data, \
+                (p12)->authsafes->d.data->length, (char *(*)())d2i_PKCS7, \
+                                                        PKCS7_free)
+
+#define M_PKCS12_unpack_p7encdata(p7, pass, passlen) \
+(STACK *) PKCS12_decrypt_d2i ((p7)->d.encrypted->enc_data->algorithm,\
+                         (char *(*)())d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free, \
+                                                        (pass), (passlen), \
+                        (p7)->d.encrypted->enc_data->enc_data, 3)
+
+#define M_PKCS12_decrypt_skey(bag, pass, passlen) \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((bag)->value.shkeybag->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free, \
+                                                (pass), (passlen), \
+                         (bag)->value.shkeybag->digest, 2)
+
+#define M_PKCS8_decrypt(p8, pass, passlen) \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((p8)->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free,\
+                         (pass), (passlen), (p8)->digest, 2)
+
+#define PKCS12_get_attr(bag, attr_nid) \
+                         PKCS12_get_attr_gen(bag->attrib, attr_nid)
+
+#define PKCS8_get_attr(p8, attr_nid) \
+                PKCS12_get_attr_gen(p8->attributes, attr_nid)
+
+#define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
+
+
+PKCS12_SAFEBAG *PKCS12_pack_safebag(char *obj, int (*i2d)(), int nid1, int nid2);
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 
+                        const char *pass, int passlen,
+                        unsigned char *salt, int saltlen, int iter,
+                        PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
+                                     int passlen, unsigned char *salt,
+                                     int saltlen, int iter,
+                                     PKCS8_PRIV_KEY_INFO *p8);
+PKCS7 *PKCS12_pack_p7data(STACK *sk);
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
+                             unsigned char *salt, int saltlen, int iter,
+                             STACK *bags);
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen);
+int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
+                                int namelen);
+int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
+                                int namelen);
+int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
+ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid);
+char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
+unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
+                                int passlen, unsigned char *in, int inlen,
+                                unsigned char **data, int *datalen, int en_de);
+char *PKCS12_decrypt_d2i(X509_ALGOR *algor, char *(*d2i)(),
+                         void (*free_func)(), const char *pass, int passlen,
+                         ASN1_STRING *oct, int seq);
+ASN1_STRING *PKCS12_i2d_encrypt(X509_ALGOR *algor, int (*i2d)(),
+                                const char *pass, int passlen, char *obj,
+                                int seq);
+PKCS12 *PKCS12_init(int mode);
+int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
+                       int saltlen, int id, int iter, int n,
+                       unsigned char *out, const EVP_MD *md_type);
+int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type);
+int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md_type,
+                         int en_de);
+int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+                         unsigned char *mac, unsigned int *maclen);
+int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
+int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
+                   unsigned char *salt, int saltlen, int iter,
+                   EVP_MD *md_type);
+int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
+                                         int saltlen, EVP_MD *md_type);
+unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen);
+char *uni2asc(unsigned char *uni, int unilen);
+int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
+PKCS12_BAGS *PKCS12_BAGS_new(void);
+PKCS12_BAGS *d2i_PKCS12_BAGS(PKCS12_BAGS **a, unsigned char **pp, long length);
+void PKCS12_BAGS_free(PKCS12_BAGS *a);
+int i2d_PKCS12(PKCS12 *a, unsigned char **pp);
+PKCS12 *d2i_PKCS12(PKCS12 **a, unsigned char **pp, long length);
+PKCS12 *PKCS12_new(void);
+void PKCS12_free(PKCS12 *a);
+int i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **pp);
+PKCS12_MAC_DATA *PKCS12_MAC_DATA_new(void);
+PKCS12_MAC_DATA *d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, unsigned char **pp,
+                                                                 long length);
+void PKCS12_MAC_DATA_free(PKCS12_MAC_DATA *a);
+int i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **pp);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_new(void);
+PKCS12_SAFEBAG *d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, unsigned char **pp,
+                                                                 long length);
+void PKCS12_SAFEBAG_free(PKCS12_SAFEBAG *a);
+void ERR_load_PKCS12_strings(void);
+void PKCS12_PBE_add(void);
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+                 STACK **ca);
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+                         STACK *ca, int nid_key, int nid_cert, int iter,
+                                                 int mac_iter, int keytype);
+int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
+int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
+PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the PKCS12 functions. */
+
+/* Function codes. */
+#define PKCS12_F_PARSE_BAGS                              103
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME                 100
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC             127
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI             102
+#define PKCS12_F_PKCS12_ADD_LOCALKEYID                   104
+#define PKCS12_F_PKCS12_CREATE                           105
+#define PKCS12_F_PKCS12_DECRYPT_D2I                      106
+#define PKCS12_F_PKCS12_GEN_MAC                          107
+#define PKCS12_F_PKCS12_I2D_ENCRYPT                      108
+#define PKCS12_F_PKCS12_INIT                             109
+#define PKCS12_F_PKCS12_KEY_GEN_ASC                      110
+#define PKCS12_F_PKCS12_KEY_GEN_UNI                      111
+#define PKCS12_F_PKCS12_MAKE_KEYBAG                      112
+#define PKCS12_F_PKCS12_MAKE_SHKEYBAG                    113
+#define PKCS12_F_PKCS12_PACK_P7DATA                      114
+#define PKCS12_F_PKCS12_PACK_P7ENCDATA                   115
+#define PKCS12_F_PKCS12_PACK_SAFEBAG                     117
+#define PKCS12_F_PKCS12_PARSE                            118
+#define PKCS12_F_PKCS12_PBE_CRYPT                        119
+#define PKCS12_F_PKCS12_PBE_KEYIVGEN                     120
+#define PKCS12_F_PKCS12_SETUP_MAC                        122
+#define PKCS12_F_PKCS12_SET_MAC                          123
+#define PKCS12_F_PKCS8_ADD_KEYUSAGE                      124
+#define PKCS12_F_PKCS8_ENCRYPT                           125
+#define PKCS12_F_VERIFY_MAC                              126
+
+/* Reason codes. */
+#define PKCS12_R_CANT_PACK_STRUCTURE                     100
+#define PKCS12_R_DECODE_ERROR                            101
+#define PKCS12_R_ENCODE_ERROR                            102
+#define PKCS12_R_ENCRYPT_ERROR                           103
+#define PKCS12_R_INVALID_NULL_ARGUMENT                   104
+#define PKCS12_R_INVALID_NULL_PKCS12_POINTER             105
+#define PKCS12_R_IV_GEN_ERROR                            106
+#define PKCS12_R_KEY_GEN_ERROR                           107
+#define PKCS12_R_MAC_ABSENT                              108
+#define PKCS12_R_MAC_GENERATION_ERROR                    109
+#define PKCS12_R_MAC_SETUP_ERROR                         110
+#define PKCS12_R_MAC_STRING_SET_ERROR                    111
+#define PKCS12_R_MAC_VERIFY_ERROR                        112
+#define PKCS12_R_MAC_VERIFY_FAILURE                      113
+#define PKCS12_R_PARSE_ERROR                             114
+#define PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR           115
+#define PKCS12_R_PKCS12_CIPHERFINAL_ERROR                116
+#define PKCS12_R_PKCS12_PBE_CRYPT_ERROR                  117
+#define PKCS12_R_UNKNOWN_DIGEST_ALGORITHM                118
+#define PKCS12_R_UNSUPPORTED_PKCS12_MODE                 119
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/pkcs7/pk7_asn1.c b/src/lib/libcrypto/pkcs7/pk7_asn1.c
new file mode 100644
index 0000000000..46f0fc9375
--- /dev/null
+++ b/src/lib/libcrypto/pkcs7/pk7_asn1.c
@@ -0,0 +1,213 @@
+/* pk7_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pkcs7.h>
+#include <openssl/x509.h>
+
+/* PKCS#7 ASN1 module */
+
+/* This is the ANY DEFINED BY table for the top level PKCS#7 structure */
+
+ASN1_ADB_TEMPLATE(p7default) = ASN1_EXP_OPT(PKCS7, d.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS7) = {
+        ADB_ENTRY(NID_pkcs7_data, ASN1_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_pkcs7_signed, ASN1_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)),
+        ADB_ENTRY(NID_pkcs7_enveloped, ASN1_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)),
+        ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)),
+        ADB_ENTRY(NID_pkcs7_digest, ASN1_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)),
+        ADB_ENTRY(NID_pkcs7_encrypted, ASN1_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0))
+} ASN1_ADB_END(PKCS7, 0, type, 0, &p7default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS7) = {
+        ASN1_SIMPLE(PKCS7, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS7)
+}ASN1_SEQUENCE_END(PKCS7)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7)
+IMPLEMENT_ASN1_DUP_FUNCTION(PKCS7)
+
+ASN1_SEQUENCE(PKCS7_SIGNED) = {
+        ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
+        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
+        ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
+} ASN1_SEQUENCE_END(PKCS7_SIGNED)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNED)
+
+/* Minor tweak to operation: free up EVP_PKEY */
+static int si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                PKCS7_SIGNER_INFO *si = (PKCS7_SIGNER_INFO *)*pval;
+                EVP_PKEY_free(si->pkey);
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(PKCS7_SIGNER_INFO, si_cb) = {
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, issuer_and_serial, PKCS7_ISSUER_AND_SERIAL),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, digest_alg, X509_ALGOR),
+        /* NB this should be a SET OF but we use a SEQUENCE OF so the
+         * original order * is retained when the structure is reencoded.
+         * Since the attributes are implicitly tagged this will not affect
+         * the encoding.
+         */
+        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNER_INFO, auth_attr, X509_ATTRIBUTE, 0),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, digest_enc_alg, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, enc_digest, ASN1_OCTET_STRING),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNER_INFO, unauth_attr, X509_ATTRIBUTE, 1)
+} ASN1_SEQUENCE_END_cb(PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNER_INFO)
+
+ASN1_SEQUENCE(PKCS7_ISSUER_AND_SERIAL) = {
+        ASN1_SIMPLE(PKCS7_ISSUER_AND_SERIAL, issuer, X509_NAME),
+        ASN1_SIMPLE(PKCS7_ISSUER_AND_SERIAL, serial, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PKCS7_ISSUER_AND_SERIAL)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)
+
+ASN1_SEQUENCE(PKCS7_ENVELOPE) = {
+        ASN1_SIMPLE(PKCS7_ENVELOPE, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
+        ASN1_SIMPLE(PKCS7_ENVELOPE, enc_data, PKCS7_ENC_CONTENT)
+} ASN1_SEQUENCE_END(PKCS7_ENVELOPE)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENVELOPE)
+
+/* Minor tweak to operation: free up X509 */
+static int ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                PKCS7_RECIP_INFO *ri = (PKCS7_RECIP_INFO *)*pval;
+                X509_free(ri->cert);
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(PKCS7_RECIP_INFO, ri_cb) = {
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, issuer_and_serial, PKCS7_ISSUER_AND_SERIAL),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, key_enc_algor, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, enc_key, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(PKCS7_RECIP_INFO, PKCS7_RECIP_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
+
+ASN1_SEQUENCE(PKCS7_ENC_CONTENT) = {
+        ASN1_SIMPLE(PKCS7_ENC_CONTENT, content_type, ASN1_OBJECT),
+        ASN1_SIMPLE(PKCS7_ENC_CONTENT, algorithm, X509_ALGOR),
+        ASN1_IMP_OPT(PKCS7_ENC_CONTENT, enc_data, ASN1_OCTET_STRING, 0)
+} ASN1_SEQUENCE_END(PKCS7_ENC_CONTENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT)
+
+ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = {
+        ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, md_algs, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, enc_data, PKCS7_ENC_CONTENT),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, cert, X509, 0),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, crl, X509_CRL, 1),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, signer_info, PKCS7_SIGNER_INFO)
+} ASN1_SEQUENCE_END(PKCS7_SIGN_ENVELOPE)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE)
+
+ASN1_SEQUENCE(PKCS7_ENCRYPT) = {
+        ASN1_SIMPLE(PKCS7_ENCRYPT, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_ENCRYPT, enc_data, PKCS7_ENC_CONTENT)
+} ASN1_SEQUENCE_END(PKCS7_ENCRYPT)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENCRYPT)
+
+ASN1_SEQUENCE(PKCS7_DIGEST) = {
+        ASN1_SIMPLE(PKCS7_DIGEST, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_DIGEST, md, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_DIGEST, contents, PKCS7),
+        ASN1_SIMPLE(PKCS7_DIGEST, digest, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(PKCS7_DIGEST)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_DIGEST)
+
+/* Specials for authenticated attributes */
+
+/* When signing attributes we want to reorder them to match the sorted
+ * encoding.
+ */
+
+ASN1_ITEM_TEMPLATE(PKCS7_ATTR_SIGN) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_ORDER, 0, PKCS7_ATTRIBUTES, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(PKCS7_ATTR_SIGN)
+
+/* When verifying attributes we need to use the received order. So 
+ * we use SEQUENCE OF and tag it to SET OF
+ */
+
+ASN1_ITEM_TEMPLATE(PKCS7_ATTR_VERIFY) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_IMPTAG | ASN1_TFLG_UNIVERSAL,
+                                V_ASN1_SET, PKCS7_ATTRIBUTES, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(PKCS7_ATTR_VERIFY)
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
new file mode 100644
index 0000000000..3b9c0fe3f2
--- /dev/null
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -0,0 +1,85 @@
+/* pk7_attr.c */
+/* S/MIME code.
+ * Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com) 
+ * All Rights Reserved. 
+ * Redistribution of this code without the authors permission is expressly
+ * prohibited.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
+#include <openssl/err.h>
+
+int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK *cap)
+{
+        ASN1_STRING *seq;
+        unsigned char *p, *pp;
+        int len;
+        len=i2d_ASN1_SET(cap,NULL,i2d_X509_ALGOR, V_ASN1_SEQUENCE,
+                                                V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        if(!(pp=(unsigned char *)Malloc(len))) {
+                PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        p=pp;
+        i2d_ASN1_SET(cap,&p,i2d_X509_ALGOR, V_ASN1_SEQUENCE,
+                                                V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        if(!(seq = ASN1_STRING_new())) {
+                PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if(!ASN1_STRING_set (seq, pp, len)) {
+                PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        Free (pp);
+        return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+                                                        V_ASN1_SEQUENCE, seq);
+}
+
+STACK *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
+{
+        ASN1_TYPE *cap;
+        unsigned char *p;
+        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
+        if (!cap) return NULL;
+        p = cap->value.sequence->data;
+        return d2i_ASN1_SET (NULL, &p, cap->value.sequence->length, 
+                (char *(*)())d2i_X509_ALGOR, X509_ALGOR_free, V_ASN1_SEQUENCE,
+                                                         V_ASN1_UNIVERSAL);
+}
+
+/* Basic smime-capabilities OID and optional integer arg */
+int PKCS7_simple_smimecap(STACK *sk, int nid, int arg)
+{
+        X509_ALGOR *alg;
+        if(!(alg = X509_ALGOR_new())) {
+                PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        ASN1_OBJECT_free(alg->algorithm);
+        alg->algorithm = OBJ_nid2obj (nid);
+        if (arg > 0) {
+                ASN1_INTEGER *nbit;
+                if(!(alg->parameter = ASN1_TYPE_new())) {
+                        PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if(!(nbit = ASN1_INTEGER_new())) {
+                        PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if(!ASN1_INTEGER_set (nbit, arg)) {
+                        PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                alg->parameter->value.integer = nbit;
+                alg->parameter->type = V_ASN1_INTEGER;
+        }
+        sk_push (sk, (char *)alg);
+        return 1;
+}
diff --git a/src/lib/libcrypto/pkcs7/pk7_mime.c b/src/lib/libcrypto/pkcs7/pk7_mime.c
new file mode 100644
index 0000000000..734643be28
--- /dev/null
+++ b/src/lib/libcrypto/pkcs7/pk7_mime.c
@@ -0,0 +1,673 @@
+/* pk7_mime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+/* MIME and related routines */
+
+/* MIME format structures
+ * Note that all are translated to lower case apart from
+ * parameter values. Quotes are stripped off
+ */
+
+typedef struct {
+char *name;                             /* Name of line e.g. "content-type" */
+char *value;                            /* Value of line e.g. "text/plain" */
+STACK /* MIME_PARAM */ *params;         /* Zero or more parameters */
+} MIME_HEADER;
+
+typedef struct {
+char *param_name;                       /* Param name e.g. "micalg" */
+char *param_value;                      /* Param value e.g. "sha1" */
+} MIME_PARAM;
+
+
+static int B64_write_PKCS7(BIO *bio, PKCS7 *p7);
+static PKCS7 *B64_read_PKCS7(BIO *bio);
+static char * strip_ends(char *name);
+static char * strip_start(char *name);
+static char * strip_end(char *name);
+static MIME_HEADER *mime_hdr_new(char *name, char *value);
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value);
+static STACK *mime_parse_hdr(BIO *bio);
+static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b);
+static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b);
+static void mime_param_free(MIME_PARAM *param);
+static int mime_bound_check(char *line, int linelen, char *bound, int blen);
+static int multi_split(BIO *bio, char *bound, STACK **ret);
+static int iscrlf(char c);
+static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name);
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
+static void mime_hdr_free(MIME_HEADER *hdr);
+
+#define MAX_SMLEN 1024
+#define mime_debug(x) /* x */
+
+
+typedef void (*stkfree)();
+
+/* Base 64 read and write of PKCS#7 structure */
+
+static int B64_write_PKCS7(BIO *bio, PKCS7 *p7)
+{
+        BIO *b64;
+        if(!(b64 = BIO_new(BIO_f_base64()))) {
+                PKCS7err(PKCS7_F_B64_WRITE_PKCS7,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        bio = BIO_push(b64, bio);
+        i2d_PKCS7_bio(bio, p7);
+        BIO_flush(bio);
+        bio = BIO_pop(bio);
+        BIO_free(b64);
+        return 1;
+}
+
+static PKCS7 *B64_read_PKCS7(BIO *bio)
+{
+        BIO *b64;
+        PKCS7 *p7;
+        if(!(b64 = BIO_new(BIO_f_base64()))) {
+                PKCS7err(PKCS7_F_B64_READ_PKCS7,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        bio = BIO_push(b64, bio);
+        if(!(p7 = d2i_PKCS7_bio(bio, NULL))) 
+                PKCS7err(PKCS7_F_B64_READ_PKCS7,PKCS7_R_DECODE_ERROR);
+        BIO_flush(bio);
+        bio = BIO_pop(bio);
+        BIO_free(b64);
+        return p7;
+}
+
+/* SMIME sender */
+
+int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+{
+        char linebuf[MAX_SMLEN];
+        char bound[33], c;
+        int i;
+        if((flags & PKCS7_DETACHED) && data) {
+        /* We want multipart/signed */
+                /* Generate a random boundary */
+                RAND_pseudo_bytes((unsigned char *)bound, 32);
+                for(i = 0; i < 32; i++) {
+                        c = bound[i] & 0xf;
+                        if(c < 10) c += '0';
+                        else c += 'A' - 10;
+                        bound[i] = c;
+                }
+                bound[32] = 0;
+                BIO_printf(bio, "MIME-Version: 1.0\n");
+                BIO_printf(bio, "Content-Type: multipart/signed ; ");
+                BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; ");
+                BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound);
+                BIO_printf(bio, "This is an S/MIME signed message\n\n");
+                /* Now write out the first part */
+                BIO_printf(bio, "------%s\r\n", bound);
+                if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n");
+                while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) 
+                                                BIO_write(bio, linebuf, i);
+                BIO_printf(bio, "\n------%s\n", bound);
+
+                /* Headers for signature */
+
+                BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n");
+                BIO_printf(bio, "Content-Transfer-Encoding: base64\n");
+                BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n");
+                B64_write_PKCS7(bio, p7);
+                BIO_printf(bio,"\n------%s--\n\n", bound);
+                return 1;
+        }
+        /* MIME headers */
+        BIO_printf(bio, "MIME-Version: 1.0\n");
+        BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n");
+        BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n");
+        BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n");
+        B64_write_PKCS7(bio, p7);
+        BIO_printf(bio, "\n");
+        return 1;
+}
+
+/* SMIME reader: handle multipart/signed and opaque signing.
+ * in multipart case the content is placed in a memory BIO
+ * pointed to by "bcont". In opaque this is set to NULL
+ */
+
+PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont)
+{
+        BIO *p7in;
+        STACK *headers = NULL;
+        STACK *parts = NULL;
+        MIME_HEADER *hdr;
+        MIME_PARAM *prm;
+        PKCS7 *p7;
+        int ret;
+
+        if(bcont) *bcont = NULL;
+
+        if (!(headers = mime_parse_hdr(bio))) {
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_PARSE_ERROR);
+                return NULL;
+        }
+
+        if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
+                sk_pop_free(headers, mime_hdr_free);
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_CONTENT_TYPE);
+                return NULL;
+        }
+
+        /* Handle multipart/signed */
+
+        if(!strcmp(hdr->value, "multipart/signed")) {
+                /* Split into two parts */
+                prm = mime_param_find(hdr, "boundary");
+                if(!prm || !prm->param_value) {
+                        sk_pop_free(headers, mime_hdr_free);
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BOUNDARY);
+                        return NULL;
+                }
+                ret = multi_split(bio, prm->param_value, &parts);
+                sk_pop_free(headers, mime_hdr_free);
+                if(!ret || (sk_num(parts) != 2) ) {
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BODY_FAILURE);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+
+                /* Parse the signature piece */
+                p7in = (BIO *)sk_value(parts, 1);
+
+                if (!(headers = mime_parse_hdr(p7in))) {
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_SIG_PARSE_ERROR);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+
+                /* Get content type */
+
+                if(!(hdr = mime_hdr_find(headers, "content-type")) ||
+                                                                 !hdr->value) {
+                        sk_pop_free(headers, mime_hdr_free);
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_SIG_CONTENT_TYPE);
+                        return NULL;
+                }
+
+                if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
+                        strcmp(hdr->value, "application/pkcs7-signature")) {
+                        sk_pop_free(headers, mime_hdr_free);
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE);
+                        ERR_add_error_data(2, "type: ", hdr->value);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+                sk_pop_free(headers, mime_hdr_free);
+                /* Read in PKCS#7 */
+                if(!(p7 = B64_read_PKCS7(p7in))) {
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_PKCS7_SIG_PARSE_ERROR);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+
+                if(bcont) {
+                        *bcont = (BIO *)sk_value(parts, 0);
+                        BIO_free(p7in);
+                        sk_free(parts);
+                } else sk_pop_free(parts, (stkfree)BIO_free);
+                return p7;
+        }
+                
+        /* OK, if not multipart/signed try opaque signature */
+
+        if (strcmp (hdr->value, "application/x-pkcs7-mime") &&
+            strcmp (hdr->value, "application/pkcs7-mime")) {
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_INVALID_MIME_TYPE);
+                ERR_add_error_data(2, "type: ", hdr->value);
+                sk_pop_free(headers, mime_hdr_free);
+                return NULL;
+        }
+
+        sk_pop_free(headers, mime_hdr_free);
+        
+        if(!(p7 = B64_read_PKCS7(bio))) {
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_PKCS7_PARSE_ERROR);
+                return NULL;
+        }
+        return p7;
+
+}
+
+/* Copy text from one BIO to another making the output CRLF at EOL */
+int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
+{
+        char eol;
+        int len;
+        char linebuf[MAX_SMLEN];
+        if(flags & PKCS7_BINARY) {
+                while((len = BIO_read(in, linebuf, MAX_SMLEN)) > 0)
+                                                BIO_write(out, linebuf, len);
+                return 1;
+        }
+        if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
+        while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
+                eol = 0;
+                while(iscrlf(linebuf[len - 1])) {
+                        len--;
+                        eol = 1;
+                }       
+                BIO_write(out, linebuf, len);
+                if(eol) BIO_write(out, "\r\n", 2);
+        }
+        return 1;
+}
+
+/* Strip off headers if they are text/plain */
+int SMIME_text(BIO *in, BIO *out)
+{
+        char iobuf[4096];
+        int len;
+        STACK *headers;
+        MIME_HEADER *hdr;
+        if (!(headers = mime_parse_hdr(in))) {
+                PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_MIME_PARSE_ERROR);
+                return 0;
+        }
+        if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
+                PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_MIME_NO_CONTENT_TYPE);
+                sk_pop_free(headers, mime_hdr_free);
+                return 0;
+        }
+        if (strcmp (hdr->value, "text/plain")) {
+                PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_INVALID_MIME_TYPE);
+                ERR_add_error_data(2, "type: ", hdr->value);
+                sk_pop_free(headers, mime_hdr_free);
+                return 0;
+        }
+        sk_pop_free(headers, mime_hdr_free);
+        while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
+                                                BIO_write(out, iobuf, len);
+        return 1;
+}
+
+/* Split a multipart/XXX message body into component parts: result is
+ * canonical parts in a STACK of bios
+ */
+
+static int multi_split(BIO *bio, char *bound, STACK **ret)
+{
+        char linebuf[MAX_SMLEN];
+        int len, blen;
+        BIO *bpart = NULL;
+        STACK *parts;
+        char state, part, first;
+        blen = strlen(bound);
+        part = 0;
+        state = 0;
+        first = 1;
+        parts = sk_new(NULL);
+        *ret = parts;
+        while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
+                state = mime_bound_check(linebuf, len, bound, blen);
+                if(state == 1) {
+                        first = 1;
+                        part++;
+                } else if(state == 2) {
+                        sk_push(parts, (char *)bpart);
+                        return 1;
+                } else if(part) {
+                        if(first) {
+                                first = 0;
+                                if(bpart) sk_push(parts, (char *)bpart);
+                                bpart = BIO_new(BIO_s_mem());
+                                
+                        } else BIO_write(bpart, "\r\n", 2);
+                        /* Strip CR+LF from linebuf */
+                        while(iscrlf(linebuf[len - 1])) len--;
+                        BIO_write(bpart, linebuf, len);
+                }
+        }
+        return 0;
+}
+
+static int iscrlf(char c)
+{
+        if(c == '\r' || c == '\n') return 1;
+        return 0;
+}
+
+/* This is the big one: parse MIME header lines up to message body */
+
+#define MIME_INVALID    0
+#define MIME_START      1
+#define MIME_TYPE       2
+#define MIME_NAME       3
+#define MIME_VALUE      4
+#define MIME_QUOTE      5
+#define MIME_COMMENT    6
+
+
+static STACK *mime_parse_hdr(BIO *bio)
+{
+        char *p, *q, c;
+        char *ntmp;
+        char linebuf[MAX_SMLEN];
+        MIME_HEADER *mhdr = NULL;
+        STACK *headers;
+        int len, state, save_state = 0;
+        headers = sk_new(mime_hdr_cmp);
+        while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
+        /* If whitespace at line start then continuation line */
+        if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
+        else state = MIME_START;
+        ntmp = NULL;
+        /* Go through all characters */
+        for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
+
+        /* State machine to handle MIME headers
+         * if this looks horrible that's because it *is*
+         */
+
+                switch(state) {
+                        case MIME_START:
+                        if(c == ':') {
+                                state = MIME_TYPE;
+                                *p = 0;
+                                ntmp = strip_ends(q);
+                                q = p + 1;
+                        }
+                        break;
+
+                        case MIME_TYPE:
+                        if(c == ';') {
+                                mime_debug("Found End Value\n");
+                                *p = 0;
+                                mhdr = mime_hdr_new(ntmp, strip_ends(q));
+                                sk_push(headers, (char *)mhdr);
+                                ntmp = NULL;
+                                q = p + 1;
+                                state = MIME_NAME;
+                        } else if(c == '(') {
+                                save_state = state;
+                                state = MIME_COMMENT;
+                        }
+                        break;
+
+                        case MIME_COMMENT:
+                        if(c == ')') {
+                                state = save_state;
+                        }
+                        break;
+
+                        case MIME_NAME:
+                        if(c == '=') {
+                                state = MIME_VALUE;
+                                *p = 0;
+                                ntmp = strip_ends(q);
+                                q = p + 1;
+                        }
+                        break ;
+
+                        case MIME_VALUE:
+                        if(c == ';') {
+                                state = MIME_NAME;
+                                *p = 0;
+                                mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
+                                ntmp = NULL;
+                                q = p + 1;
+                        } else if (c == '"') {
+                                mime_debug("Found Quote\n");
+                                state = MIME_QUOTE;
+                        } else if(c == '(') {
+                                save_state = state;
+                                state = MIME_COMMENT;
+                        }
+                        break;
+
+                        case MIME_QUOTE:
+                        if(c == '"') {
+                                mime_debug("Found Match Quote\n");
+                                state = MIME_VALUE;
+                        }
+                        break;
+                }
+        }
+
+        if(state == MIME_TYPE) {
+                mhdr = mime_hdr_new(ntmp, strip_ends(q));
+                sk_push(headers, (char *)mhdr);
+        } else if(state == MIME_VALUE)
+                         mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
+        if(p == linebuf) break; /* Blank line means end of headers */
+}
+
+return headers;
+
+}
+
+static char *strip_ends(char *name)
+{
+        return strip_end(strip_start(name));
+}
+
+/* Strip a parameter of whitespace from start of param */
+static char *strip_start(char *name)
+{
+        char *p, c;
+        /* Look for first non white space or quote */
+        for(p = name; (c = *p) ;p++) {
+                if(c == '"') {
+                        /* Next char is start of string if non null */
+                        if(p[1]) return p + 1;
+                        /* Else null string */
+                        return NULL;
+                }
+                if(!isspace((unsigned char)c)) return p;
+        }
+        return NULL;
+}
+
+/* As above but strip from end of string : maybe should handle brackets? */
+static char *strip_end(char *name)
+{
+        char *p, c;
+        if(!name) return NULL;
+        /* Look for first non white space or quote */
+        for(p = name + strlen(name) - 1; p >= name ;p--) {
+                c = *p;
+                if(c == '"') {
+                        if(p - 1 == name) return NULL;
+                        *p = 0;
+                        return name;
+                }
+                if(isspace((unsigned char)c)) *p = 0;   
+                else return name;
+        }
+        return NULL;
+}
+
+static MIME_HEADER *mime_hdr_new(char *name, char *value)
+{
+        MIME_HEADER *mhdr;
+        char *tmpname, *tmpval, *p;
+        int c;
+        if(name) {
+                if(!(tmpname = BUF_strdup(name))) return NULL;
+                for(p = tmpname ; *p; p++) {
+                        c = *p;
+                        if(isupper(c)) {
+                                c = tolower(c);
+                                *p = c;
+                        }
+                }
+        } else tmpname = NULL;
+        if(value) {
+                if(!(tmpval = BUF_strdup(value))) return NULL;
+                for(p = tmpval ; *p; p++) {
+                        c = *p;
+                        if(isupper(c)) {
+                                c = tolower(c);
+                                *p = c;
+                        }
+                }
+        } else tmpval = NULL;
+        mhdr = (MIME_HEADER *) Malloc(sizeof(MIME_HEADER));
+        if(!mhdr) return NULL;
+        mhdr->name = tmpname;
+        mhdr->value = tmpval;
+        if(!(mhdr->params = sk_new(mime_param_cmp))) return NULL;
+        return mhdr;
+}
+                
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
+{
+        char *tmpname, *tmpval, *p;
+        int c;
+        MIME_PARAM *mparam;
+        if(name) {
+                tmpname = BUF_strdup(name);
+                if(!tmpname) return 0;
+                for(p = tmpname ; *p; p++) {
+                        c = *p;
+                        if(isupper(c)) {
+                                c = tolower(c);
+                                *p = c;
+                        }
+                }
+        } else tmpname = NULL;
+        if(value) {
+                tmpval = BUF_strdup(value);
+                if(!tmpval) return 0;
+        } else tmpval = NULL;
+        /* Parameter values are case sensitive so leave as is */
+        mparam = (MIME_PARAM *) Malloc(sizeof(MIME_PARAM));
+        if(!mparam) return 0;
+        mparam->param_name = tmpname;
+        mparam->param_value = tmpval;
+        sk_push(mhdr->params, (char *)mparam);
+        return 1;
+}
+
+static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b)
+{
+        return(strcmp((*a)->name, (*b)->name));
+}
+
+static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b)
+{
+        return(strcmp((*a)->param_name, (*b)->param_name));
+}
+
+/* Find a header with a given name (if possible) */
+
+static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name)
+{
+        MIME_HEADER htmp;
+        int idx;
+        htmp.name = name;
+        idx = sk_find(hdrs, (char *)&htmp);
+        if(idx < 0) return NULL;
+        return (MIME_HEADER *)sk_value(hdrs, idx);
+}
+
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name)
+{
+        MIME_PARAM param;
+        int idx;
+        param.param_name = name;
+        idx = sk_find(hdr->params, (char *)&param);
+        if(idx < 0) return NULL;
+        return (MIME_PARAM *)sk_value(hdr->params, idx);
+}
+
+static void mime_hdr_free(MIME_HEADER *hdr)
+{
+        if(hdr->name) Free(hdr->name);
+        if(hdr->value) Free(hdr->value);
+        if(hdr->params) sk_pop_free(hdr->params, mime_param_free);
+        Free(hdr);
+}
+
+static void mime_param_free(MIME_PARAM *param)
+{
+        if(param->param_name) Free(param->param_name);
+        if(param->param_value) Free(param->param_value);
+        Free(param);
+}
+
+/* Check for a multipart boundary. Returns:
+ * 0 : no boundary
+ * 1 : part boundary
+ * 2 : final boundary
+ */
+static int mime_bound_check(char *line, int linelen, char *bound, int blen)
+{
+        if(linelen == -1) linelen = strlen(line);
+        if(blen == -1) blen = strlen(bound);
+        /* Quickly eliminate if line length too short */
+        if(blen + 2 > linelen) return 0;
+        /* Check for part boundary */
+        if(!strncmp(line, "--", 2) && !strncmp(line + 2, bound, blen)) {
+                if(!strncmp(line + blen + 2, "--", 2)) return 2;
+                else return 1;
+        }
+        return 0;
+}
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
new file mode 100644
index 0000000000..b41f42ed04
--- /dev/null
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -0,0 +1,427 @@
+/* pk7_smime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Simple PKCS#7 processing functions */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+                                                        BIO *data, int flags)
+{
+        PKCS7 *p7;
+        PKCS7_SIGNER_INFO *si;
+        BIO *p7bio;
+        STACK *smcap;
+        int i;
+
+        if(!X509_check_private_key(signcert, pkey)) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                return NULL;
+        }
+
+        if(!(p7 = PKCS7_new())) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        PKCS7_set_type(p7, NID_pkcs7_signed);
+
+        PKCS7_content_new(p7, NID_pkcs7_data);
+
+        if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
+                return NULL;
+        }
+
+        if(!(flags & PKCS7_NOCERTS)) {
+                PKCS7_add_certificate(p7, signcert);
+                if(certs) for(i = 0; i < sk_X509_num(certs); i++)
+                        PKCS7_add_certificate(p7, sk_X509_value(certs, i));
+        }
+
+        if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+
+        SMIME_crlf_copy(data, p7bio, flags);
+
+        if(!(flags & PKCS7_NOATTR)) {
+                PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
+                                V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
+                /* Add SMIMECapabilities */
+                if(!(smcap = sk_new(NULL))) {
+                        PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+#ifndef NO_DES
+                PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1);
+#endif
+#ifndef NO_RC2
+                PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128);
+                PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64);
+#endif
+#ifndef NO_DES
+                PKCS7_simple_smimecap (smcap, NID_des_cbc, -1);
+#endif
+#ifndef NO_RC2
+                PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40);
+#endif
+                PKCS7_add_attrib_smimecap (si, smcap);
+                sk_pop_free(smcap, X509_ALGOR_free);
+        }
+
+        if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
+
+        if (!PKCS7_dataFinal(p7,p7bio)) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN);
+                return NULL;
+        }
+
+        BIO_free_all(p7bio);
+        return p7;
+}
+
+int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+                                        BIO *indata, BIO *out, int flags)
+{
+        STACK_OF(X509) *signers;
+        X509 *signer;
+        STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+        PKCS7_SIGNER_INFO *si;
+        X509_STORE_CTX cert_ctx;
+        char buf[4096];
+        int i, j=0;
+        BIO *p7bio;
+        BIO *tmpout;
+
+        if(!p7) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
+                return 0;
+        }
+
+        if(!PKCS7_type_is_signed(p7)) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_WRONG_CONTENT_TYPE);
+                return 0;
+        }
+
+        /* Check for no data and no content: no data to verify signature */
+        if(PKCS7_get_detached(p7) && !indata) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_CONTENT);
+                return 0;
+        }
+
+        /* Check for data and content: two sets of data */
+        if(!PKCS7_get_detached(p7) && indata) {
+                                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CONTENT_AND_DATA_PRESENT);
+                return 0;
+        }
+
+        sinfos = PKCS7_get_signer_info(p7);
+
+        if(!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos)) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_SIGNATURES_ON_DATA);
+                return 0;
+        }
+
+
+        signers = PKCS7_get0_signers(p7, certs, flags);
+
+        if(!signers) return 0;
+
+        /* Now verify the certificates */
+
+        if (!(flags & PKCS7_NOVERIFY)) for (i = 0; i < sk_X509_num(signers); i++) {
+                signer = sk_X509_value (signers, i);
+                if (!(flags & PKCS7_NOCHAIN)) {
+                        X509_STORE_CTX_init(&cert_ctx, store, signer,
+                                                        p7->d.sign->cert);
+                        X509_STORE_CTX_set_purpose(&cert_ctx,
+                                                X509_PURPOSE_SMIME_SIGN);
+                } else X509_STORE_CTX_init (&cert_ctx, store, signer, NULL);
+                i = X509_verify_cert(&cert_ctx);
+                if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
+                X509_STORE_CTX_cleanup(&cert_ctx);
+                if (i <= 0) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                         X509_verify_cert_error_string(j));
+                        sk_X509_free(signers);
+                        return 0;
+                }
+                /* Check for revocation status here */
+        }
+
+        p7bio=PKCS7_dataInit(p7,indata);
+
+        if(flags & PKCS7_TEXT) {
+                if(!(tmpout = BIO_new(BIO_s_mem()))) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+        } else tmpout = out;
+
+        /* We now have to 'read' from p7bio to calculate digests etc. */
+        for (;;)
+        {
+                i=BIO_read(p7bio,buf,sizeof(buf));
+                if (i <= 0) break;
+                if (tmpout) BIO_write(tmpout, buf, i);
+        }
+
+        if(flags & PKCS7_TEXT) {
+                if(!SMIME_text(tmpout, out)) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_SMIME_TEXT_ERROR);
+                        BIO_free(tmpout);
+                        goto err;
+                }
+                BIO_free(tmpout);
+        }
+
+        /* Now Verify All Signatures */
+        if (!(flags & PKCS7_NOSIGS))
+            for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
+                {
+                si=sk_PKCS7_SIGNER_INFO_value(sinfos,i);
+                signer = sk_X509_value (signers, i);
+                j=PKCS7_signatureVerify(p7bio,p7,si, signer);
+                if (j <= 0) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_SIGNATURE_FAILURE);
+                        goto err;
+                }
+        }
+
+        sk_X509_free(signers);
+        if(indata) BIO_pop(p7bio);
+        BIO_free_all(p7bio);
+
+        return 1;
+
+        err:
+
+        sk_X509_free(signers);
+        BIO_free(p7bio);
+
+        return 0;
+}
+
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
+{
+        STACK_OF(X509) *signers;
+        STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+        PKCS7_SIGNER_INFO *si;
+        PKCS7_ISSUER_AND_SERIAL *ias;
+        X509 *signer;
+        int i;
+
+        if(!p7) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_INVALID_NULL_POINTER);
+                return NULL;
+        }
+
+        if(!PKCS7_type_is_signed(p7)) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
+                return NULL;
+        }
+        if(!(signers = sk_X509_new(NULL))) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        /* Collect all the signers together */
+
+        sinfos = PKCS7_get_signer_info(p7);
+
+        if(sk_PKCS7_SIGNER_INFO_num(sinfos) <= 0) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_NO_SIGNERS);
+                return 0;
+        }
+
+        for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
+        {
+            si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
+            ias = si->issuer_and_serial;
+            signer = NULL;
+                /* If any certificates passed they take priority */
+            if (certs) signer = X509_find_by_issuer_and_serial (certs,
+                                                ias->issuer, ias->serial);
+            if (!signer && !(flags & PKCS7_NOINTERN)
+                        && p7->d.sign->cert) signer =
+                              X509_find_by_issuer_and_serial (p7->d.sign->cert,
+                                                ias->issuer, ias->serial);
+            if (!signer) {
+                        PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                        sk_X509_free(signers);
+                        return 0;
+            }
+
+            sk_X509_push(signers, signer);
+        }
+        return signers;
+}
+
+
+/* Build a complete PKCS#7 enveloped data */
+
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+                                                                int flags)
+{
+        PKCS7 *p7;
+        BIO *p7bio = NULL;
+        int i;
+        X509 *x509;
+        if(!(p7 = PKCS7_new())) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        PKCS7_set_type(p7, NID_pkcs7_enveloped);
+        if(!PKCS7_set_cipher(p7, cipher)) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_ERROR_SETTING_CIPHER);
+                goto err;
+        }
+
+        for(i = 0; i < sk_X509_num(certs); i++) {
+                x509 = sk_X509_value(certs, i);
+                if(!PKCS7_add_recipient(p7, x509)) {
+                        PKCS7err(PKCS7_F_PKCS7_ENCRYPT,
+                                        PKCS7_R_ERROR_ADDING_RECIPIENT);
+                        goto err;
+                }
+        }
+
+        if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        SMIME_crlf_copy(in, p7bio, flags);
+
+        BIO_flush(p7bio);
+
+        if (!PKCS7_dataFinal(p7,p7bio)) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_PKCS7_DATAFINAL_ERROR);
+                goto err;
+        }
+        BIO_free_all(p7bio);
+
+        return p7;
+
+        err:
+
+        BIO_free(p7bio);
+        PKCS7_free(p7);
+        return NULL;
+
+}
+
+int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
+{
+        BIO *tmpmem;
+        int ret, i;
+        char buf[4096];
+
+        if(!p7) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT,PKCS7_R_INVALID_NULL_POINTER);
+                return 0;
+        }
+
+        if(!PKCS7_type_is_enveloped(p7)) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT,PKCS7_R_WRONG_CONTENT_TYPE);
+                return 0;
+        }
+
+        if(!X509_check_private_key(cert, pkey)) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT,
+                                PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                return 0;
+        }
+
+        if(!(tmpmem = PKCS7_dataDecode(p7, pkey, NULL, cert))) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_DECRYPT_ERROR);
+                return 0;
+        }
+
+        if (flags & PKCS7_TEXT) {
+                BIO *tmpbuf, *bread;
+                /* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */
+                if(!(tmpbuf = BIO_new(BIO_f_buffer()))) {
+                        PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if(!(bread = BIO_push(tmpbuf, tmpmem))) {
+                        PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                ret = SMIME_text(bread, data);
+                BIO_free_all(bread);
+                return ret;
+        } else {
+                for(;;) {
+                        i = BIO_read(tmpmem, buf, sizeof(buf));
+                        if(i <= 0) break;
+                        BIO_write(data, buf, i);
+                }
+                BIO_free_all(tmpmem);
+                return 1;
+        }
+}
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
new file mode 100644
index 0000000000..d1263edf80
--- /dev/null
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -0,0 +1,93 @@
+/* crypto/rand/rand_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA RAND_str_functs[]=
+        {
+{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),        "SSLEAY_RAND_BYTES"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA RAND_str_reasons[]=
+        {
+{RAND_R_PRNG_NOT_SEEDED                  ,"prng not seeded"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_RAND_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
+                ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
new file mode 100644
index 0000000000..34c6d5b968
--- /dev/null
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -0,0 +1,98 @@
+/* crypto/rand/rand_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <time.h>
+#include <openssl/rand.h>
+
+#ifdef NO_RAND
+static RAND_METHOD *rand_meth=NULL;
+#else
+extern RAND_METHOD rand_ssleay_meth;
+static RAND_METHOD *rand_meth= &rand_ssleay_meth;
+#endif
+
+void RAND_set_rand_method(RAND_METHOD *meth)
+        {
+        rand_meth=meth;
+        }
+
+RAND_METHOD *RAND_get_rand_method(void)
+        {
+        return(rand_meth);
+        }
+
+void RAND_cleanup(void)
+        {
+        if (rand_meth != NULL)
+                rand_meth->cleanup();
+        }
+
+void RAND_seed(const void *buf, int num)
+        {
+        if (rand_meth != NULL)
+                rand_meth->seed(buf,num);
+        }
+
+void RAND_bytes(unsigned char *buf, int num)
+        {
+        if (rand_meth != NULL)
+                rand_meth->bytes(buf,num);
+        }
+
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
new file mode 100644
index 0000000000..9571efb755
--- /dev/null
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -0,0 +1,99 @@
+/* crypto/rc2/rc2.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC2_H
+#define HEADER_RC2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC2
+#error RC2 is disabled.
+#endif
+
+#define RC2_ENCRYPT     1
+#define RC2_DECRYPT     0
+
+#include <openssl/opensslconf.h> /* RC2_INT */
+#define RC2_BLOCK       8
+#define RC2_KEY_LENGTH  16
+
+typedef struct rc2_key_st
+        {
+        RC2_INT data[64];
+        } RC2_KEY;
+
+ 
+void RC2_set_key(RC2_KEY *key, int len, unsigned char *data,int bits);
+void RC2_ecb_encrypt(unsigned char *in,unsigned char *out,RC2_KEY *key,
+        int enc);
+void RC2_encrypt(unsigned long *data,RC2_KEY *key);
+void RC2_decrypt(unsigned long *data,RC2_KEY *key);
+void RC2_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+        RC2_KEY *ks, unsigned char *iv, int enc);
+void RC2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        RC2_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void RC2_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        RC2_KEY *schedule, unsigned char *ivec, int *num);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
new file mode 100644
index 0000000000..7418c2a9a2
--- /dev/null
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -0,0 +1,88 @@
+/* crypto/rc4/rc4.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC4_H
+#define HEADER_RC4_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC4
+#error RC4 is disabled.
+#endif
+
+#include <openssl/opensslconf.h> /* RC4_INT */
+
+typedef struct rc4_key_st
+        {
+        RC4_INT x,y;
+        RC4_INT data[256];
+        } RC4_KEY;
+
+ 
+const char *RC4_options(void);
+void RC4_set_key(RC4_KEY *key, int len, unsigned char *data);
+void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
+                unsigned char *outdata);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/rc4/rc4_locl.h b/src/lib/libcrypto/rc4/rc4_locl.h
new file mode 100644
index 0000000000..3bb80b6ce9
--- /dev/null
+++ b/src/lib/libcrypto/rc4/rc4_locl.h
@@ -0,0 +1,4 @@
+#ifndef HEADER_RC4_LOCL_H
+#define HEADER_RC4_LOCL_H
+#include <openssl/opensslconf.h>
+#endif
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
new file mode 100644
index 0000000000..1455a7e0e4
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -0,0 +1,121 @@
+/* rsa_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/asn1t.h>
+
+static ASN1_METHOD method={
+        (int (*)())  i2d_RSAPrivateKey,
+        (char *(*)())d2i_RSAPrivateKey,
+        (char *(*)())RSA_new,
+        (void (*)()) RSA_free};
+
+ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
+        {
+        return(&method);
+        }
+
+/* Override the default free and new methods */
+static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)RSA_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                RSA_free((RSA *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
+        ASN1_SIMPLE(RSA, version, LONG),
+        ASN1_SIMPLE(RSA, n, BIGNUM),
+        ASN1_SIMPLE(RSA, e, BIGNUM),
+        ASN1_SIMPLE(RSA, d, BIGNUM),
+        ASN1_SIMPLE(RSA, p, BIGNUM),
+        ASN1_SIMPLE(RSA, q, BIGNUM),
+        ASN1_SIMPLE(RSA, dmp1, BIGNUM),
+        ASN1_SIMPLE(RSA, dmq1, BIGNUM),
+        ASN1_SIMPLE(RSA, iqmp, BIGNUM)
+} ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
+
+
+ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
+        ASN1_SIMPLE(RSA, n, BIGNUM),
+        ASN1_SIMPLE(RSA, e, BIGNUM),
+} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
+
+RSA *RSAPublicKey_dup(RSA *rsa)
+        {
+        return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
+        }
+
+RSA *RSAPrivateKey_dup(RSA *rsa)
+        {
+        return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
+        }
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
new file mode 100644
index 0000000000..91b9115798
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -0,0 +1,184 @@
+/* crypto/rsa/rsa_chk.c  -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+
+
+int RSA_check_key(RSA *key)
+        {
+        BIGNUM *i, *j, *k, *l, *m;
+        BN_CTX *ctx;
+        int r;
+        int ret=1;
+        
+        i = BN_new();
+        j = BN_new();
+        k = BN_new();
+        l = BN_new();
+        m = BN_new();
+        ctx = BN_CTX_new();
+        if (i == NULL || j == NULL || k == NULL || l == NULL ||
+                m == NULL || ctx == NULL)
+                {
+                ret = -1;
+                RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        
+        /* p prime? */
+        r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
+        if (r != 1)
+                {
+                ret = r;
+                if (r != 0)
+                        goto err;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
+                }
+        
+        /* q prime? */
+        r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
+        if (r != 1)
+                {
+                ret = r;
+                if (r != 0)
+                        goto err;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
+                }
+        
+        /* n = p*q? */
+        r = BN_mul(i, key->p, key->q, ctx);
+        if (!r) { ret = -1; goto err; }
+        
+        if (BN_cmp(i, key->n) != 0)
+                {
+                ret = 0;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
+                }
+        
+        /* d*e = 1  mod lcm(p-1,q-1)? */
+
+        r = BN_sub(i, key->p, BN_value_one());
+        if (!r) { ret = -1; goto err; }
+        r = BN_sub(j, key->q, BN_value_one());
+        if (!r) { ret = -1; goto err; }
+
+        /* now compute k = lcm(i,j) */
+        r = BN_mul(l, i, j, ctx);
+        if (!r) { ret = -1; goto err; }
+        r = BN_gcd(m, i, j, ctx);
+        if (!r) { ret = -1; goto err; }
+        r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
+        if (!r) { ret = -1; goto err; }
+
+        r = BN_mod_mul(i, key->d, key->e, k, ctx);
+        if (!r) { ret = -1; goto err; }
+
+        if (!BN_is_one(i))
+                {
+                ret = 0;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+                }
+        
+        if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
+                {
+                /* dmp1 = d mod (p-1)? */
+                r = BN_sub(i, key->p, BN_value_one());
+                if (!r) { ret = -1; goto err; }
+
+                r = BN_mod(j, key->d, i, ctx);
+                if (!r) { ret = -1; goto err; }
+
+                if (BN_cmp(j, key->dmp1) != 0)
+                        {
+                        ret = 0;
+                        RSAerr(RSA_F_RSA_CHECK_KEY,
+                                RSA_R_DMP1_NOT_CONGRUENT_TO_D);
+                        }
+        
+                /* dmq1 = d mod (q-1)? */    
+                r = BN_sub(i, key->q, BN_value_one());
+                if (!r) { ret = -1; goto err; }
+        
+                r = BN_mod(j, key->d, i, ctx);
+                if (!r) { ret = -1; goto err; }
+
+                if (BN_cmp(j, key->dmq1) != 0)
+                        {
+                        ret = 0;
+                        RSAerr(RSA_F_RSA_CHECK_KEY,
+                                RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
+                        }
+        
+                /* iqmp = q^-1 mod p? */
+                if(!BN_mod_inverse(i, key->q, key->p, ctx))
+                        {
+                        ret = -1;
+                        goto err;
+                        }
+
+                if (BN_cmp(i, key->iqmp) != 0)
+                        {
+                        ret = 0;
+                        RSAerr(RSA_F_RSA_CHECK_KEY,
+                                RSA_R_IQMP_NOT_INVERSE_OF_Q);
+                        }
+                }
+
+ err:
+        if (i != NULL) BN_free(i);
+        if (j != NULL) BN_free(j);
+        if (k != NULL) BN_free(k);
+        if (l != NULL) BN_free(l);
+        if (m != NULL) BN_free(m);
+        if (ctx != NULL) BN_CTX_free(ctx);
+        return (ret);
+        }
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
new file mode 100644
index 0000000000..843c40c864
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -0,0 +1,162 @@
+/* crypto/rsa/rsa_oaep.c */
+/* Written by Ulf Moeller. This software is distributed on an "AS IS"
+   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
+
+/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
+
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
+
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+             unsigned char *from, int flen, unsigned char *param, int plen)
+    {
+    int i, emlen = tlen - 1;
+    unsigned char *db, *seed;
+    unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
+
+    if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+        return (0);
+        }
+
+    if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+        return (0);
+        }
+    
+    dbmask = Malloc(emlen - SHA_DIGEST_LENGTH);
+    if (dbmask == NULL)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+        return (0);
+        }
+
+    to[0] = 0;
+    seed = to + 1;
+    db = to + SHA_DIGEST_LENGTH + 1;
+
+    SHA1(param, plen, db);
+    memset(db + SHA_DIGEST_LENGTH, 0,
+           emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+    db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+    memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+    RAND_bytes(seed, SHA_DIGEST_LENGTH);
+#ifdef PKCS_TESTVECT
+    memcpy(seed,
+           "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
+           20);
+#endif
+
+    MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+        db[i] ^= dbmask[i];
+
+    MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+    for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+        seed[i] ^= seedmask[i];
+
+    Free(dbmask);
+    return (1);
+    }
+
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+             unsigned char *from, int flen, int num, unsigned char *param,
+             int plen)
+    {
+    int i, dblen, mlen = -1;
+    unsigned char *maskeddb;
+    int lzero;
+    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+
+    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+        return (-1);
+        }
+
+    dblen = num - SHA_DIGEST_LENGTH;
+    db = Malloc(dblen);
+    if (db == NULL)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+        return (-1);
+        }
+
+    lzero = num - flen;
+    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
+    
+    MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+    for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
+        seed[i] ^= from[i - lzero];
+  
+    MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < dblen; i++)
+        db[i] ^= maskeddb[i];
+
+    SHA1(param, plen, phash);
+
+    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    else
+        {
+        for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+            if (db[i] != 0x00)
+                break;
+        if (db[i] != 0x01 || i++ >= dblen)
+            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
+                   RSA_R_OAEP_DECODING_ERROR);
+        else
+            {
+            mlen = dblen - i;
+            if (tlen < mlen)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+                mlen = -1;
+                }
+            else
+                memcpy(to, db + i, mlen);
+            }
+        }
+    Free(db);
+    return (mlen);
+    }
+
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
+    {
+    long i, outlen = 0;
+    unsigned char cnt[4];
+    SHA_CTX c;
+    unsigned char md[SHA_DIGEST_LENGTH];
+
+    for (i = 0; outlen < len; i++)
+        {
+        cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
+          cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
+        SHA1_Init(&c);
+        SHA1_Update(&c, seed, seedlen);
+        SHA1_Update(&c, cnt, 4);
+        if (outlen + SHA_DIGEST_LENGTH <= len)
+            {
+            SHA1_Final(mask + outlen, &c);
+            outlen += SHA_DIGEST_LENGTH;
+            }
+        else
+            {
+            SHA1_Final(md, &c);
+            memcpy(mask + outlen, md, len - outlen);
+            outlen = len;
+            }
+        }
+    return (0);
+    }
+#endif
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
new file mode 100644
index 0000000000..38934981e3
--- /dev/null
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -0,0 +1,129 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SAFESTACK_H
+#define HEADER_SAFESTACK_H
+
+#include <openssl/stack.h>
+
+#define STACK_OF(type)  STACK_##type
+
+#define DECLARE_STACK_OF(type) \
+typedef struct stack_st_##type  \
+    { \
+    STACK stack; \
+    } STACK_OF(type); \
+STACK_OF(type) *sk_##type##_new(int (*cmp)(type **,type **)); \
+STACK_OF(type) *sk_##type##_new_null(void); \
+void sk_##type##_free(STACK_OF(type) *sk); \
+int sk_##type##_num(const STACK_OF(type) *sk); \
+type *sk_##type##_value(const STACK_OF(type) *sk,int n); \
+type *sk_##type##_set(STACK_OF(type) *sk,int n,type *v); \
+void sk_##type##_zero(STACK_OF(type) *sk); \
+int sk_##type##_push(STACK_OF(type) *sk,type *v); \
+int sk_##type##_unshift(STACK_OF(type) *sk,type *v); \
+int sk_##type##_find(STACK_OF(type) *sk,type *v); \
+type *sk_##type##_delete(STACK_OF(type) *sk,int n); \
+void sk_##type##_delete_ptr(STACK_OF(type) *sk,type *v); \
+int sk_##type##_insert(STACK_OF(type) *sk,type *v,int n); \
+int (*sk_##type##_set_cmp_func(STACK_OF(type) *sk, \
+                               int (*cmp)(type **,type **)))(type **,type **); \
+STACK_OF(type) *sk_##type##_dup(STACK_OF(type) *sk); \
+void sk_##type##_pop_free(STACK_OF(type) *sk,void (*func)(type *)); \
+type *sk_##type##_shift(STACK_OF(type) *sk); \
+type *sk_##type##_pop(STACK_OF(type) *sk); \
+void sk_##type##_sort(STACK_OF(type) *sk);
+
+#define IMPLEMENT_STACK_OF(type) \
+STACK_OF(type) *sk_##type##_new(int (*cmp)(type **,type **)) \
+    { return (STACK_OF(type) *)sk_new(cmp); } \
+STACK_OF(type) *sk_##type##_new_null() \
+    { return (STACK_OF(type) *)sk_new_null(); } \
+void sk_##type##_free(STACK_OF(type) *sk) \
+    { sk_free((STACK *)sk); } \
+int sk_##type##_num(const STACK_OF(type) *sk) \
+    { return M_sk_num((const STACK *)sk); } \
+type *sk_##type##_value(const STACK_OF(type) *sk,int n) \
+    { return (type *)sk_value((STACK *)sk,n); } \
+type *sk_##type##_set(STACK_OF(type) *sk,int n,type *v) \
+    { return (type *)(sk_set((STACK *)sk,n,(char *)v)); } \
+void sk_##type##_zero(STACK_OF(type) *sk) \
+    { sk_zero((STACK *)sk); } \
+int sk_##type##_push(STACK_OF(type) *sk,type *v) \
+    { return sk_push((STACK *)sk,(char *)v); } \
+int sk_##type##_unshift(STACK_OF(type) *sk,type *v) \
+    { return sk_unshift((STACK *)sk,(char *)v); } \
+int sk_##type##_find(STACK_OF(type) *sk,type *v) \
+    { return sk_find((STACK *)sk,(char *)v); } \
+type *sk_##type##_delete(STACK_OF(type) *sk,int n) \
+    { return (type *)sk_delete((STACK *)sk,n); } \
+void sk_##type##_delete_ptr(STACK_OF(type) *sk,type *v) \
+    { sk_delete_ptr((STACK *)sk,(char *)v); } \
+int sk_##type##_insert(STACK_OF(type) *sk,type *v,int n) \
+    { return sk_insert((STACK *)sk,(char *)v,n); } \
+int (*sk_##type##_set_cmp_func(STACK_OF(type) *sk, \
+                               int (*cmp)(type **,type **)))(type **,type **) \
+    { return (int (*)(type **,type **))sk_set_cmp_func((STACK *)sk,cmp); } \
+STACK_OF(type) *sk_##type##_dup(STACK_OF(type) *sk) \
+    { return (STACK_OF(type) *)sk_dup((STACK *)sk); } \
+void sk_##type##_pop_free(STACK_OF(type) *sk,void (*func)(type *)) \
+    { sk_pop_free((STACK *)sk,func); } \
+type *sk_##type##_shift(STACK_OF(type) *sk) \
+    { return (type *)sk_shift((STACK *)sk); } \
+type *sk_##type##_pop(STACK_OF(type) *sk) \
+    { return (type *)sk_pop((STACK *)sk); } \
+void sk_##type##_sort(STACK_OF(type) *sk) \
+    { sk_sort((STACK *)sk); }
+
+#endif /* ndef HEADER_SAFESTACK_H */
diff --git a/src/lib/libcrypto/ui/ui.h b/src/lib/libcrypto/ui/ui.h
new file mode 100644
index 0000000000..735a2d988e
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui.h
@@ -0,0 +1,387 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_H
+#define HEADER_UI_H
+
+#include <openssl/crypto.h>
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* The UI type is a holder for a specific user interface session.  It can
+   contain an illimited number of informational or error strings as well
+   as things to prompt for, both passwords (noecho mode) and others (echo
+   mode), and verification of the same.  All of these are called strings,
+   and are further described below. */
+typedef struct ui_st UI;
+
+/* All instances of UI have a reference to a method structure, which is a
+   ordered vector of functions that implement the lower level things to do.
+   There is an instruction on the implementation further down, in the section
+   for method implementors. */
+typedef struct ui_method_st UI_METHOD;
+
+
+/* All the following functions return -1 or NULL on error and in some cases
+   (UI_process()) -2 if interrupted or in some other way cancelled.
+   When everything is fine, they return 0, a positive value or a non-NULL
+   pointer, all depending on their purpose. */
+
+/* Creators and destructor.   */
+UI *UI_new(void);
+UI *UI_new_method(const UI_METHOD *method);
+void UI_free(UI *ui);
+
+/* The following functions are used to add strings to be printed and prompt
+   strings to prompt for data.  The names are UI_{add,dup}_<function>_string
+   and UI_{add,dup}_input_boolean.
+
+   UI_{add,dup}_<function>_string have the following meanings:
+        add     add a text or prompt string.  The pointers given to these
+                functions are used verbatim, no copying is done.
+        dup     make a copy of the text or prompt string, then add the copy
+                to the collection of strings in the user interface.
+        <function>
+                The function is a name for the functionality that the given
+                string shall be used for.  It can be one of:
+                        input   use the string as data prompt.
+                        verify  use the string as verification prompt.  This
+                                is used to verify a previous input.
+                        info    use the string for informational output.
+                        error   use the string for error output.
+   Honestly, there's currently no difference between info and error for the
+   moment.
+
+   UI_{add,dup}_input_boolean have the same semantics for "add" and "dup",
+   and are typically used when one wants to prompt for a yes/no response.
+
+
+   All of the functions in this group take a UI and a prompt string.
+   The string input and verify addition functions also take a flag argument,
+   a buffer for the result to end up with, a minimum input size and a maximum
+   input size (the result buffer MUST be large enough to be able to contain
+   the maximum number of characters).  Additionally, the verify addition
+   functions takes another buffer to compare the result against.
+   The boolean input functions take an action description string (which should
+   be safe to ignore if the expected user action is obvious, for example with
+   a dialog box with an OK button and a Cancel button), a string of acceptable
+   characters to mean OK and to mean Cancel.  The two last strings are checked
+   to make sure they don't have common characters.  Additionally, the same
+   flag argument as for the string input is taken, as well as a result buffer.
+   The result buffer is required to be at least one byte long.  Depending on
+   the answer, the first character from the OK or the Cancel character strings
+   will be stored in the first byte of the result buffer.  No NUL will be
+   added, so the result is *not* a string.
+
+   On success, the all return an index of the added information.  That index
+   is usefull when retrieving results with UI_get0_result(). */
+int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+int UI_add_info_string(UI *ui, const char *text);
+int UI_dup_info_string(UI *ui, const char *text);
+int UI_add_error_string(UI *ui, const char *text);
+int UI_dup_error_string(UI *ui, const char *text);
+
+/* These are the possible flags.  They can be or'ed together. */
+/* Use to have echoing of input */
+#define UI_INPUT_FLAG_ECHO              0x01
+/* Use a default password.  Where that password is found is completely
+   up to the application, it might for example be in the user data set
+   with UI_add_user_data().  It is not recommended to have more than
+   one input in each UI being marked with this flag, or the application
+   might get confused. */
+#define UI_INPUT_FLAG_DEFAULT_PWD       0x02
+
+/* The user of these routines may want to define flags of their own.  The core
+   UI won't look at those, but will pass them on to the method routines.  They
+   must use higher bits so they don't get confused with the UI bits above.
+   UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use.  A good
+   example of use is this:
+
+        #define MY_UI_FLAG1     (0x01 << UI_INPUT_FLAG_USER_BASE)
+
+*/
+#define UI_INPUT_FLAG_USER_BASE 16
+
+
+/* The following function helps construct a prompt.  object_desc is a
+   textual short description of the object, for example "pass phrase",
+   and object_name is the name of the object (might be a card name or
+   a file name.
+   The returned string shall always be allocated on the heap with
+   OPENSSL_malloc(), and need to be free'd with OPENSSL_free().
+
+   If the ui_method doesn't contain a pointer to a user-defined prompt
+   constructor, a default string is built, looking like this:
+
+        "Enter {object_desc} for {object_name}:"
+
+   So, if object_desc has the value "pass phrase" and object_name has
+   the value "foo.key", the resulting string is:
+
+        "Enter pass phrase for foo.key:"
+*/
+char *UI_construct_prompt(UI *ui_method,
+        const char *object_desc, const char *object_name);
+
+
+/* The following function is used to store a pointer to user-specific data.
+   Any previous such pointer will be returned and replaced.
+
+   For callback purposes, this function makes a lot more sense than using
+   ex_data, since the latter requires that different parts of OpenSSL or
+   applications share the same ex_data index.
+
+   Note that the UI_OpenSSL() method completely ignores the user data.
+   Other methods may not, however.  */
+void *UI_add_user_data(UI *ui, void *user_data);
+/* We need a user data retrieving function as well.  */
+void *UI_get0_user_data(UI *ui);
+
+/* Return the result associated with a prompt given with the index i. */
+const char *UI_get0_result(UI *ui, int i);
+
+/* When all strings have been added, process the whole thing. */
+int UI_process(UI *ui);
+
+/* Give a user interface parametrised control commands.  This can be used to
+   send down an integer, a data pointer or a function pointer, as well as
+   be used to get information from a UI. */
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)());
+
+/* The commands */
+/* Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the
+   OpenSSL error stack before printing any info or added error messages and
+   before any prompting. */
+#define UI_CTRL_PRINT_ERRORS            1
+/* Check if a UI_process() is possible to do again with the same instance of
+   a user interface.  This makes UI_ctrl() return 1 if it is redoable, and 0
+   if not. */
+#define UI_CTRL_IS_REDOABLE             2
+
+
+/* Some methods may use extra data */
+#define UI_set_app_data(s,arg)         UI_set_ex_data(s,0,arg)
+#define UI_get_app_data(s)             UI_get_ex_data(s,0)
+int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int UI_set_ex_data(UI *r,int idx,void *arg);
+void *UI_get_ex_data(UI *r, int idx);
+
+/* Use specific methods instead of the built-in one */
+void UI_set_default_method(const UI_METHOD *meth);
+const UI_METHOD *UI_get_default_method(void);
+const UI_METHOD *UI_get_method(UI *ui);
+const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth);
+
+/* The method with all the built-in thingies */
+UI_METHOD *UI_OpenSSL(void);
+
+
+/* ---------- For method writers ---------- */
+/* A method contains a number of functions that implement the low level
+   of the User Interface.  The functions are:
+
+        an opener       This function starts a session, maybe by opening
+                        a channel to a tty, or by opening a window.
+        a writer        This function is called to write a given string,
+                        maybe to the tty, maybe as a field label in a
+                        window.
+        a flusher       This function is called to flush everything that
+                        has been output so far.  It can be used to actually
+                        display a dialog box after it has been built.
+        a reader        This function is called to read a given prompt,
+                        maybe from the tty, maybe from a field in a
+                        window.  Note that it's called wth all string
+                        structures, not only the prompt ones, so it must
+                        check such things itself.
+        a closer        This function closes the session, maybe by closing
+                        the channel to the tty, or closing the window.
+
+   All these functions are expected to return:
+
+        0       on error.
+        1       on success.
+        -1      on out-of-band events, for example if some prompting has
+                been canceled (by pressing Ctrl-C, for example).  This is
+                only checked when returned by the flusher or the reader.
+
+   The way this is used, the opener is first called, then the writer for all
+   strings, then the flusher, then the reader for all strings and finally the
+   closer.  Note that if you want to prompt from a terminal or other command
+   line interface, the best is to have the reader also write the prompts
+   instead of having the writer do it.  If you want to prompt from a dialog
+   box, the writer can be used to build up the contents of the box, and the
+   flusher to actually display the box and run the event loop until all data
+   has been given, after which the reader only grabs the given data and puts
+   them back into the UI strings.
+
+   All method functions take a UI as argument.  Additionally, the writer and
+   the reader take a UI_STRING.
+*/
+
+/* The UI_STRING type is the data structure that contains all the needed info
+   about a string or a prompt, including test data for a verification prompt.
+*/
+DECLARE_STACK_OF(UI_STRING)
+typedef struct ui_string_st UI_STRING;
+
+/* The different types of strings that are currently supported.
+   This is only needed by method authors. */
+enum UI_string_types
+        {
+        UIT_NONE=0,
+        UIT_PROMPT,             /* Prompt for a string */
+        UIT_VERIFY,             /* Prompt for a string and verify */
+        UIT_BOOLEAN,            /* Prompt for a yes/no response */
+        UIT_INFO,               /* Send info to the user */
+        UIT_ERROR               /* Send an error message to the user */
+        };
+
+/* Create and manipulate methods */
+UI_METHOD *UI_create_method(char *name);
+void UI_destroy_method(UI_METHOD *ui_method);
+int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui));
+int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis));
+int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui));
+int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis));
+int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui));
+int (*UI_method_get_opener(UI_METHOD *method))(UI*);
+int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*);
+int (*UI_method_get_flusher(UI_METHOD *method))(UI*);
+int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*);
+int (*UI_method_get_closer(UI_METHOD *method))(UI*);
+
+/* The following functions are helpers for method writers to access relevant
+   data from a UI_STRING. */
+
+/* Return type of the UI_STRING */
+enum UI_string_types UI_get_string_type(UI_STRING *uis);
+/* Return input flags of the UI_STRING */
+int UI_get_input_flags(UI_STRING *uis);
+/* Return the actual string to output (the prompt, info or error) */
+const char *UI_get0_output_string(UI_STRING *uis);
+/* Return the optional action string to output (the boolean promtp instruction) */
+const char *UI_get0_action_string(UI_STRING *uis);
+/* Return the result of a prompt */
+const char *UI_get0_result_string(UI_STRING *uis);
+/* Return the string to test the result against.  Only useful with verifies. */
+const char *UI_get0_test_string(UI_STRING *uis);
+/* Return the required minimum size of the result */
+int UI_get_result_minsize(UI_STRING *uis);
+/* Return the required maximum size of the result */
+int UI_get_result_maxsize(UI_STRING *uis);
+/* Set the result of a UI_STRING. */
+int UI_set_result(UI *ui, UI_STRING *uis, const char *result);
+
+
+/* A couple of popular utility functions */
+int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify);
+int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_UI_strings(void);
+
+/* Error codes for the UI functions. */
+
+/* Function codes. */
+#define UI_F_GENERAL_ALLOCATE_BOOLEAN                    108
+#define UI_F_GENERAL_ALLOCATE_PROMPT                     109
+#define UI_F_GENERAL_ALLOCATE_STRING                     100
+#define UI_F_UI_CTRL                                     111
+#define UI_F_UI_DUP_ERROR_STRING                         101
+#define UI_F_UI_DUP_INFO_STRING                          102
+#define UI_F_UI_DUP_INPUT_BOOLEAN                        110
+#define UI_F_UI_DUP_INPUT_STRING                         103
+#define UI_F_UI_DUP_VERIFY_STRING                        106
+#define UI_F_UI_GET0_RESULT                              107
+#define UI_F_UI_NEW_METHOD                               104
+#define UI_F_UI_SET_RESULT                               105
+
+/* Reason codes. */
+#define UI_R_COMMON_OK_AND_CANCEL_CHARACTERS             104
+#define UI_R_INDEX_TOO_LARGE                             102
+#define UI_R_INDEX_TOO_SMALL                             103
+#define UI_R_NO_RESULT_BUFFER                            105
+#define UI_R_RESULT_TOO_LARGE                            100
+#define UI_R_RESULT_TOO_SMALL                            101
+#define UI_R_UNKNOWN_CONTROL_COMMAND                     106
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ui/ui_compat.h b/src/lib/libcrypto/ui/ui_compat.h
new file mode 100644
index 0000000000..b35c9bb7fd
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_compat.h
@@ -0,0 +1,83 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_COMPAT_H
+#define HEADER_UI_COMPAT_H
+
+#include <openssl/opensslconf.h>
+#include <openssl/ui.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* The following functions were previously part of the DES section,
+   and are provided here for backward compatibility reasons. */
+
+#define des_read_pw_string(b,l,p,v) \
+        _ossl_old_des_read_pw_string((b),(l),(p),(v))
+#define des_read_pw(b,bf,s,p,v) \
+        _ossl_old_des_read_pw((b),(bf),(s),(p),(v))
+
+int _ossl_old_des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+int _ossl_old_des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ui/ui_err.c b/src/lib/libcrypto/ui/ui_err.c
new file mode 100644
index 0000000000..39a62ae737
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_err.c
@@ -0,0 +1,111 @@
+/* crypto/ui/ui_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ui.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA UI_str_functs[]=
+        {
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0),   "GENERAL_ALLOCATE_BOOLEAN"},
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0),    "GENERAL_ALLOCATE_PROMPT"},
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0),    "GENERAL_ALLOCATE_STRING"},
+{ERR_PACK(0,UI_F_UI_CTRL,0),    "UI_ctrl"},
+{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0),        "UI_dup_error_string"},
+{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0), "UI_dup_info_string"},
+{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0),       "UI_dup_input_boolean"},
+{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0),        "UI_dup_input_string"},
+{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0),       "UI_dup_verify_string"},
+{ERR_PACK(0,UI_F_UI_GET0_RESULT,0),     "UI_get0_result"},
+{ERR_PACK(0,UI_F_UI_NEW_METHOD,0),      "UI_new_method"},
+{ERR_PACK(0,UI_F_UI_SET_RESULT,0),      "UI_set_result"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA UI_str_reasons[]=
+        {
+{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS    ,"common ok and cancel characters"},
+{UI_R_INDEX_TOO_LARGE                    ,"index too large"},
+{UI_R_INDEX_TOO_SMALL                    ,"index too small"},
+{UI_R_NO_RESULT_BUFFER                   ,"no result buffer"},
+{UI_R_RESULT_TOO_LARGE                   ,"result too large"},
+{UI_R_RESULT_TOO_SMALL                   ,"result too small"},
+{UI_R_UNKNOWN_CONTROL_COMMAND            ,"unknown control command"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_UI_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_UI,UI_str_functs);
+                ERR_load_strings(ERR_LIB_UI,UI_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c
new file mode 100644
index 0000000000..16946cad95
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_lib.c
@@ -0,0 +1,899 @@
+/* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/e_os2.h>
+#include <openssl/buffer.h>
+#include <openssl/ui.h>
+#include <openssl/err.h>
+#include "ui_locl.h"
+
+IMPLEMENT_STACK_OF(UI_STRING_ST)
+
+static const UI_METHOD *default_UI_meth=NULL;
+
+UI *UI_new(void)
+        {
+        return(UI_new_method(NULL));
+        }
+
+UI *UI_new_method(const UI_METHOD *method)
+        {
+        UI *ret;
+
+        ret=(UI *)OPENSSL_malloc(sizeof(UI));
+        if (ret == NULL)
+                {
+                UIerr(UI_F_UI_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        if (method == NULL)
+                ret->meth=UI_get_default_method();
+        else
+                ret->meth=method;
+
+        ret->strings=NULL;
+        ret->user_data=NULL;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data);
+        return ret;
+        }
+
+static void free_string(UI_STRING *uis)
+        {
+        if (uis->flags & OUT_STRING_FREEABLE)
+                {
+                OPENSSL_free((char *)uis->out_string);
+                switch(uis->type)
+                        {
+                case UIT_BOOLEAN:
+                        OPENSSL_free((char *)uis->_.boolean_data.action_desc);
+                        OPENSSL_free((char *)uis->_.boolean_data.ok_chars);
+                        OPENSSL_free((char *)uis->_.boolean_data.cancel_chars);
+                        break;
+                default:
+                        break;
+                        }
+                }
+        OPENSSL_free(uis);
+        }
+
+void UI_free(UI *ui)
+        {
+        if (ui == NULL)
+                return;
+        sk_UI_STRING_pop_free(ui->strings,free_string);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_UI, ui, &ui->ex_data);
+        OPENSSL_free(ui);
+        }
+
+static int allocate_string_stack(UI *ui)
+        {
+        if (ui->strings == NULL)
+                {
+                ui->strings=sk_UI_STRING_new_null();
+                if (ui->strings == NULL)
+                        {
+                        return -1;
+                        }
+                }
+        return 0;
+        }
+
+static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf)
+        {
+        UI_STRING *ret = NULL;
+
+        if (prompt == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else if (result_buf == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER);
+                }
+        else if ((ret = (UI_STRING *)OPENSSL_malloc(sizeof(UI_STRING))))
+                {
+                ret->out_string=prompt;
+                ret->flags=prompt_freeable ? OUT_STRING_FREEABLE : 0;
+                ret->input_flags=input_flags;
+                ret->type=type;
+                ret->result_buf=result_buf;
+                }
+        return ret;
+        }
+
+static int general_allocate_string(UI *ui, const char *prompt,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        int ret = -1;
+        UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable,
+                type, input_flags, result_buf);
+
+        if (s)
+                {
+                if (allocate_string_stack(ui) >= 0)
+                        {
+                        s->_.string_data.result_minsize=minsize;
+                        s->_.string_data.result_maxsize=maxsize;
+                        s->_.string_data.test_buf=test_buf;
+                        ret=sk_UI_STRING_push(ui->strings, s);
+                        /* sk_push() returns 0 on error.  Let's addapt that */
+                        if (ret <= 0) ret--;
+                        }
+                else
+                        free_string(s);
+                }
+        return ret;
+        }
+
+static int general_allocate_boolean(UI *ui,
+        const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf)
+        {
+        int ret = -1;
+        UI_STRING *s;
+        const char *p;
+
+        if (ok_chars == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else if (cancel_chars == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else
+                {
+                for(p = ok_chars; *p; p++)
+                        {
+                        if (strchr(cancel_chars, *p))
+                                {
+                                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,
+                                        UI_R_COMMON_OK_AND_CANCEL_CHARACTERS);
+                                }
+                        }
+
+                s = general_allocate_prompt(ui, prompt, prompt_freeable,
+                        type, input_flags, result_buf);
+
+                if (s)
+                        {
+                        if (allocate_string_stack(ui) >= 0)
+                                {
+                                s->_.boolean_data.action_desc = action_desc;
+                                s->_.boolean_data.ok_chars = ok_chars;
+                                s->_.boolean_data.cancel_chars = cancel_chars;
+                                ret=sk_UI_STRING_push(ui->strings, s);
+                                /* sk_push() returns 0 on error.
+                                   Let's addapt that */
+                                if (ret <= 0) ret--;
+                                }
+                        else
+                                free_string(s);
+                        }
+                }
+        return ret;
+        }
+
+/* Returns the index to the place in the stack or 0 for error.  Uses a
+   direct reference to the prompt.  */
+int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize)
+        {
+        return general_allocate_string(ui, prompt, 0,
+                UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL);
+        }
+
+/* Same as UI_add_input_string(), excepts it takes a copy of the prompt */
+int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize)
+        {
+        char *prompt_copy=NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_STRING,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                }
+        
+        return general_allocate_string(ui, prompt_copy, 1,
+                UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL);
+        }
+
+int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        return general_allocate_string(ui, prompt, 0,
+                UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf);
+        }
+
+int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        char *prompt_copy=NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_VERIFY_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+        
+        return general_allocate_string(ui, prompt_copy, 1,
+                UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf);
+        }
+
+int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf)
+        {
+        return general_allocate_boolean(ui, prompt, action_desc,
+                ok_chars, cancel_chars, 0, UIT_BOOLEAN, flags, result_buf);
+        }
+
+int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf)
+        {
+        char *prompt_copy = NULL;
+        char *action_desc_copy = NULL;
+        char *ok_chars_copy = NULL;
+        char *cancel_chars_copy = NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (action_desc)
+                {
+                action_desc_copy=BUF_strdup(action_desc);
+                if (action_desc_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (ok_chars)
+                {
+                ok_chars_copy=BUF_strdup(ok_chars);
+                if (ok_chars_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (cancel_chars)
+                {
+                cancel_chars_copy=BUF_strdup(cancel_chars);
+                if (cancel_chars_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        return general_allocate_boolean(ui, prompt_copy, action_desc_copy,
+                ok_chars_copy, cancel_chars_copy, 1, UIT_BOOLEAN, flags,
+                result_buf);
+ err:
+        if (prompt_copy) OPENSSL_free(prompt_copy);
+        if (action_desc_copy) OPENSSL_free(action_desc_copy);
+        if (ok_chars_copy) OPENSSL_free(ok_chars_copy);
+        if (cancel_chars_copy) OPENSSL_free(cancel_chars_copy);
+        return -1;
+        }
+
+int UI_add_info_string(UI *ui, const char *text)
+        {
+        return general_allocate_string(ui, text, 0, UIT_INFO, 0, NULL, 0, 0,
+                NULL);
+        }
+
+int UI_dup_info_string(UI *ui, const char *text)
+        {
+        char *text_copy=NULL;
+
+        if (text)
+                {
+                text_copy=BUF_strdup(text);
+                if (text_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INFO_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+
+        return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL,
+                0, 0, NULL);
+        }
+
+int UI_add_error_string(UI *ui, const char *text)
+        {
+        return general_allocate_string(ui, text, 0, UIT_ERROR, 0, NULL, 0, 0,
+                NULL);
+        }
+
+int UI_dup_error_string(UI *ui, const char *text)
+        {
+        char *text_copy=NULL;
+
+        if (text)
+                {
+                text_copy=BUF_strdup(text);
+                if (text_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_ERROR_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+        return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL,
+                0, 0, NULL);
+        }
+
+char *UI_construct_prompt(UI *ui, const char *object_desc,
+        const char *object_name)
+        {
+        char *prompt = NULL;
+
+        if (ui->meth->ui_construct_prompt)
+                prompt = ui->meth->ui_construct_prompt(ui,
+                        object_desc, object_name);
+        else
+                {
+                char prompt1[] = "Enter ";
+                char prompt2[] = " for ";
+                char prompt3[] = ":";
+                int len = 0;
+
+                if (object_desc == NULL)
+                        return NULL;
+                len = sizeof(prompt1) - 1 + strlen(object_desc);
+                if (object_name)
+                        len += sizeof(prompt2) - 1 + strlen(object_name);
+                len += sizeof(prompt3) - 1;
+
+                prompt = (char *)OPENSSL_malloc(len + 1);
+                strcpy(prompt, prompt1);
+                strcat(prompt, object_desc);
+                if (object_name)
+                        {
+                        strcat(prompt, prompt2);
+                        strcat(prompt, object_name);
+                        }
+                strcat(prompt, prompt3);
+                }
+        return prompt;
+        }
+
+void *UI_add_user_data(UI *ui, void *user_data)
+        {
+        void *old_data = ui->user_data;
+        ui->user_data = user_data;
+        return old_data;
+        }
+
+void *UI_get0_user_data(UI *ui)
+        {
+        return ui->user_data;
+        }
+
+const char *UI_get0_result(UI *ui, int i)
+        {
+        if (i < 0)
+                {
+                UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_SMALL);
+                return NULL;
+                }
+        if (i >= sk_UI_STRING_num(ui->strings))
+                {
+                UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_LARGE);
+                return NULL;
+                }
+        return UI_get0_result_string(sk_UI_STRING_value(ui->strings, i));
+        }
+
+static int print_error(const char *str, size_t len, UI *ui)
+        {
+        UI_STRING uis;
+
+        memset(&uis, 0, sizeof(uis));
+        uis.type = UIT_ERROR;
+        uis.out_string = str;
+
+        if (ui->meth->ui_write_string
+                && !ui->meth->ui_write_string(ui, &uis))
+                return -1;
+        return 0;
+        }
+
+int UI_process(UI *ui)
+        {
+        int i, ok=0;
+
+        if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui))
+                return -1;
+
+        if (ui->flags & UI_FLAG_PRINT_ERRORS)
+                ERR_print_errors_cb(
+                        (int (*)(const char *, size_t, void *))print_error,
+                        (void *)ui);
+
+        for(i=0; i<sk_UI_STRING_num(ui->strings); i++)
+                {
+                if (ui->meth->ui_write_string
+                        && !ui->meth->ui_write_string(ui,
+                                sk_UI_STRING_value(ui->strings, i)))
+                        {
+                        ok=-1;
+                        goto err;
+                        }
+                }
+
+        if (ui->meth->ui_flush)
+                switch(ui->meth->ui_flush(ui))
+                        {
+                case -1: /* Interrupt/Cancel/something... */
+                        ok = -2;
+                        goto err;
+                case 0: /* Errors */
+                        ok = -1;
+                        goto err;
+                default: /* Success */
+                        ok = 0;
+                        break;
+                        }
+
+        for(i=0; i<sk_UI_STRING_num(ui->strings); i++)
+                {
+                if (ui->meth->ui_read_string)
+                        {
+                        switch(ui->meth->ui_read_string(ui,
+                                sk_UI_STRING_value(ui->strings, i)))
+                                {
+                        case -1: /* Interrupt/Cancel/something... */
+                                ok = -2;
+                                goto err;
+                        case 0: /* Errors */
+                                ok = -1;
+                                goto err;
+                        default: /* Success */
+                                ok = 0;
+                                break;
+                                }
+                        }
+                }
+ err:
+        if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui))
+                return -1;
+        return ok;
+        }
+
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)())
+        {
+        if (ui == NULL)
+                {
+                UIerr(UI_F_UI_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return -1;
+                }
+        switch(cmd)
+                {
+        case UI_CTRL_PRINT_ERRORS:
+                {
+                int save_flag = !!(ui->flags & UI_FLAG_PRINT_ERRORS);
+                if (i)
+                        ui->flags |= UI_FLAG_PRINT_ERRORS;
+                else
+                        ui->flags &= ~UI_FLAG_PRINT_ERRORS;
+                return save_flag;
+                }
+        case UI_CTRL_IS_REDOABLE:
+                return !!(ui->flags & UI_FLAG_REDOABLE);
+        default:
+                break;
+                }
+        UIerr(UI_F_UI_CTRL,UI_R_UNKNOWN_CONTROL_COMMAND);
+        return -1;
+        }
+
+int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, argl, argp,
+                                new_func, dup_func, free_func);
+        }
+
+int UI_set_ex_data(UI *r, int idx, void *arg)
+        {
+        return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
+        }
+
+void *UI_get_ex_data(UI *r, int idx)
+        {
+        return(CRYPTO_get_ex_data(&r->ex_data,idx));
+        }
+
+void UI_set_default_method(const UI_METHOD *meth)
+        {
+        default_UI_meth=meth;
+        }
+
+const UI_METHOD *UI_get_default_method(void)
+        {
+        if (default_UI_meth == NULL)
+                {
+                default_UI_meth=UI_OpenSSL();
+                }
+        return default_UI_meth;
+        }
+
+const UI_METHOD *UI_get_method(UI *ui)
+        {
+        return ui->meth;
+        }
+
+const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth)
+        {
+        ui->meth=meth;
+        return ui->meth;
+        }
+
+
+UI_METHOD *UI_create_method(char *name)
+        {
+        UI_METHOD *ui_method = (UI_METHOD *)OPENSSL_malloc(sizeof(UI_METHOD));
+
+        if (ui_method)
+                memset(ui_method, 0, sizeof(*ui_method));
+        ui_method->name = BUF_strdup(name);
+        return ui_method;
+        }
+
+/* BIG FSCKING WARNING!!!!  If you use this on a statically allocated method
+   (that is, it hasn't been allocated using UI_create_method(), you deserve
+   anything Murphy can throw at you and more!  You have been warned. */
+void UI_destroy_method(UI_METHOD *ui_method)
+        {
+        OPENSSL_free(ui_method->name);
+        ui_method->name = NULL;
+        OPENSSL_free(ui_method);
+        }
+
+int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_open_session = opener;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis))
+        {
+        if (method)
+                {
+                method->ui_write_string = writer;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_flush = flusher;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis))
+        {
+        if (method)
+                {
+                method->ui_read_string = reader;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_close_session = closer;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int (*UI_method_get_opener(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_open_session;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*)
+        {
+        if (method)
+                return method->ui_write_string;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_flusher(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_flush;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*)
+        {
+        if (method)
+                return method->ui_read_string;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_closer(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_close_session;
+        else
+                return NULL;
+        }
+
+enum UI_string_types UI_get_string_type(UI_STRING *uis)
+        {
+        if (!uis)
+                return UIT_NONE;
+        return uis->type;
+        }
+
+int UI_get_input_flags(UI_STRING *uis)
+        {
+        if (!uis)
+                return 0;
+        return uis->input_flags;
+        }
+
+const char *UI_get0_output_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        return uis->out_string;
+        }
+
+const char *UI_get0_action_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_BOOLEAN:
+                return uis->_.boolean_data.action_desc;
+        default:
+                return NULL;
+                }
+        }
+
+const char *UI_get0_result_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->result_buf;
+        default:
+                return NULL;
+                }
+        }
+
+const char *UI_get0_test_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_VERIFY:
+                return uis->_.string_data.test_buf;
+        default:
+                return NULL;
+                }
+        }
+
+int UI_get_result_minsize(UI_STRING *uis)
+        {
+        if (!uis)
+                return -1;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->_.string_data.result_minsize;
+        default:
+                return -1;
+                }
+        }
+
+int UI_get_result_maxsize(UI_STRING *uis)
+        {
+        if (!uis)
+                return -1;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->_.string_data.result_maxsize;
+        default:
+                return -1;
+                }
+        }
+
+int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
+        {
+        int l = strlen(result);
+
+        ui->flags &= ~UI_FLAG_REDOABLE;
+
+        if (!uis)
+                return -1;
+        switch (uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                {
+                char number1[20];
+                char number2[20];
+
+                BIO_snprintf(number1, sizeof(number1), "%d",
+                        uis->_.string_data.result_minsize);
+                BIO_snprintf(number2, sizeof(number2), "%d",
+                        uis->_.string_data.result_maxsize);
+
+                if (l < uis->_.string_data.result_minsize)
+                        {
+                        ui->flags |= UI_FLAG_REDOABLE;
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_SMALL);
+                        ERR_add_error_data(5,"You must type in ",
+                                number1," to ",number2," characters");
+                        return -1;
+                        }
+                if (l > uis->_.string_data.result_maxsize)
+                        {
+                        ui->flags |= UI_FLAG_REDOABLE;
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_LARGE);
+                        ERR_add_error_data(5,"You must type in ",
+                                number1," to ",number2," characters");
+                        return -1;
+                        }
+                }
+
+                if (!uis->result_buf)
+                        {
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER);
+                        return -1;
+                        }
+
+                strcpy(uis->result_buf, result);
+                break;
+        case UIT_BOOLEAN:
+                {
+                const char *p;
+
+                if (!uis->result_buf)
+                        {
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER);
+                        return -1;
+                        }
+
+                uis->result_buf[0] = '\0';
+                for(p = result; *p; p++)
+                        {
+                        if (strchr(uis->_.boolean_data.ok_chars, *p))
+                                {
+                                uis->result_buf[0] =
+                                        uis->_.boolean_data.ok_chars[0];
+                                break;
+                                }
+                        if (strchr(uis->_.boolean_data.cancel_chars, *p))
+                                {
+                                uis->result_buf[0] =
+                                        uis->_.boolean_data.cancel_chars[0];
+                                break;
+                                }
+                        }
+        default:
+                break;
+                }
+                }
+        return 0;
+        }
diff --git a/src/lib/libcrypto/ui/ui_locl.h b/src/lib/libcrypto/ui/ui_locl.h
new file mode 100644
index 0000000000..7d3a75a619
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_locl.h
@@ -0,0 +1,148 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_LOCL_H
+#define HEADER_UI_LOCL_H
+
+#include <openssl/ui.h>
+
+struct ui_method_st
+        {
+        char *name;
+
+        /* All the functions return 1 or non-NULL for success and 0 or NULL
+           for failure */
+
+        /* Open whatever channel for this, be it the console, an X window
+           or whatever.
+           This function should use the ex_data structure to save
+           intermediate data. */
+        int (*ui_open_session)(UI *ui);
+
+        int (*ui_write_string)(UI *ui, UI_STRING *uis);
+
+        /* Flush the output.  If a GUI dialog box is used, this function can
+           be used to actually display it. */
+        int (*ui_flush)(UI *ui);
+
+        int (*ui_read_string)(UI *ui, UI_STRING *uis);
+
+        int (*ui_close_session)(UI *ui);
+
+        /* Construct a prompt in a user-defined manner.  object_desc is a
+           textual short description of the object, for example "pass phrase",
+           and object_name is the name of the object (might be a card name or
+           a file name.
+           The returned string shall always be allocated on the heap with
+           OPENSSL_malloc(), and need to be free'd with OPENSSL_free(). */
+        char *(*ui_construct_prompt)(UI *ui, const char *object_desc,
+                const char *object_name);
+        };
+
+struct ui_string_st
+        {
+        enum UI_string_types type; /* Input */
+        const char *out_string; /* Input */
+        int input_flags;        /* Flags from the user */
+
+        /* The following parameters are completely irrelevant for UIT_INFO,
+           and can therefore be set to 0 or NULL */
+        char *result_buf;       /* Input and Output: If not NULL, user-defined
+                                   with size in result_maxsize.  Otherwise, it
+                                   may be allocated by the UI routine, meaning
+                                   result_minsize is going to be overwritten.*/
+        union
+                {
+                struct
+                        {
+                        int result_minsize;     /* Input: minimum required
+                                                   size of the result.
+                                                */
+                        int result_maxsize;     /* Input: maximum permitted
+                                                   size of the result */
+
+                        const char *test_buf;   /* Input: test string to verify
+                                                   against */
+                        } string_data;
+                struct
+                        {
+                        const char *action_desc; /* Input */
+                        const char *ok_chars; /* Input */
+                        const char *cancel_chars; /* Input */
+                        } boolean_data;
+                } _;
+
+#define OUT_STRING_FREEABLE 0x01
+        int flags;              /* flags for internal use */
+        };
+
+struct ui_st
+        {
+        const UI_METHOD *meth;
+        STACK_OF(UI_STRING) *strings; /* We might want to prompt for more
+                                         than one thing at a time, and
+                                         with different echoing status.  */
+        void *user_data;
+        CRYPTO_EX_DATA ex_data;
+
+#define UI_FLAG_REDOABLE        0x0001
+#define UI_FLAG_PRINT_ERRORS    0x0100
+        int flags;
+        };
+
+#endif
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
new file mode 100644
index 0000000000..3aa03f74aa
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -0,0 +1,661 @@
+/* crypto/ui/ui_openssl.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) and others
+ * for the OpenSSL project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* The lowest level part of this file was previously in crypto/des/read_pwd.c,
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+
+#include <openssl/e_os2.h>
+
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
+# ifdef OPENSSL_UNISTD
+#  include OPENSSL_UNISTD
+# else
+#  include <unistd.h>
+# endif
+/* If unistd.h defines _POSIX_VERSION, we conclude that we
+ * are on a POSIX system and have sigaction and termios. */
+# if defined(_POSIX_VERSION)
+
+#  define SIGACTION
+#  if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
+#   define TERMIOS
+#  endif
+
+# endif
+#endif
+
+#ifdef WIN16TTY
+# undef OPENSSL_SYS_WIN16
+# undef WIN16
+# undef _WINDOWS
+# include <graph.h>
+#endif
+
+/* 06-Apr-92 Luke Brennan    Support for VMS */
+#include "ui_locl.h"
+#include "cryptlib.h"
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+#ifdef OPENSSL_SYS_VMS          /* prototypes for sys$whatever */
+# include <starlet.h>
+# ifdef __DECC
+#  pragma message disable DOLLARID
+# endif
+#endif
+
+#ifdef WIN_CONSOLE_BUG
+# include <windows.h>
+# include <wincon.h>
+#endif
+
+
+/* There are 5 types of terminal interface supported,
+ * TERMIO, TERMIOS, VMS, MSDOS and SGTTY
+ */
+
+#if defined(__sgi) && !defined(TERMIOS)
+# define TERMIOS
+# undef  TERMIO
+# undef  SGTTY
+#endif
+
+#if defined(linux) && !defined(TERMIO)
+# undef  TERMIOS
+# define TERMIO
+# undef  SGTTY
+#endif
+
+#ifdef _LIBC
+# undef  TERMIOS
+# define TERMIO
+# undef  SGTTY
+#endif
+
+#if !defined(TERMIO) && !defined(TERMIOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(MAC_OS_GUSI_SOURCE)
+# undef  TERMIOS
+# undef  TERMIO
+# define SGTTY
+#endif
+
+#if defined(OPENSSL_SYS_VSWORKS)
+#undef TERMIOS
+#undef TERMIO
+#undef SGTTY
+#endif
+
+#ifdef TERMIOS
+# include <termios.h>
+# define TTY_STRUCT             struct termios
+# define TTY_FLAGS              c_lflag
+# define TTY_get(tty,data)      tcgetattr(tty,data)
+# define TTY_set(tty,data)      tcsetattr(tty,TCSANOW,data)
+#endif
+
+#ifdef TERMIO
+# include <termio.h>
+# define TTY_STRUCT             struct termio
+# define TTY_FLAGS              c_lflag
+# define TTY_get(tty,data)      ioctl(tty,TCGETA,data)
+# define TTY_set(tty,data)      ioctl(tty,TCSETA,data)
+#endif
+
+#ifdef SGTTY
+# include <sgtty.h>
+# define TTY_STRUCT             struct sgttyb
+# define TTY_FLAGS              sg_flags
+# define TTY_get(tty,data)      ioctl(tty,TIOCGETP,data)
+# define TTY_set(tty,data)      ioctl(tty,TIOCSETP,data)
+#endif
+
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+# include <sys/ioctl.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+# include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+# include <ssdef.h>
+# include <iodef.h>
+# include <ttdef.h>
+# include <descrip.h>
+struct IOSB {
+        short iosb$w_value;
+        short iosb$w_count;
+        long  iosb$l_info;
+        };
+#endif
+
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE)
+/*
+ * This one needs work. As a matter of fact the code is unoperational
+ * and this is only a trick to get it compiled.
+ *                                      <appro@fy.chalmers.se>
+ */
+# define TTY_STRUCT int
+#endif
+
+#ifndef NX509_SIG
+# define NX509_SIG 32
+#endif
+
+
+/* Define globals.  They are protected by a lock */
+#ifdef SIGACTION
+static struct sigaction savsig[NX509_SIG];
+#else
+static void (*savsig[NX509_SIG])(int );
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+static struct IOSB iosb;
+static $DESCRIPTOR(terminal,"TT");
+static long tty_orig[3], tty_new[3]; /* XXX   Is there any guarantee that this will always suffice for the actual structures? */
+static long status;
+static unsigned short channel = 0;
+#else
+#ifndef OPENSSL_SYS_MSDOS
+static TTY_STRUCT tty_orig,tty_new;
+#endif
+#endif
+static FILE *tty_in, *tty_out;
+static int is_a_tty;
+
+/* Declare static functions */
+static void read_till_nl(FILE *);
+static void recsig(int);
+static void pushsig(void);
+static void popsig(void);
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty);
+#endif
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl);
+
+static int read_string(UI *ui, UI_STRING *uis);
+static int write_string(UI *ui, UI_STRING *uis);
+
+static int open_console(UI *ui);
+static int echo_console(UI *ui);
+static int noecho_console(UI *ui);
+static int close_console(UI *ui);
+
+static UI_METHOD ui_openssl =
+        {
+        "OpenSSL default user interface",
+        open_console,
+        write_string,
+        NULL,                   /* No flusher is needed for command lines */
+        read_string,
+        close_console,
+        NULL
+        };
+
+/* The method with all the built-in thingies */
+UI_METHOD *UI_OpenSSL(void)
+        {
+        return &ui_openssl;
+        }
+
+/* The following function makes sure that info and error strings are printed
+   before any prompt. */
+static int write_string(UI *ui, UI_STRING *uis)
+        {
+        switch (UI_get_string_type(uis))
+                {
+        case UIT_ERROR:
+        case UIT_INFO:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fflush(tty_out);
+                break;
+        default:
+                break;
+                }
+        return 1;
+        }
+
+static int read_string(UI *ui, UI_STRING *uis)
+        {
+        int ok = 0;
+
+        switch (UI_get_string_type(uis))
+                {
+        case UIT_BOOLEAN:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fputs(UI_get0_action_string(uis), tty_out);
+                fflush(tty_out);
+                return read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 0);
+        case UIT_PROMPT:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fflush(tty_out);
+                return read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1);
+        case UIT_VERIFY:
+                fprintf(tty_out,"Verifying - %s",
+                        UI_get0_output_string(uis));
+                fflush(tty_out);
+                if ((ok = read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1)) <= 0)
+                        return ok;
+                if (strcmp(UI_get0_result_string(uis),
+                        UI_get0_test_string(uis)) != 0)
+                        {
+                        fprintf(tty_out,"Verify failure\n");
+                        fflush(tty_out);
+                        return 0;
+                        }
+                break;
+        default:
+                break;
+                }
+        return 1;
+        }
+
+
+/* Internal functions to read a string without echoing */
+static void read_till_nl(FILE *in)
+        {
+#define SIZE 4
+        char buf[SIZE+1];
+
+        do      {
+                fgets(buf,SIZE,in);
+                } while (strchr(buf,'\n') == NULL);
+        }
+
+static sig_atomic_t intr_signal;
+
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
+        {
+        static int ps;
+        int ok;
+        char result[BUFSIZ];
+        int maxsize = BUFSIZ-1;
+        char *p;
+
+#ifndef OPENSSL_SYS_WIN16
+        intr_signal=0;
+        ok=0;
+        ps=0;
+
+        pushsig();
+        ps=1;
+
+        if (!echo && !noecho_console(ui))
+                goto error;
+        ps=2;
+
+        result[0]='\0';
+#ifdef OPENSSL_SYS_MSDOS
+        if (!echo)
+                {
+                noecho_fgets(result,maxsize,tty_in);
+                p=result; /* FIXME: noecho_fgets doesn't return errors */
+                }
+        else
+                p=fgets(result,maxsize,tty_in);
+#else
+        p=fgets(result,maxsize,tty_in);
+#endif
+        if(!p)
+                goto error;
+        if (feof(tty_in)) goto error;
+        if (ferror(tty_in)) goto error;
+        if ((p=(char *)strchr(result,'\n')) != NULL)
+                {
+                if (strip_nl)
+                        *p='\0';
+                }
+        else
+                read_till_nl(tty_in);
+        if (UI_set_result(ui, uis, result) >= 0)
+                ok=1;
+
+error:
+        if (intr_signal == SIGINT)
+                ok=-1;
+        if (!echo) fprintf(tty_out,"\n");
+        if (ps >= 2 && !echo && !echo_console(ui))
+                ok=0;
+
+        if (ps >= 1)
+                popsig();
+#else
+        ok=1;
+#endif
+
+        memset(result,0,BUFSIZ);
+        return ok;
+        }
+
+
+/* Internal functions to open, handle and close a channel to the console.  */
+static int open_console(UI *ui)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_UI);
+        is_a_tty = 1;
+
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS)
+        tty_in=stdin;
+        tty_out=stderr;
+#else
+#  ifdef OPENSSL_SYS_MSDOS
+#    define DEV_TTY "con"
+#  else
+#    define DEV_TTY "/dev/tty"
+#  endif
+        if ((tty_in=fopen(DEV_TTY,"r")) == NULL)
+                tty_in=stdin;
+        if ((tty_out=fopen(DEV_TTY,"w")) == NULL)
+                tty_out=stderr;
+#endif
+
+#if defined(TTY_get) && !defined(VMS)
+        if (TTY_get(fileno(tty_in),&tty_orig) == -1)
+                {
+#ifdef ENOTTY
+                if (errno == ENOTTY)
+                        is_a_tty=0;
+                else
+#endif
+#ifdef EINVAL
+                /* Ariel Glenn ariel@columbia.edu reports that solaris
+                 * can return EINVAL instead.  This should be ok */
+                if (errno == EINVAL)
+                        is_a_tty=0;
+                else
+#endif
+                        return 0;
+                }
+#endif
+#ifdef OPENSSL_SYS_VMS
+        status = sys$assign(&terminal,&channel,0,0);
+        if (status != SS$_NORMAL)
+                return 0;
+        status=sys$qiow(0,channel,IO$_SENSEMODE,&iosb,0,0,tty_orig,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int noecho_console(UI *ui)
+        {
+#ifdef TTY_FLAGS
+        memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+        tty_new.TTY_FLAGS &= ~ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        if (is_a_tty && (TTY_set(fileno(tty_in),&tty_new) == -1))
+                return 0;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        tty_new[0] = tty_orig[0];
+        tty_new[1] = tty_orig[1] | TT$M_NOECHO;
+        tty_new[2] = tty_orig[2];
+        status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int echo_console(UI *ui)
+        {
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+        tty_new.TTY_FLAGS |= ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        if (is_a_tty && (TTY_set(fileno(tty_in),&tty_new) == -1))
+                return 0;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        tty_new[0] = tty_orig[0];
+        tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
+        tty_new[2] = tty_orig[2];
+        status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int close_console(UI *ui)
+        {
+        if (tty_in != stderr) fclose(tty_in);
+        if (tty_out != stderr) fclose(tty_out);
+#ifdef OPENSSL_SYS_VMS
+        status = sys$dassgn(channel);
+#endif
+        CRYPTO_w_unlock(CRYPTO_LOCK_UI);
+
+        return 1;
+        }
+
+
+/* Internal functions to handle signals and act on them */
+static void pushsig(void)
+        {
+        int i;
+#ifdef SIGACTION
+        struct sigaction sa;
+
+        memset(&sa,0,sizeof sa);
+        sa.sa_handler=recsig;
+#endif
+
+        for (i=1; i<NX509_SIG; i++)
+                {
+#ifdef SIGUSR1
+                if (i == SIGUSR1)
+                        continue;
+#endif
+#ifdef SIGUSR2
+                if (i == SIGUSR2)
+                        continue;
+#endif
+#ifdef SIGKILL
+                if (i == SIGKILL) /* We can't make any action on that. */
+                        continue;
+#endif
+#ifdef SIGACTION
+                sigaction(i,&sa,&savsig[i]);
+#else
+                savsig[i]=signal(i,recsig);
+#endif
+                }
+
+#ifdef SIGWINCH
+        signal(SIGWINCH,SIG_DFL);
+#endif
+        }
+
+static void popsig(void)
+        {
+        int i;
+
+        for (i=1; i<NX509_SIG; i++)
+                {
+#ifdef SIGUSR1
+                if (i == SIGUSR1)
+                        continue;
+#endif
+#ifdef SIGUSR2
+                if (i == SIGUSR2)
+                        continue;
+#endif
+#ifdef SIGACTION
+                sigaction(i,&savsig[i],NULL);
+#else
+                signal(i,savsig[i]);
+#endif
+                }
+        }
+
+static void recsig(int i)
+        {
+        intr_signal=i;
+        }
+
+/* Internal functions specific for Windows */
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty)
+        {
+        int i;
+        char *p;
+
+        p=buf;
+        for (;;)
+                {
+                if (size == 0)
+                        {
+                        *p='\0';
+                        break;
+                        }
+                size--;
+#ifdef WIN16TTY
+                i=_inchar();
+#else
+                i=getch();
+#endif
+                if (i == '\r') i='\n';
+                *(p++)=i;
+                if (i == '\n')
+                        {
+                        *p='\0';
+                        break;
+                        }
+                }
+#ifdef WIN_CONSOLE_BUG
+/* Win95 has several evil console bugs: one of these is that the
+ * last character read using getch() is passed to the next read: this is
+ * usually a CR so this can be trouble. No STDIO fix seems to work but
+ * flushing the console appears to do the trick.
+ */
+                {
+                        HANDLE inh;
+                        inh = GetStdHandle(STD_INPUT_HANDLE);
+                        FlushConsoleInputBuffer(inh);
+                }
+#endif
+        return(strlen(buf));
+        }
+#endif
diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c
new file mode 100644
index 0000000000..7c6f7d3a73
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_util.c
@@ -0,0 +1,86 @@
+/* crypto/ui/ui_util.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/ui.h>
+
+int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify)
+        {
+        char buff[BUFSIZ];
+        int ret;
+
+        ret=UI_UTIL_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
+        memset(buff,0,BUFSIZ);
+        return(ret);
+        }
+
+int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
+        {
+        int ok = 0;
+        UI *ui;
+
+        ui = UI_new();
+        if (ui)
+                {
+                ok = UI_add_input_string(ui,prompt,0,buf,0,BUFSIZ-1);
+                if (ok == 0 && verify)
+                        ok = UI_add_verify_string(ui,prompt,0,buff,0,BUFSIZ-1,
+                                buf);
+                if (ok == 0)
+                        ok=UI_process(ui);
+                UI_free(ui);
+                }
+        return(ok);
+        }
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
new file mode 100644
index 0000000000..4b3bccb13e
--- /dev/null
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -0,0 +1,503 @@
+#!/usr/local/bin/perl -w
+
+my $config = "crypto/err/openssl.ec";
+my $debug = 0;
+my $rebuild = 0;
+my $static = 1;
+my $recurse = 0;
+my $reindex = 0;
+my $dowrite = 0;
+
+
+while (@ARGV) {
+        my $arg = $ARGV[0];
+        if($arg eq "-conf") {
+                shift @ARGV;
+                $config = shift @ARGV;
+        } elsif($arg eq "-debug") {
+                $debug = 1;
+                shift @ARGV;
+        } elsif($arg eq "-rebuild") {
+                $rebuild = 1;
+                shift @ARGV;
+        } elsif($arg eq "-recurse") {
+                $recurse = 1;
+                shift @ARGV;
+        } elsif($arg eq "-reindex") {
+                $reindex = 1;
+                shift @ARGV;
+        } elsif($arg eq "-nostatic") {
+                $static = 0;
+                shift @ARGV;
+        } elsif($arg eq "-write") {
+                $dowrite = 1;
+                shift @ARGV;
+        } else {
+                last;
+        }
+}
+
+if($recurse) {
+        @source = (<crypto/*.c>, <crypto/*/*.c>, ,<rsaref/*.c>, <ssl/*.c>);
+} else {
+        @source = @ARGV;
+}
+
+# Read in the config file
+
+open(IN, "<$config") || die "Can't open config file $config";
+
+# Parse config file
+
+while(<IN>)
+{
+        if(/^L\s+(\S+)\s+(\S+)\s+(\S+)/) {
+                $hinc{$1} = $2;
+                $cskip{$3} = $1;
+                if($3 ne "NONE") {
+                        $csrc{$1} = $3;
+                        $fmax{$1} = 99;
+                        $rmax{$1} = 99;
+                        $fnew{$1} = 0;
+                        $rnew{$1} = 0;
+                }
+        } elsif (/^F\s+(\S+)/) {
+        # Add extra function with $1
+        } elsif (/^R\s+(\S+)\s+(\S+)/) {
+                $rextra{$1} = $2;
+                $rcodes{$1} = $2;
+        }
+}
+
+close IN;
+
+# Scan each header file in turn and make a list of error codes
+# and function names
+
+while (($lib, $hdr) = each %hinc)
+{
+        next if($hdr eq "NONE");
+        print STDERR "Scanning header file $hdr\n" if $debug; 
+        open(IN, "<$hdr") || die "Can't open Header file $hdr\n";
+        my $line = "", $def= "";
+        while(<IN>) {
+            last if(/BEGIN\s+ERROR\s+CODES/);
+            if ($line ne '') {
+                $_ = $line . $_;
+                $line = '';
+            }
+
+            if (/\\$/) {
+                $line = $_;
+                next;
+            }
+
+            $cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
+            if ($cpp) {
+                $cpp = 0 if /^#.*endif/;
+                next;
+            }
+
+            next if (/^#/);                      # skip preprocessor directives
+
+            s/\/\*.*?\*\///gs;                   # ignore comments
+            s/{[^{}]*}//gs;                      # ignore {} blocks
+
+            if (/{|\/\*/) { # Add a } so editor works...
+                $line = $_;
+            } else {
+                $def .= $_;
+            }
+        }
+
+        foreach (split /;/, $def) {
+            s/^[\n\s]*//g;
+            s/[\n\s]*$//g;
+            next if(/typedef\W/);
+            if (/\(\*(\w*)\([^\)]+/) {
+                my $name = $1;
+                $name =~ tr/[a-z]/[A-Z]/;
+                $ftrans{$name} = $1;
+            } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){
+                # K&R C
+                next ;
+            } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
+                while (not /\(\)$/s) {
+                    s/[^\(\)]*\)$/\)/s;
+                    s/\([^\(\)]*\)\)$/\)/s;
+                }
+                s/\(void\)//;
+                /(\w+)\W*\(\)/s;
+                my $name = $1;
+                $name =~ tr/[a-z]/[A-Z]/;
+                $ftrans{$name} = $1;
+            } elsif (/\(/ and not (/=/ or /DECLARE_STACK/)) {
+                print STDERR "Header $hdr: cannot parse: $_;\n";
+            }
+        }
+
+        next if $reindex;
+
+        # Scan function and reason codes and store them: keep a note of the
+        # maximum code used.
+
+        while(<IN>) {
+                if(/^#define\s+(\S+)\s+(\S+)/) {
+                        $name = $1;
+                        $code = $2;
+                        unless($name =~ /^${lib}_([RF])_(\w+)$/) {
+                                print STDERR "Invalid error code $name\n";
+                                next;
+                        }
+                        if($1 eq "R") {
+                                $rcodes{$name} = $code;
+                                if(!(exists $rextra{$name}) &&
+                                         ($code > $rmax{$lib}) ) {
+                                        $rmax{$lib} = $code;
+                                }
+                        } else {
+                                if($code > $fmax{$lib}) {
+                                        $fmax{$lib} = $code;
+                                }
+                                $fcodes{$name} = $code;
+                        }
+                }
+        }
+        close IN;
+}
+
+# Scan each C source file and look for function and reason codes
+# This is done by looking for strings that "look like" function or
+# reason codes: basically anything consisting of all upper case and
+# numerics which has _F_ or _R_ in it and which has the name of an
+# error library at the start. This seems to work fine except for the
+# oddly named structure BIO_F_CTX which needs to be ignored.
+# If a code doesn't exist in list compiled from headers then mark it
+# with the value "X" as a place holder to give it a value later.
+# Store all function and reason codes found in %ufcodes and %urcodes
+# so all those unreferenced can be printed out.
+
+
+foreach $file (@source) {
+        # Don't parse the error source file.
+        next if exists $cskip{$file};
+        open(IN, "<$file") || die "Can't open source file $file\n";
+        while(<IN>) {
+                if(/(([A-Z0-9]+)_F_([A-Z0-9_]+))/) {
+                        next unless exists $csrc{$2};
+                        next if($1 eq "BIO_F_BUFFER_CTX");
+                        $ufcodes{$1} = 1;
+                        if(!exists $fcodes{$1}) {
+                                $fcodes{$1} = "X";
+                                $fnew{$2}++;
+                        }
+                        $notrans{$1} = 1 unless exists $ftrans{$3};
+                }
+                if(/(([A-Z0-9]+)_R_[A-Z0-9_]+)/) {
+                        next unless exists $csrc{$2};
+                        $urcodes{$1} = 1;
+                        if(!exists $rcodes{$1}) {
+                                $rcodes{$1} = "X";
+                                $rnew{$2}++;
+                        }
+                } 
+        }
+        close IN;
+}
+
+# Now process each library in turn.
+
+foreach $lib (keys %csrc)
+{
+        my $hfile = $hinc{$lib};
+        my $cfile = $csrc{$lib};
+        if(!$fnew{$lib} && !$rnew{$lib}) {
+                print STDERR "$lib:\t\tNo new error codes\n";
+                next unless $rebuild;
+        } else {
+                print STDERR "$lib:\t\t$fnew{$lib} New Functions,";
+                print STDERR " $rnew{$lib} New Reasons.\n";
+                next unless $dowrite;
+        }
+
+        # If we get here then we have some new error codes so we
+        # need to rebuild the header file and C file.
+
+        # Make a sorted list of error and reason codes for later use.
+
+        my @function = sort grep(/^${lib}_/,keys %fcodes);
+        my @reasons = sort grep(/^${lib}_/,keys %rcodes);
+
+        # Rewrite the header file
+
+        open(IN, "<$hfile") || die "Can't Open Header File $hfile\n";
+
+        # Copy across the old file
+        while(<IN>) {
+                push @out, $_;
+                last if (/BEGIN ERROR CODES/);
+        }
+        close IN;
+
+        open (OUT, ">$hfile") || die "Can't Open File $hfile for writing\n";
+
+        print OUT @out;
+        undef @out;
+        print OUT <<"EOF";
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the $lib functions. */
+
+/* Function codes. */
+EOF
+
+        foreach $i (@function) {
+                $z=6-int(length($i)/8);
+                if($fcodes{$i} eq "X") {
+                        $fcodes{$i} = ++$fmax{$lib};
+                        print STDERR "New Function code $i\n" if $debug;
+                }
+                printf OUT "#define $i%s $fcodes{$i}\n","\t" x $z;
+        }
+
+        print OUT "\n/* Reason codes. */\n";
+
+        foreach $i (@reasons) {
+                $z=6-int(length($i)/8);
+                if($rcodes{$i} eq "X") {
+                        $rcodes{$i} = ++$rmax{$lib};
+                        print STDERR "New Reason code   $i\n" if $debug;
+                }
+                printf OUT "#define $i%s $rcodes{$i}\n","\t" x $z;
+        }
+        print OUT <<"EOF";
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
+EOF
+        close OUT;
+
+        # Rewrite the C source file containing the error details.
+
+        my $hincf;
+        if($static) {
+                $hfile =~ /([^\/]+)$/;
+                $hincf = "<openssl/$1>";
+        } else {
+                $hincf = "\"$hfile\"";
+        }
+
+
+        open (OUT,">$cfile") || die "Can't open $cfile for writing";
+
+        print OUT <<"EOF";
+/* $cfile */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core\@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay\@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh\@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include $hincf
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA ${lib}_str_functs[]=
+        {
+EOF
+        # Add each function code: if a function name is found then use it.
+        foreach $i (@function) {
+                my $fn;
+                $i =~ /^${lib}_F_(\S+)$/;
+                $fn = $1;
+                if(exists $ftrans{$fn}) {
+                        $fn = $ftrans{$fn};
+                }
+                print OUT "{ERR_PACK(0,$i,0),\t\"$fn\"},\n";
+        }
+        print OUT <<"EOF";
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ${lib}_str_reasons[]=
+        {
+EOF
+        # Add each reason code.
+        foreach $i (@reasons) {
+                my $rn;
+                my $nspc = 0;
+                $i =~ /^${lib}_R_(\S+)$/;
+                $rn = $1;
+                $rn =~ tr/_[A-Z]/ [a-z]/;
+                $nspc = 40 - length($i) unless length($i) > 40;
+                $nspc = " " x $nspc;
+                print OUT "{${i}${nspc},\"$rn\"},\n";
+        }
+if($static) {
+        print OUT <<"EOF";
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_${lib}_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs);
+                ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons);
+#endif
+
+                }
+        }
+EOF
+} else {
+        print OUT <<"EOF";
+{0,NULL}
+        };
+
+#endif
+
+#ifdef ${lib}_LIB_NAME
+static ERR_STRING_DATA ${lib}_lib_name[]=
+        {
+{0      ,${lib}_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+int ${lib}_lib_error_code=0;
+
+void ERR_load_${lib}_strings(void)
+        {
+        static int init=1;
+
+        if (${lib}_lib_error_code == 0)
+                ${lib}_lib_error_code=ERR_get_next_error_library();
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(${lib}_lib_error_code,${lib}_str_functs);
+                ERR_load_strings(${lib}_lib_error_code,${lib}_str_reasons);
+#endif
+
+#ifdef ${lib}_LIB_NAME
+                ${lib}_lib_name->error = ERR_PACK(${lib}_lib_error_code,0,0);
+                ERR_load_strings(0,${lib}_lib_name);
+#endif;
+                }
+        }
+
+void ERR_${lib}_error(int function, int reason, char *file, int line)
+        {
+        if (${lib}_lib_error_code == 0)
+                ${lib}_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(${lib}_lib_error_code,function,reason,file,line);
+        }
+EOF
+
+}
+
+        close OUT;
+
+}
+
+if($debug && defined(%notrans)) {
+        print STDERR "The following function codes were not translated:\n";
+        foreach(sort keys %notrans)
+        {
+                print STDERR "$_\n";
+        }
+}
+
+# Make a list of unreferenced function and reason codes
+
+foreach (keys %fcodes) {
+        push (@funref, $_) unless exists $ufcodes{$_};
+}
+
+foreach (keys %rcodes) {
+        push (@runref, $_) unless exists $urcodes{$_};
+}
+
+if($debug && defined(@funref) ) {
+        print STDERR "The following function codes were not referenced:\n";
+        foreach(sort @funref)
+        {
+                print STDERR "$_\n";
+        }
+}
+
+if($debug && defined(@runref) ) {
+        print STDERR "The following reason codes were not referenced:\n";
+        foreach(sort @runref)
+        {
+                print STDERR "$_\n";
+        }
+}
diff --git a/src/lib/libcrypto/util/mkstack.pl b/src/lib/libcrypto/util/mkstack.pl
new file mode 100644
index 0000000000..3ee13fe7c9
--- /dev/null
+++ b/src/lib/libcrypto/util/mkstack.pl
@@ -0,0 +1,124 @@
+#!/usr/local/bin/perl -w
+
+# This is a utility that searches out "DECLARE_STACK_OF()"
+# declarations in .h and .c files, and updates/creates/replaces
+# the corresponding macro declarations in crypto/stack/safestack.h.
+# As it's not generally possible to have macros that generate macros,
+# we need to control this from the "outside", here in this script.
+#
+# Geoff Thorpe, June, 2000 (with massive Perl-hacking
+#                           help from Steve Robb)
+
+my $safestack = "crypto/stack/safestack";
+
+my $do_write;
+while (@ARGV) {
+        my $arg = $ARGV[0];
+        if($arg eq "-write") {
+                $do_write = 1;
+        }
+        shift @ARGV;
+}
+
+
+@source = (<crypto/*.[ch]>, <crypto/*/*.[ch]>, <rsaref/*.[ch]>, <ssl/*.[ch]>);
+foreach $file (@source) {
+        next if -l $file;
+
+        # Open the .c/.h file for reading
+        open(IN, "< $file") || die "Can't open $file for reading: $!";
+
+        while(<IN>) {
+                if (/^DECLARE_STACK_OF\(([^)]+)\)/) {
+                        push @stacklst, $1;
+                } if (/^DECLARE_ASN1_SET_OF\(([^)]+)\)/) {
+                        push @asn1setlst, $1;
+                } if (/^DECLARE_PKCS12_STACK_OF\(([^)]+)\)/) {
+                        push @p12stklst, $1;
+                }
+        }
+        close(IN);
+}
+
+
+
+my $old_stackfile = "";
+my $new_stackfile = "";
+my $inside_block = 0;
+my $type_thing;
+
+open(IN, "< $safestack.h") || die "Can't open input file: $!";
+while(<IN>) {
+        $old_stackfile .= $_;
+
+        if (m|^/\* This block of defines is updated by util/mkstack.pl, please do not touch! \*/|) {
+                $inside_block = 1;
+        }
+        if (m|^/\* End of util/mkstack.pl block, you may now edit :-\) \*/|) {
+                $inside_block = 0;
+        } elsif ($inside_block == 0) {
+                $new_stackfile .= $_;
+        }
+        next if($inside_block != 1);
+        $new_stackfile .= "/* This block of defines is updated by util/mkstack.pl, please do not touch! */";
+                
+        foreach $type_thing (sort @stacklst) {
+                $new_stackfile .= <<EOF;
+
+#define sk_${type_thing}_new(st) SKM_sk_new($type_thing, (st))
+#define sk_${type_thing}_new_null() SKM_sk_new_null($type_thing)
+#define sk_${type_thing}_free(st) SKM_sk_free($type_thing, (st))
+#define sk_${type_thing}_num(st) SKM_sk_num($type_thing, (st))
+#define sk_${type_thing}_value(st, i) SKM_sk_value($type_thing, (st), (i))
+#define sk_${type_thing}_set(st, i, val) SKM_sk_set($type_thing, (st), (i), (val))
+#define sk_${type_thing}_zero(st) SKM_sk_zero($type_thing, (st))
+#define sk_${type_thing}_push(st, val) SKM_sk_push($type_thing, (st), (val))
+#define sk_${type_thing}_unshift(st, val) SKM_sk_unshift($type_thing, (st), (val))
+#define sk_${type_thing}_find(st, val) SKM_sk_find($type_thing, (st), (val))
+#define sk_${type_thing}_delete(st, i) SKM_sk_delete($type_thing, (st), (i))
+#define sk_${type_thing}_delete_ptr(st, ptr) SKM_sk_delete_ptr($type_thing, (st), (ptr))
+#define sk_${type_thing}_insert(st, val, i) SKM_sk_insert($type_thing, (st), (val), (i))
+#define sk_${type_thing}_set_cmp_func(st, cmp) SKM_sk_set_cmp_func($type_thing, (st), (cmp))
+#define sk_${type_thing}_dup(st) SKM_sk_dup($type_thing, st)
+#define sk_${type_thing}_pop_free(st, free_func) SKM_sk_pop_free($type_thing, (st), (free_func))
+#define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
+#define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
+#define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
+EOF
+        }
+        foreach $type_thing (sort @asn1setlst) {
+                $new_stackfile .= <<EOF;
+
+#define d2i_ASN1_SET_OF_${type_thing}(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \\
+        SKM_ASN1_SET_OF_d2i($type_thing, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
+#define i2d_ASN1_SET_OF_${type_thing}(st, pp, i2d_func, ex_tag, ex_class, is_set) \\
+        SKM_ASN1_SET_OF_i2d($type_thing, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
+#define ASN1_seq_pack_${type_thing}(st, i2d_func, buf, len) \\
+        SKM_ASN1_seq_pack($type_thing, (st), (i2d_func), (buf), (len))
+#define ASN1_seq_unpack_${type_thing}(buf, len, d2i_func, free_func) \\
+        SKM_ASN1_seq_unpack($type_thing, (buf), (len), (d2i_func), (free_func))
+EOF
+        }
+        foreach $type_thing (sort @p12stklst) {
+                $new_stackfile .= <<EOF;
+
+#define PKCS12_decrypt_d2i_${type_thing}(algor, d2i_func, free_func, pass, passlen, oct, seq) \\
+        SKM_PKCS12_decrypt_d2i($type_thing, (algor), (d2i_func), (free_func), (pass), (passlen), (oct), (seq))
+EOF
+        }
+        $new_stackfile .= "/* End of util/mkstack.pl block, you may now edit :-) */\n";
+        $inside_block = 2;
+}
+
+
+if ($new_stackfile eq $old_stackfile) {
+        print "No changes to $safestack.h.\n";
+        exit 0; # avoid unnecessary rebuild
+}
+
+if ($do_write) {
+        print "Writing new $safestack.h.\n";
+        open OUT, ">$safestack.h" || die "Can't open output file";
+        print OUT $new_stackfile;
+        close OUT;
+}
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
new file mode 100644
index 0000000000..caafde658f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -0,0 +1,326 @@
+/* crypto/x509/x509_att.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
+{
+        if (!x) return 0;
+        return(sk_X509_ATTRIBUTE_num(x));
+}
+
+int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+                          int lastpos)
+{
+        ASN1_OBJECT *obj;
+
+        obj=OBJ_nid2obj(nid);
+        if (obj == NULL) return(-2);
+        return(X509at_get_attr_by_OBJ(x,obj,lastpos));
+}
+
+int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
+                          int lastpos)
+{
+        int n;
+        X509_ATTRIBUTE *ex;
+
+        if (sk == NULL) return(-1);
+        lastpos++;
+        if (lastpos < 0)
+                lastpos=0;
+        n=sk_X509_ATTRIBUTE_num(sk);
+        for ( ; lastpos < n; lastpos++)
+                {
+                ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
+                if (OBJ_cmp(ex->object,obj) == 0)
+                        return(lastpos);
+                }
+        return(-1);
+}
+
+X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
+{
+        if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
+                return NULL;
+        else
+                return sk_X509_ATTRIBUTE_value(x,loc);
+}
+
+X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
+{
+        X509_ATTRIBUTE *ret;
+
+        if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
+                return(NULL);
+        ret=sk_X509_ATTRIBUTE_delete(x,loc);
+        return(ret);
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+                                         X509_ATTRIBUTE *attr)
+{
+        X509_ATTRIBUTE *new_attr=NULL;
+        STACK_OF(X509_ATTRIBUTE) *sk=NULL;
+
+        if ((x != NULL) && (*x == NULL))
+                {
+                if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
+                        goto err;
+                }
+        else
+                sk= *x;
+
+        if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
+                goto err2;
+        if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
+                goto err;
+        if ((x != NULL) && (*x == NULL))
+                *x=sk;
+        return(sk);
+err:
+        X509err(X509_F_X509_ADD_ATTR,ERR_R_MALLOC_FAILURE);
+err2:
+        if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
+        if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
+        return(NULL);
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+                        ASN1_OBJECT *obj, int type,
+                        unsigned char *bytes, int len)
+{
+        X509_ATTRIBUTE *attr;
+        STACK_OF(X509_ATTRIBUTE) *ret;
+        attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
+        if(!attr) return 0;
+        ret = X509at_add1_attr(x, attr);
+        X509_ATTRIBUTE_free(attr);
+        return ret;
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+                        int nid, int type,
+                        unsigned char *bytes, int len)
+{
+        X509_ATTRIBUTE *attr;
+        STACK_OF(X509_ATTRIBUTE) *ret;
+        attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
+        if(!attr) return 0;
+        ret = X509at_add1_attr(x, attr);
+        X509_ATTRIBUTE_free(attr);
+        return ret;
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+                        char *attrname, int type,
+                        unsigned char *bytes, int len)
+{
+        X509_ATTRIBUTE *attr;
+        STACK_OF(X509_ATTRIBUTE) *ret;
+        attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
+        if(!attr) return 0;
+        ret = X509at_add1_attr(x, attr);
+        X509_ATTRIBUTE_free(attr);
+        return ret;
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+             int atrtype, void *data, int len)
+{
+        ASN1_OBJECT *obj;
+        X509_ATTRIBUTE *ret;
+
+        obj=OBJ_nid2obj(nid);
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
+                return(NULL);
+                }
+        ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
+        if (ret == NULL) ASN1_OBJECT_free(obj);
+        return(ret);
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+             ASN1_OBJECT *obj, int atrtype, void *data, int len)
+{
+        X509_ATTRIBUTE *ret;
+
+        if ((attr == NULL) || (*attr == NULL))
+                {
+                if ((ret=X509_ATTRIBUTE_new()) == NULL)
+                        {
+                        X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
+                }
+        else
+                ret= *attr;
+
+        if (!X509_ATTRIBUTE_set1_object(ret,obj))
+                goto err;
+        if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
+                goto err;
+        
+        if ((attr != NULL) && (*attr == NULL)) *attr=ret;
+        return(ret);
+err:
+        if ((attr == NULL) || (ret != *attr))
+                X509_ATTRIBUTE_free(ret);
+        return(NULL);
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+                char *atrname, int type, unsigned char *bytes, int len)
+        {
+        ASN1_OBJECT *obj;
+        X509_ATTRIBUTE *nattr;
+
+        obj=OBJ_txt2obj(atrname, 0);
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
+                                                X509_R_INVALID_FIELD_NAME);
+                ERR_add_error_data(2, "name=", atrname);
+                return(NULL);
+                }
+        nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
+        ASN1_OBJECT_free(obj);
+        return nattr;
+        }
+
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
+{
+        if ((attr == NULL) || (obj == NULL))
+                return(0);
+        ASN1_OBJECT_free(attr->object);
+        attr->object=OBJ_dup(obj);
+        return(1);
+}
+
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len)
+{
+        ASN1_TYPE *ttmp;
+        ASN1_STRING *stmp;
+        int atype;
+        if (!attr) return 0;
+        if(attrtype & MBSTRING_FLAG) {
+                stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
+                                                OBJ_obj2nid(attr->object));
+                if(!stmp) {
+                        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
+                        return 0;
+                }
+                atype = stmp->type;
+        } else {
+                if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
+                if(!ASN1_STRING_set(stmp, data, len)) goto err;
+                atype = attrtype;
+        }
+        if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+        if(!(ttmp = ASN1_TYPE_new())) goto err;
+        if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
+        attr->set = 1;
+        ASN1_TYPE_set(ttmp, atype, stmp);
+        return 1;
+        err:
+        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
+        return 0;
+}
+
+int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
+{
+        if(attr->set) return sk_ASN1_TYPE_num(attr->value.set);
+        if(attr->value.single) return 1;
+        return 0;
+}
+
+ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
+{
+        if (attr == NULL) return(NULL);
+        return(attr->object);
+}
+
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+                                        int atrtype, void *data)
+{
+        ASN1_TYPE *ttmp;
+        ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
+        if(!ttmp) return NULL;
+        if(atrtype != ASN1_TYPE_get(ttmp)){
+                X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
+                return NULL;
+        }
+        return ttmp->value.ptr;
+}
+
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
+{
+        if (attr == NULL) return(NULL);
+        if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
+        if(attr->set) return sk_ASN1_TYPE_value(attr->value.set, idx);
+        else return attr->value.single;
+}
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
new file mode 100644
index 0000000000..9f7d67952d
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -0,0 +1,263 @@
+/* x509_trs.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+
+static int tr_cmp(X509_TRUST **a, X509_TRUST **b);
+static void trtable_free(X509_TRUST *p);
+
+static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
+static int trust_any(X509_TRUST *trust, X509 *x, int flags);
+
+static int obj_trust(int id, X509 *x, int flags);
+static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
+
+/* WARNING: the following table should be kept in order of trust
+ * and without any gaps so we can just subtract the minimum trust
+ * value to get an index into the table
+ */
+
+static X509_TRUST trstandard[] = {
+{X509_TRUST_ANY, 0, trust_any, "Any", 0, NULL},
+{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
+{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
+{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+};
+
+#define X509_TRUST_COUNT        (sizeof(trstandard)/sizeof(X509_TRUST))
+
+IMPLEMENT_STACK_OF(X509_TRUST)
+
+static STACK_OF(X509_TRUST) *trtable = NULL;
+
+static int tr_cmp(X509_TRUST **a, X509_TRUST **b)
+{
+        return (*a)->trust - (*b)->trust;
+}
+
+int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
+{
+int (*oldtrust)(int , X509 *, int);
+oldtrust = default_trust;
+default_trust = trust;
+return oldtrust;
+}
+
+
+int X509_check_trust(X509 *x, int id, int flags)
+{
+        X509_TRUST *pt;
+        int idx;
+        if(id == -1) return 1;
+        if(!(idx = X509_TRUST_get_by_id(id)))
+                        return default_trust(id, x, flags);
+        pt = X509_TRUST_get0(idx);
+        return pt->check_trust(pt, x, flags);
+}
+
+int X509_TRUST_get_count(void)
+{
+        if(!trtable) return X509_TRUST_COUNT;
+        return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
+}
+
+X509_TRUST * X509_TRUST_get0(int idx)
+{
+        if(idx < 0) return NULL;
+        if(idx < X509_TRUST_COUNT) return trstandard + idx;
+        return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
+}
+
+int X509_TRUST_get_by_id(int id)
+{
+        X509_TRUST tmp;
+        int idx;
+        if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
+                                 return id - X509_TRUST_MIN;
+        tmp.trust = id;
+        if(!trtable) return -1;
+        idx = sk_X509_TRUST_find(trtable, &tmp);
+        if(idx == -1) return -1;
+        return idx + X509_TRUST_COUNT;
+}
+
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+                                        char *name, int arg1, void *arg2)
+{
+        int idx;
+        X509_TRUST *trtmp;
+        /* This is set according to what we change: application can't set it */
+        flags &= ~X509_TRUST_DYNAMIC;
+        /* This will always be set for application modified trust entries */
+        flags |= X509_TRUST_DYNAMIC_NAME;
+        /* Get existing entry if any */
+        idx = X509_TRUST_get_by_id(id);
+        /* Need a new entry */
+        if(idx == -1) {
+                if(!(trtmp = Malloc(sizeof(X509_TRUST)))) {
+                        X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                trtmp->flags = X509_TRUST_DYNAMIC;
+        } else trtmp = X509_TRUST_get0(idx);
+
+        /* Free existing name if dynamic */
+        if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) Free(trtmp->name);
+        /* dup supplied name */
+        if(!(trtmp->name = BUF_strdup(name))) {
+                X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        /* Keep the dynamic flag of existing entry */
+        trtmp->flags &= X509_TRUST_DYNAMIC;
+        /* Set all other flags */
+        trtmp->flags |= flags;
+
+        trtmp->trust = id;
+        trtmp->check_trust = ck;
+        trtmp->arg1 = arg1;
+        trtmp->arg2 = arg2;
+
+        /* If its a new entry manage the dynamic table */
+        if(idx == -1) {
+                if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
+                        X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if (!sk_X509_TRUST_push(trtable, trtmp)) {
+                        X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+        }
+        return 1;
+}
+
+static void trtable_free(X509_TRUST *p)
+        {
+        if(!p) return;
+        if (p->flags & X509_TRUST_DYNAMIC) 
+                {
+                if (p->flags & X509_TRUST_DYNAMIC_NAME)
+                        Free(p->name);
+                Free(p);
+                }
+        }
+
+void X509_TRUST_cleanup(void)
+{
+        int i;
+        for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
+        sk_X509_TRUST_pop_free(trtable, trtable_free);
+        trtable = NULL;
+}
+
+int X509_TRUST_get_flags(X509_TRUST *xp)
+{
+        return xp->flags;
+}
+
+char *X509_TRUST_get0_name(X509_TRUST *xp)
+{
+        return xp->name;
+}
+
+int X509_TRUST_get_trust(X509_TRUST *xp)
+{
+        return xp->trust;
+}
+
+static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
+{
+        if(x->aux) return obj_trust(trust->arg1, x, flags);
+        /* we don't have any trust settings: for compatibility
+         * we return trusted if it is self signed
+         */
+        X509_check_purpose(x, -1, 0);
+        if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
+        else return X509_TRUST_UNTRUSTED;
+}
+
+static int obj_trust(int id, X509 *x, int flags)
+{
+        ASN1_OBJECT *obj;
+        int i;
+        X509_CERT_AUX *ax;
+        ax = x->aux;
+        if(!ax) return X509_TRUST_UNTRUSTED;
+        if(ax->reject) {
+                for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+                        obj = sk_ASN1_OBJECT_value(ax->reject, i);
+                        if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
+                }
+        }       
+        if(ax->trust) {
+                for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+                        obj = sk_ASN1_OBJECT_value(ax->trust, i);
+                        if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
+                }
+        }
+        return X509_TRUST_UNTRUSTED;
+}
+
+static int trust_any(X509_TRUST *trust, X509 *x, int flags)
+{
+        return X509_TRUST_TRUSTED;
+}
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
new file mode 100644
index 0000000000..6cac440ea9
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -0,0 +1,169 @@
+/* crypto/x509/x509cset.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_CRL_set_version(X509_CRL *x, long version)
+        {
+        if (x == NULL) return(0);
+        if (x->crl->version == NULL)
+                {
+                if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
+                        return(0);
+                }
+        return(ASN1_INTEGER_set(x->crl->version,version));
+        }
+
+int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
+        {
+        if ((x == NULL) || (x->crl == NULL)) return(0);
+        return(X509_NAME_set(&x->crl->issuer,name));
+        }
+
+
+int X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->crl->lastUpdate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->crl->lastUpdate);
+                        x->crl->lastUpdate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->crl->nextUpdate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->crl->nextUpdate);
+                        x->crl->nextUpdate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_CRL_sort(X509_CRL *c)
+        {
+        int i;
+        X509_REVOKED *r;
+        /* sort the data so it will be written in serial
+         * number order */
+        sk_X509_REVOKED_sort(c->crl->revoked);
+        for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
+                {
+                r=sk_X509_REVOKED_value(c->crl->revoked,i);
+                r->sequence=i;
+                }
+        return 1;
+        }
+
+int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->revocationDate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->revocationDate);
+                        x->revocationDate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
+        {
+        ASN1_INTEGER *in;
+
+        if (x == NULL) return(0);
+        in=x->serialNumber;
+        if (in != serial)
+                {
+                in=M_ASN1_INTEGER_dup(serial);
+                if (in != NULL)
+                        {
+                        M_ASN1_INTEGER_free(x->serialNumber);
+                        x->serialNumber=in;
+                        }
+                }
+        return(in != NULL);
+        }
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
new file mode 100644
index 0000000000..b35c3f92e7
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -0,0 +1,121 @@
+/* x509spki.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
+{
+        if ((x == NULL) || (x->spkac == NULL)) return(0);
+        return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
+}
+
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
+{
+        if ((x == NULL) || (x->spkac == NULL))
+                return(NULL);
+        return(X509_PUBKEY_get(x->spkac->pubkey));
+}
+
+/* Load a Netscape SPKI from a base64 encoded string */
+
+NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
+{
+        unsigned char *spki_der, *p;
+        int spki_len;
+        NETSCAPE_SPKI *spki;
+        if(len <= 0) len = strlen(str);
+        if (!(spki_der = Malloc(len + 1))) {
+                X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
+        if(spki_len < 0) {
+                X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
+                                                X509_R_BASE64_DECODE_ERROR);
+                Free(spki_der);
+                return NULL;
+        }
+        p = spki_der;
+        spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
+        Free(spki_der);
+        return spki;
+}
+
+/* Generate a base64 encoded string from an SPKI */
+
+char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
+{
+        unsigned char *der_spki, *p;
+        char *b64_str;
+        int der_len;
+        der_len = i2d_NETSCAPE_SPKI(spki, NULL);
+        der_spki = Malloc(der_len);
+        b64_str = Malloc(der_len * 2);
+        if(!der_spki || !b64_str) {
+                X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p = der_spki;
+        i2d_NETSCAPE_SPKI(spki, &p);
+        EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
+        Free(der_spki);
+        return b64_str;
+}
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
new file mode 100644
index 0000000000..801a585a52
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -0,0 +1,97 @@
+/* ext_dat.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* This file contains a table of "standard" extensions */
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+
+/* This table will be searched using OBJ_bsearch so it *must* kept in
+ * order of the ext_nid values.
+ */
+
+static X509V3_EXT_METHOD *standard_exts[] = {
+&v3_nscert,
+&v3_ns_ia5_list[0],
+&v3_ns_ia5_list[1],
+&v3_ns_ia5_list[2],
+&v3_ns_ia5_list[3],
+&v3_ns_ia5_list[4],
+&v3_ns_ia5_list[5],
+&v3_ns_ia5_list[6],
+&v3_skey_id,
+&v3_key_usage,
+&v3_pkey_usage_period,
+&v3_alt[0],
+&v3_alt[1],
+&v3_bcons,
+&v3_crl_num,
+&v3_cpols,
+&v3_akey_id,
+&v3_crld,
+&v3_ext_ku,
+&v3_crl_reason,
+&v3_sxnet,
+&v3_info,
+};
+
+/* Number of standard extensions */
+
+#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
+
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
new file mode 100644
index 0000000000..4099e6019e
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_akey.c
@@ -0,0 +1,249 @@
+/* v3_akey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+                        AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+                        X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_akey_id = {
+NID_authority_key_identifier, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)AUTHORITY_KEYID_new,
+(X509V3_EXT_FREE)AUTHORITY_KEYID_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_KEYID,
+(X509V3_EXT_I2D)i2d_AUTHORITY_KEYID,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+NULL,NULL,
+NULL
+};
+
+
+int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_len_IMP_opt (a->issuer, i2d_GENERAL_NAMES);
+        M_ASN1_I2D_len_IMP_opt (a->serial, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING, 0);
+        M_ASN1_I2D_put_IMP_opt (a->issuer, i2d_GENERAL_NAMES, 1);
+        M_ASN1_I2D_put_IMP_opt (a->serial, i2d_ASN1_INTEGER, 2);
+
+        M_ASN1_I2D_finish();
+}
+
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void)
+{
+        AUTHORITY_KEYID *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, AUTHORITY_KEYID);
+        ret->keyid = NULL;
+        ret->issuer = NULL;
+        ret->serial = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_AUTHORITY_KEYID_NEW);
+}
+
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp,
+             long length)
+{
+        M_ASN1_D2I_vars(a,AUTHORITY_KEYID *,AUTHORITY_KEYID_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_IMP_opt (ret->keyid, d2i_ASN1_OCTET_STRING, 0,
+                                                        V_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get_IMP_opt (ret->issuer, d2i_GENERAL_NAMES, 1,
+                                                        V_ASN1_SEQUENCE);
+        M_ASN1_D2I_get_IMP_opt (ret->serial, d2i_ASN1_INTEGER, 2,
+                                                        V_ASN1_INTEGER);
+        M_ASN1_D2I_Finish(a, AUTHORITY_KEYID_free, ASN1_F_D2I_AUTHORITY_KEYID);
+}
+
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
+{
+        if (a == NULL) return;
+        ASN1_OCTET_STRING_free(a->keyid);
+        sk_GENERAL_NAME_pop_free(a->issuer, GENERAL_NAME_free);
+        ASN1_INTEGER_free (a->serial);
+        Free ((char *)a);
+}
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+             AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
+{
+        char *tmp;
+        if(akeyid->keyid) {
+                tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
+                X509V3_add_value("keyid", tmp, &extlist);
+                Free(tmp);
+        }
+        if(akeyid->issuer) 
+                extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
+        if(akeyid->serial) {
+                tmp = hex_to_string(akeyid->serial->data,
+                                                 akeyid->serial->length);
+                X509V3_add_value("serial", tmp, &extlist);
+                Free(tmp);
+        }
+        return extlist;
+}
+
+/* Currently two options:
+ * keyid: use the issuers subject keyid, the value 'always' means its is
+ * an error if the issuer certificate doesn't have a key id.
+ * issuer: use the issuers cert issuer and serial number. The default is
+ * to only use this if keyid is not present. With the option 'always'
+ * this is always included.
+ */
+
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+char keyid=0, issuer=0;
+int i;
+CONF_VALUE *cnf;
+ASN1_OCTET_STRING *ikeyid = NULL;
+X509_NAME *isname = NULL;
+STACK_OF(GENERAL_NAME) * gens = NULL;
+GENERAL_NAME *gen = NULL;
+ASN1_INTEGER *serial = NULL;
+X509_EXTENSION *ext;
+X509 *cert;
+AUTHORITY_KEYID *akeyid;
+for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+        cnf = sk_CONF_VALUE_value(values, i);
+        if(!strcmp(cnf->name, "keyid")) {
+                keyid = 1;
+                if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
+        } else if(!strcmp(cnf->name, "issuer")) {
+                issuer = 1;
+                if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
+        } else {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
+                ERR_add_error_data(2, "name=", cnf->name);
+                return NULL;
+        }
+}
+
+
+
+if(!ctx || !ctx->issuer_cert) {
+        if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
+        X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
+        return NULL;
+}
+
+cert = ctx->issuer_cert;
+
+if(keyid) {
+        i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+        if((i >= 0)  && (ext = X509_get_ext(cert, i)))
+                                                 ikeyid = X509V3_EXT_d2i(ext);
+        if(keyid==2 && !ikeyid) {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+                return NULL;
+        }
+}
+
+if((issuer && !ikeyid) || (issuer == 2)) {
+        isname = X509_NAME_dup(X509_get_issuer_name(cert));
+        serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+        if(!isname || !serial) {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+                goto err;
+        }
+}
+
+if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
+
+if(isname) {
+        if(!(gens = sk_GENERAL_NAME_new(NULL)) || !(gen = GENERAL_NAME_new())
+                || !sk_GENERAL_NAME_push(gens, gen)) {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        gen->type = GEN_DIRNAME;
+        gen->d.dirn = isname;
+}
+
+akeyid->issuer = gens;
+akeyid->serial = serial;
+akeyid->keyid = ikeyid;
+
+return akeyid;
+
+err:
+X509_NAME_free(isname);
+ASN1_INTEGER_free(serial);
+ASN1_OCTET_STRING_free(ikeyid);
+return NULL;
+
+}
+
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
new file mode 100644
index 0000000000..2aafa26ba7
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_akeya.c
@@ -0,0 +1,72 @@
+/* v3_akey_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+ASN1_SEQUENCE(AUTHORITY_KEYID) = {
+        ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
+        ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
+        ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
+} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
+
+IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
new file mode 100644
index 0000000000..b5e1f8af96
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -0,0 +1,402 @@
+/* v3_alt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+X509V3_EXT_METHOD v3_alt[] = {
+{ NID_subject_alt_name, 0,
+(X509V3_EXT_NEW)GENERAL_NAMES_new,
+(X509V3_EXT_FREE)GENERAL_NAMES_free,
+(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
+(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+(X509V3_EXT_V2I)v2i_subject_alt,
+NULL, NULL, NULL},
+{ NID_issuer_alt_name, 0,
+(X509V3_EXT_NEW)GENERAL_NAMES_new,
+(X509V3_EXT_FREE)GENERAL_NAMES_free,
+(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
+(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+(X509V3_EXT_V2I)v2i_issuer_alt,
+NULL, NULL, NULL},
+EXT_END
+};
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                STACK_OF(GENERAL_NAME) *gens, STACK_OF(CONF_VALUE) *ret)
+{
+        int i;
+        GENERAL_NAME *gen;
+        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+                gen = sk_GENERAL_NAME_value(gens, i);
+                ret = i2v_GENERAL_NAME(method, gen, ret);
+        }
+        if(!ret) return sk_CONF_VALUE_new_null();
+        return ret;
+}
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
+                                GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
+{
+        char oline[256];
+        unsigned char *p;
+        switch (gen->type)
+        {
+                case GEN_OTHERNAME:
+                X509V3_add_value("othername","<unsupported>", &ret);
+                break;
+
+                case GEN_X400:
+                X509V3_add_value("X400Name","<unsupported>", &ret);
+                break;
+
+                case GEN_EDIPARTY:
+                X509V3_add_value("EdiPartyName","<unsupported>", &ret);
+                break;
+
+                case GEN_EMAIL:
+                X509V3_add_value_uchar("email",gen->d.ia5->data, &ret);
+                break;
+
+                case GEN_DNS:
+                X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret);
+                break;
+
+                case GEN_URI:
+                X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret);
+                break;
+
+                case GEN_DIRNAME:
+                X509_NAME_oneline(gen->d.dirn, oline, 256);
+                X509V3_add_value("DirName",oline, &ret);
+                break;
+
+                case GEN_IPADD:
+                p = gen->d.ip->data;
+                /* BUG: doesn't support IPV6 */
+                if(gen->d.ip->length != 4) {
+                        X509V3_add_value("IP Address","<invalid>", &ret);
+                        break;
+                }
+                sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+                X509V3_add_value("IP Address",oline, &ret);
+                break;
+
+                case GEN_RID:
+                i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
+                X509V3_add_value("Registered ID",oline, &ret);
+                break;
+        }
+        return ret;
+}
+
+static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!name_cmp(cnf->name, "issuer") && cnf->value &&
+                                                !strcmp(cnf->value, "copy")) {
+                        if(!copy_issuer(ctx, gens)) goto err;
+                } else {
+                        GENERAL_NAME *gen;
+                        if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+                                                                 goto err; 
+                        sk_GENERAL_NAME_push(gens, gen);
+                }
+        }
+        return gens;
+        err:
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return NULL;
+}
+
+/* Append subject altname of issuer to issuer alt name of subject */
+
+static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+{
+        STACK_OF(GENERAL_NAME) *ialt;
+        GENERAL_NAME *gen;
+        X509_EXTENSION *ext;
+        int i;
+        if(ctx && (ctx->flags == CTX_TEST)) return 1;
+        if(!ctx || !ctx->issuer_cert) {
+                X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS);
+                goto err;
+        }
+        i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
+        if(i < 0) return 1;
+        if(!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
+                        !(ialt = X509V3_EXT_d2i(ext)) ) {
+                X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR);
+                goto err;
+        }
+
+        for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
+                gen = sk_GENERAL_NAME_value(ialt, i);
+                if(!sk_GENERAL_NAME_push(gens, gen)) {
+                        X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+        }
+        sk_GENERAL_NAME_free(ialt);
+
+        return 1;
+                
+        err:
+        return 0;
+        
+}
+
+static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!name_cmp(cnf->name, "email") && cnf->value &&
+                                                !strcmp(cnf->value, "copy")) {
+                        if(!copy_email(ctx, gens)) goto err;
+                } else {
+                        GENERAL_NAME *gen;
+                        if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+                                                                 goto err; 
+                        sk_GENERAL_NAME_push(gens, gen);
+                }
+        }
+        return gens;
+        err:
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return NULL;
+}
+
+/* Copy any email addresses in a certificate or request to 
+ * GENERAL_NAMES
+ */
+
+static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+{
+        X509_NAME *nm;
+        ASN1_IA5STRING *email = NULL;
+        X509_NAME_ENTRY *ne;
+        GENERAL_NAME *gen = NULL;
+        int i;
+        if(ctx->flags == CTX_TEST) return 1;
+        if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
+                X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
+                goto err;
+        }
+        /* Find the subject name */
+        if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert);
+        else nm = X509_REQ_get_subject_name(ctx->subject_req);
+
+        /* Now add any email address(es) to STACK */
+        i = -1;
+        while((i = X509_NAME_get_index_by_NID(nm,
+                                         NID_pkcs9_emailAddress, i)) > 0) {
+                ne = X509_NAME_get_entry(nm, i);
+                email = ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
+                if(!email || !(gen = GENERAL_NAME_new())) {
+                        X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                gen->d.ia5 = email;
+                email = NULL;
+                gen->type = GEN_EMAIL;
+                if(!sk_GENERAL_NAME_push(gens, gen)) {
+                        X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                gen = NULL;
+        }
+
+        
+        return 1;
+                
+        err:
+        GENERAL_NAME_free(gen);
+        ASN1_IA5STRING_free(email);
+        return 0;
+        
+}
+
+STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        GENERAL_NAME *gen;
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+                sk_GENERAL_NAME_push(gens, gen);
+        }
+        return gens;
+        err:
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return NULL;
+}
+
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                         CONF_VALUE *cnf)
+{
+char is_string = 0;
+int type;
+GENERAL_NAME *gen = NULL;
+
+char *name, *value;
+
+name = cnf->name;
+value = cnf->value;
+
+if(!value) {
+        X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
+        return NULL;
+}
+
+if(!(gen = GENERAL_NAME_new())) {
+        X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+if(!name_cmp(name, "email")) {
+        is_string = 1;
+        type = GEN_EMAIL;
+} else if(!name_cmp(name, "URI")) {
+        is_string = 1;
+        type = GEN_URI;
+} else if(!name_cmp(name, "DNS")) {
+        is_string = 1;
+        type = GEN_DNS;
+} else if(!name_cmp(name, "RID")) {
+        ASN1_OBJECT *obj;
+        if(!(obj = OBJ_txt2obj(value,0))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
+                ERR_add_error_data(2, "value=", value);
+                goto err;
+        }
+        gen->d.rid = obj;
+        type = GEN_RID;
+} else if(!name_cmp(name, "IP")) {
+        int i1,i2,i3,i4;
+        unsigned char ip[4];
+        if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) ||
+            (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) ||
+            (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
+                ERR_add_error_data(2, "value=", value);
+                goto err;
+        }
+        ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4;
+        if(!(gen->d.ip = ASN1_OCTET_STRING_new()) ||
+                !ASN1_STRING_set(gen->d.ip, ip, 4)) {
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+                        goto err;
+        }
+        type = GEN_IPADD;
+} else {
+        X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION);
+        ERR_add_error_data(2, "name=", name);
+        goto err;
+}
+
+if(is_string) {
+        if(!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
+                      !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
+                                       strlen(value))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+}
+
+gen->type = type;
+
+return gen;
+
+err:
+GENERAL_NAME_free(gen);
+return NULL;
+}
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
new file mode 100644
index 0000000000..de2f855c35
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_bcons.c
@@ -0,0 +1,164 @@
+/* v3_bcons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_bcons = {
+NID_basic_constraints, 0,
+(X509V3_EXT_NEW)BASIC_CONSTRAINTS_new,
+(X509V3_EXT_FREE)BASIC_CONSTRAINTS_free,
+(X509V3_EXT_D2I)d2i_BASIC_CONSTRAINTS,
+(X509V3_EXT_I2D)i2d_BASIC_CONSTRAINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
+(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
+NULL,NULL,
+NULL
+};
+
+
+int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        if(a->ca) M_ASN1_I2D_len (a->ca, i2d_ASN1_BOOLEAN);
+        M_ASN1_I2D_len (a->pathlen, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total();
+
+        if (a->ca) M_ASN1_I2D_put (a->ca, i2d_ASN1_BOOLEAN);
+        M_ASN1_I2D_put (a->pathlen, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_finish();
+}
+
+BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void)
+{
+        BASIC_CONSTRAINTS *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, BASIC_CONSTRAINTS);
+        ret->ca = 0;
+        ret->pathlen = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_BASIC_CONSTRAINTS_NEW);
+}
+
+BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,BASIC_CONSTRAINTS *,BASIC_CONSTRAINTS_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        if((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) ==
+                 (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN) ) {
+                        M_ASN1_D2I_get_int (ret->ca, d2i_ASN1_BOOLEAN);
+        }
+        M_ASN1_D2I_get_opt (ret->pathlen, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+        M_ASN1_D2I_Finish(a, BASIC_CONSTRAINTS_free, ASN1_F_D2I_BASIC_CONSTRAINTS);
+}
+
+void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free (a->pathlen);
+        Free ((char *)a);
+}
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+             BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
+{
+        X509V3_add_value_bool("CA", bcons->ca, &extlist);
+        X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
+        return extlist;
+}
+
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+        BASIC_CONSTRAINTS *bcons=NULL;
+        CONF_VALUE *val;
+        int i;
+        if(!(bcons = BASIC_CONSTRAINTS_new())) {
+                X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+                val = sk_CONF_VALUE_value(values, i);
+                if(!strcmp(val->name, "CA")) {
+                        if(!X509V3_get_value_bool(val, &bcons->ca)) goto err;
+                } else if(!strcmp(val->name, "pathlen")) {
+                        if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err;
+                } else {
+                        X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
+                        X509V3_conf_err(val);
+                        goto err;
+                }
+        }
+        return bcons;
+        err:
+        BASIC_CONSTRAINTS_free(bcons);
+        return NULL;
+}
+
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
new file mode 100644
index 0000000000..9828ba15b3
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -0,0 +1,147 @@
+/* v3_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static ASN1_BIT_STRING *asn1_bit_string_new(void);
+static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+                                ASN1_BIT_STRING *bits,
+                                STACK_OF(CONF_VALUE) *extlist);
+static BIT_STRING_BITNAME ns_cert_type_table[] = {
+{0, "SSL Client", "client"},
+{1, "SSL Server", "server"},
+{2, "S/MIME", "email"},
+{3, "Object Signing", "objsign"},
+{4, "Unused", "reserved"},
+{5, "SSL CA", "sslCA"},
+{6, "S/MIME CA", "emailCA"},
+{7, "Object Signing CA", "objCA"},
+{-1, NULL, NULL}
+};
+
+static BIT_STRING_BITNAME key_usage_type_table[] = {
+{0, "Digital Signature", "digitalSignature"},
+{1, "Non Repudiation", "nonRepudiation"},
+{2, "Key Encipherment", "keyEncipherment"},
+{3, "Data Encipherment", "dataEncipherment"},
+{4, "Key Agreement", "keyAgreement"},
+{5, "Certificate Sign", "keyCertSign"},
+{6, "CRL Sign", "cRLSign"},
+{7, "Encipher Only", "encipherOnly"},
+{8, "Decipher Only", "decipherOnly"},
+{-1, NULL, NULL}
+};
+
+
+
+X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
+X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
+
+static ASN1_BIT_STRING *asn1_bit_string_new(void)
+{
+        return ASN1_BIT_STRING_new();
+}
+
+static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+             ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
+{
+        BIT_STRING_BITNAME *bnam;
+        for(bnam =method->usr_data; bnam->lname; bnam++) {
+                if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) 
+                        X509V3_add_value(bnam->lname, NULL, &ret);
+        }
+        return ret;
+}
+        
+static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        CONF_VALUE *val;
+        ASN1_BIT_STRING *bs;
+        int i;
+        BIT_STRING_BITNAME *bnam;
+        if(!(bs = ASN1_BIT_STRING_new())) {
+                X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                for(bnam = method->usr_data; bnam->lname; bnam++) {
+                        if(!strcmp(bnam->sname, val->name) ||
+                                !strcmp(bnam->lname, val->name) ) {
+                                ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+                                break;
+                        }
+                }
+                if(!bnam->lname) {
+                        X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+                                        X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+                        X509V3_conf_err(val);
+                        ASN1_BIT_STRING_free(bs);
+                        return NULL;
+                }
+        }
+        return bs;
+}
+        
+
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
new file mode 100644
index 0000000000..f19bb3ad84
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -0,0 +1,366 @@
+/* v3_conf.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* extension creation utilities */
+
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static int v3_check_critical(char **value);
+static int v3_check_generic(char **value);
+static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type);
+static char *conf_lhash_get_string(void *db, char *section, char *value);
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+                                                 int crit, void *ext_struc);
+/* LHASH *conf:  Config file    */
+/* char *name:  Name    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+             char *value)
+{
+        int crit;
+        int ext_type;
+        X509_EXTENSION *ret;
+        crit = v3_check_critical(&value);
+        if((ext_type = v3_check_generic(&value))) 
+                return v3_generic_extension(name, value, crit, ext_type);
+        ret = do_ext_conf(conf, ctx, OBJ_sn2nid(name), crit, value);
+        if(!ret) {
+                X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION);
+                ERR_add_error_data(4,"name=", name, ", value=", value);
+        }
+        return ret;
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+             char *value)
+{
+        int crit;
+        int ext_type;
+        crit = v3_check_critical(&value);
+        if((ext_type = v3_check_generic(&value))) 
+                return v3_generic_extension(OBJ_nid2sn(ext_nid),
+                                                         value, crit, ext_type);
+        return do_ext_conf(conf, ctx, ext_nid, crit, value);
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+             int crit, char *value)
+{
+        X509V3_EXT_METHOD *method;
+        X509_EXTENSION *ext;
+        STACK_OF(CONF_VALUE) *nval;
+        void *ext_struc;
+        if(ext_nid == NID_undef) {
+                X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
+                return NULL;
+        }
+        if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+                X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION);
+                return NULL;
+        }
+        /* Now get internal extension representation based on type */
+        if(method->v2i) {
+                if(*value == '@') nval = CONF_get_section(conf, value + 1);
+                else nval = X509V3_parse_list(value);
+                if(!nval) {
+                        X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
+                        ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
+                        return NULL;
+                }
+                ext_struc = method->v2i(method, ctx, nval);
+                if(*value != '@') sk_CONF_VALUE_pop_free(nval,
+                                                         X509V3_conf_free);
+                if(!ext_struc) return NULL;
+        } else if(method->s2i) {
+                if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
+        } else if(method->r2i) {
+                if(!ctx->db) {
+                        X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
+                        return NULL;
+                }
+                if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
+        } else {
+                X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
+                ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
+                return NULL;
+        }
+
+        ext  = do_ext_i2d(method, ext_nid, crit, ext_struc);
+        method->ext_free(ext_struc);
+        return ext;
+
+}
+
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+                                                 int crit, void *ext_struc)
+{
+        unsigned char *ext_der, *p;
+        int ext_len;
+        ASN1_OCTET_STRING *ext_oct;
+        X509_EXTENSION *ext;
+        /* Convert internal representation to DER */
+        ext_len = method->i2d(ext_struc, NULL);
+        if(!(ext_der = Malloc(ext_len))) goto merr;
+        p = ext_der;
+        method->i2d(ext_struc, &p);
+        if(!(ext_oct = ASN1_OCTET_STRING_new())) goto merr;
+        ext_oct->data = ext_der;
+        ext_oct->length = ext_len;
+        
+        ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
+        if(!ext) goto merr;
+        ASN1_OCTET_STRING_free(ext_oct);
+
+        return ext;
+
+        merr:
+        X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
+        return NULL;
+
+}
+
+/* Given an internal structure, nid and critical flag create an extension */
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
+{
+        X509V3_EXT_METHOD *method;
+        if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+                X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
+                return NULL;
+        }
+        return do_ext_i2d(method, ext_nid, crit, ext_struc);
+}
+
+/* Check the extension string for critical flag */
+static int v3_check_critical(char **value)
+{
+        char *p = *value;
+        if((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
+        p+=9;
+        while(isspace((unsigned char)*p)) p++;
+        *value = p;
+        return 1;
+}
+
+/* Check extension string for generic extension and return the type */
+static int v3_check_generic(char **value)
+{
+        char *p = *value;
+        if((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+        p+=4;
+        while(isspace((unsigned char)*p)) p++;
+        *value = p;
+        return 1;
+}
+
+/* Create a generic extension: for now just handle RAW type */
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
+             int crit, int type)
+{
+unsigned char *ext_der=NULL;
+long ext_len;
+ASN1_OBJECT *obj=NULL;
+ASN1_OCTET_STRING *oct=NULL;
+X509_EXTENSION *extension=NULL;
+if(!(obj = OBJ_txt2obj(ext, 0))) {
+        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
+        ERR_add_error_data(2, "name=", ext);
+        goto err;
+}
+
+if(!(ext_der = string_to_hex(value, &ext_len))) {
+        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
+        ERR_add_error_data(2, "value=", value);
+        goto err;
+}
+
+if(!(oct = ASN1_OCTET_STRING_new())) {
+        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
+        goto err;
+}
+
+oct->data = ext_der;
+oct->length = ext_len;
+ext_der = NULL;
+
+extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
+
+err:
+ASN1_OBJECT_free(obj);
+ASN1_OCTET_STRING_free(oct);
+if(ext_der) Free(ext_der);
+return extension;
+}
+
+
+/* This is the main function: add a bunch of extensions based on a config file
+ * section
+ */
+
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509 *cert)
+{
+        X509_EXTENSION *ext;
+        STACK_OF(CONF_VALUE) *nval;
+        CONF_VALUE *val;        
+        int i;
+        if(!(nval = CONF_get_section(conf, section))) return 0;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+                                                                return 0;
+                if(cert) X509_add_ext(cert, ext, -1);
+                X509_EXTENSION_free(ext);
+        }
+        return 1;
+}
+
+/* Same as above but for a CRL */
+
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509_CRL *crl)
+{
+        X509_EXTENSION *ext;
+        STACK_OF(CONF_VALUE) *nval;
+        CONF_VALUE *val;        
+        int i;
+        if(!(nval = CONF_get_section(conf, section))) return 0;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+                                                                return 0;
+                if(crl) X509_CRL_add_ext(crl, ext, -1);
+                X509_EXTENSION_free(ext);
+        }
+        return 1;
+}
+
+/* Config database functions */
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
+{
+        if(ctx->db_meth->get_string)
+                        return ctx->db_meth->get_string(ctx->db, name, section);
+        return NULL;
+}
+
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
+{
+        if(ctx->db_meth->get_section)
+                        return ctx->db_meth->get_section(ctx->db, section);
+        return NULL;
+}
+
+void X509V3_string_free(X509V3_CTX *ctx, char *str)
+{
+        if(!str) return;
+        if(ctx->db_meth->free_string)
+                        ctx->db_meth->free_string(ctx->db, str);
+}
+
+void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
+{
+        if(!section) return;
+        if(ctx->db_meth->free_section)
+                        ctx->db_meth->free_section(ctx->db, section);
+}
+
+static char *conf_lhash_get_string(void *db, char *section, char *value)
+{
+        return CONF_get_string(db, section, value);
+}
+
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
+{
+        return CONF_get_section(db, section);
+}
+
+static X509V3_CONF_METHOD conf_lhash_method = {
+conf_lhash_get_string,
+conf_lhash_get_section,
+NULL,
+NULL
+};
+
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash)
+{
+        ctx->db_meth = &conf_lhash_method;
+        ctx->db = lhash;
+}
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
+             X509_CRL *crl, int flags)
+{
+        ctx->issuer_cert = issuer;
+        ctx->subject_cert = subj;
+        ctx->crl = crl;
+        ctx->subject_req = req;
+        ctx->flags = flags;
+}
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
new file mode 100644
index 0000000000..b4d4883545
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -0,0 +1,655 @@
+/* v3_cpols.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+/* Certificate policies extension support: this one is a bit complex... */
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
+static void print_notice(BIO *out, USERNOTICE *notice, int indent);
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+                                 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+                                        STACK_OF(CONF_VALUE) *unot, int ia5org);
+static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos);
+
+X509V3_EXT_METHOD v3_cpols = {
+NID_certificate_policies, 0,
+(X509V3_EXT_NEW)CERTIFICATEPOLICIES_new,
+(X509V3_EXT_FREE)CERTIFICATEPOLICIES_free,
+(X509V3_EXT_D2I)d2i_CERTIFICATEPOLICIES,
+(X509V3_EXT_I2D)i2d_CERTIFICATEPOLICIES,
+NULL, NULL,
+NULL, NULL,
+(X509V3_EXT_I2R)i2r_certpol,
+(X509V3_EXT_R2I)r2i_certpol,
+NULL
+};
+
+
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
+                X509V3_CTX *ctx, char *value)
+{
+        STACK_OF(POLICYINFO) *pols = NULL;
+        char *pstr;
+        POLICYINFO *pol;
+        ASN1_OBJECT *pobj;
+        STACK_OF(CONF_VALUE) *vals;
+        CONF_VALUE *cnf;
+        int i, ia5org;
+        pols = sk_POLICYINFO_new_null();
+        vals =  X509V3_parse_list(value);
+        ia5org = 0;
+        for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+                cnf = sk_CONF_VALUE_value(vals, i);
+                if(cnf->value || !cnf->name ) {
+                        X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+                pstr = cnf->name;
+                if(!strcmp(pstr,"ia5org")) {
+                        ia5org = 1;
+                        continue;
+                } else if(*pstr == '@') {
+                        STACK_OF(CONF_VALUE) *polsect;
+                        polsect = X509V3_get_section(ctx, pstr + 1);
+                        if(!polsect) {
+                                X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
+
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        pol = policy_section(ctx, polsect, ia5org);
+                        X509V3_section_free(ctx, polsect);
+                        if(!pol) goto err;
+                } else {
+                        if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+                                X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        pol = POLICYINFO_new();
+                        pol->policyid = pobj;
+                }
+                sk_POLICYINFO_push(pols, pol);
+        }
+        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+        return pols;
+        err:
+        sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
+        return NULL;
+}
+
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+                                STACK_OF(CONF_VALUE) *polstrs, int ia5org)
+{
+        int i;
+        CONF_VALUE *cnf;
+        POLICYINFO *pol;
+        POLICYQUALINFO *qual;
+        if(!(pol = POLICYINFO_new())) goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
+                cnf = sk_CONF_VALUE_value(polstrs, i);
+                if(!strcmp(cnf->name, "policyIdentifier")) {
+                        ASN1_OBJECT *pobj;
+                        if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
+                                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        pol->policyid = pobj;
+
+                } else if(!name_cmp(cnf->name, "CPS")) {
+                        if(!pol->qualifiers) pol->qualifiers =
+                                                 sk_POLICYQUALINFO_new_null();
+                        if(!(qual = POLICYQUALINFO_new())) goto merr;
+                        if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+                                                                 goto merr;
+                        qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
+                        qual->d.cpsuri = ASN1_IA5STRING_new();
+                        if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
+                                                 strlen(cnf->value))) goto merr;
+                } else if(!name_cmp(cnf->name, "userNotice")) {
+                        STACK_OF(CONF_VALUE) *unot;
+                        if(*cnf->value != '@') {
+                                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        unot = X509V3_get_section(ctx, cnf->value + 1);
+                        if(!unot) {
+                                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
+
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        qual = notice_section(ctx, unot, ia5org);
+                        X509V3_section_free(ctx, unot);
+                        if(!qual) goto err;
+                        if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+                                                                 goto merr;
+                } else {
+                        X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
+
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+        }
+        if(!pol->policyid) {
+                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
+                goto err;
+        }
+
+        return pol;
+
+        merr:
+        X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+
+        err:
+        POLICYINFO_free(pol);
+        return NULL;
+        
+        
+}
+
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+                                        STACK_OF(CONF_VALUE) *unot, int ia5org)
+{
+        int i;
+        CONF_VALUE *cnf;
+        USERNOTICE *not;
+        POLICYQUALINFO *qual;
+        if(!(qual = POLICYQUALINFO_new())) goto merr;
+        qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+        if(!(not = USERNOTICE_new())) goto merr;
+        qual->d.usernotice = not;
+        for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
+                cnf = sk_CONF_VALUE_value(unot, i);
+                if(!strcmp(cnf->name, "explicitText")) {
+                        not->exptext = ASN1_VISIBLESTRING_new();
+                        if(!ASN1_STRING_set(not->exptext, cnf->value,
+                                                 strlen(cnf->value))) goto merr;
+                } else if(!strcmp(cnf->name, "organization")) {
+                        NOTICEREF *nref;
+                        if(!not->noticeref) {
+                                if(!(nref = NOTICEREF_new())) goto merr;
+                                not->noticeref = nref;
+                        } else nref = not->noticeref;
+                        if(ia5org) nref->organization = ASN1_IA5STRING_new();
+                        else nref->organization = ASN1_VISIBLESTRING_new();
+                        if(!ASN1_STRING_set(nref->organization, cnf->value,
+                                                 strlen(cnf->value))) goto merr;
+                } else if(!strcmp(cnf->name, "noticeNumbers")) {
+                        NOTICEREF *nref;
+                        STACK_OF(CONF_VALUE) *nos;
+                        if(!not->noticeref) {
+                                if(!(nref = NOTICEREF_new())) goto merr;
+                                not->noticeref = nref;
+                        } else nref = not->noticeref;
+                        nos = X509V3_parse_list(cnf->value);
+                        if(!nos || !sk_CONF_VALUE_num(nos)) {
+                                X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        nref->noticenos = nref_nos(nos);
+                        sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
+                        if(!nref->noticenos) goto err;
+                } else {
+                        X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
+
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+        }
+
+        if(not->noticeref && 
+              (!not->noticeref->noticenos || !not->noticeref->organization)) {
+                        X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
+                        goto err;
+        }
+
+        return qual;
+
+        merr:
+        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+        err:
+        POLICYQUALINFO_free(qual);
+        return NULL;
+}
+
+static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos)
+{
+        STACK *nnums;
+        CONF_VALUE *cnf;
+        ASN1_INTEGER *aint;
+        int i;
+        if(!(nnums = sk_new_null())) goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
+                cnf = sk_CONF_VALUE_value(nos, i);
+                if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+                        X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
+                        goto err;
+                }
+                if(!sk_push(nnums, (char *)aint)) goto merr;
+        }
+        return nnums;
+
+        merr:
+        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+        err:
+        sk_pop_free(nnums, ASN1_STRING_free);
+        return NULL;
+}
+
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
+                BIO *out, int indent)
+{
+        int i;
+        POLICYINFO *pinfo;
+        /* First print out the policy OIDs */
+        for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
+                pinfo = sk_POLICYINFO_value(pol, i);
+                BIO_printf(out, "%*sPolicy: ", indent, "");
+                i2a_ASN1_OBJECT(out, pinfo->policyid);
+                BIO_puts(out, "\n");
+                if(pinfo->qualifiers)
+                         print_qualifiers(out, pinfo->qualifiers, indent + 2);
+        }
+        return 1;
+}
+
+
+int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_POLICYINFO(a, pp, i2d_POLICYINFO, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void)
+{
+        return sk_POLICYINFO_new_null();
+}
+
+void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a)
+{
+        sk_POLICYINFO_pop_free(a, POLICYINFO_free);
+}
+
+STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a,
+                unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_POLICYINFO(a, pp, length, d2i_POLICYINFO,
+                         POLICYINFO_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(POLICYINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYINFO)
+
+int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->policyid, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+                                                         i2d_POLICYQUALINFO);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->policyid, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+                                                         i2d_POLICYQUALINFO);
+
+        M_ASN1_I2D_finish();
+}
+
+POLICYINFO *POLICYINFO_new(void)
+{
+        POLICYINFO *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, POLICYINFO);
+        ret->policyid = NULL;
+        ret->qualifiers = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_POLICYINFO_NEW);
+}
+
+POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp,long length)
+{
+        M_ASN1_D2I_vars(a,POLICYINFO *,POLICYINFO_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->policyid, d2i_ASN1_OBJECT);
+        if(!M_ASN1_D2I_end_sequence()) {
+                M_ASN1_D2I_get_seq_type (POLICYQUALINFO, ret->qualifiers,
+                                 d2i_POLICYQUALINFO, POLICYQUALINFO_free);
+        }
+        M_ASN1_D2I_Finish(a, POLICYINFO_free, ASN1_F_D2I_POLICYINFO);
+}
+
+void POLICYINFO_free(POLICYINFO *a)
+{
+        if (a == NULL) return;
+        ASN1_OBJECT_free(a->policyid);
+        sk_POLICYQUALINFO_pop_free(a->qualifiers, POLICYQUALINFO_free);
+        Free (a);
+}
+
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
+                int indent)
+{
+        POLICYQUALINFO *qualinfo;
+        int i;
+        for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
+                qualinfo = sk_POLICYQUALINFO_value(quals, i);
+                switch(OBJ_obj2nid(qualinfo->pqualid))
+                {
+                        case NID_id_qt_cps:
+                        BIO_printf(out, "%*sCPS: %s\n", indent, "",
+                                                qualinfo->d.cpsuri->data);
+                        break;
+                
+                        case NID_id_qt_unotice:
+                        BIO_printf(out, "%*sUser Notice:\n", indent, "");
+                        print_notice(out, qualinfo->d.usernotice, indent + 2);
+                        break;
+
+                        default:
+                        BIO_printf(out, "%*sUnknown Qualifier: ",
+                                                         indent + 2, "");
+                        
+                        i2a_ASN1_OBJECT(out, qualinfo->pqualid);
+                        BIO_puts(out, "\n");
+                        break;
+                }
+        }
+}
+
+static void print_notice(BIO *out, USERNOTICE *notice, int indent)
+{
+        int i;
+        if(notice->noticeref) {
+                NOTICEREF *ref;
+                ref = notice->noticeref;
+                BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+                                                 ref->organization->data);
+                BIO_printf(out, "%*sNumber%s: ", indent, "",
+                                 (sk_num(ref->noticenos) > 1) ? "s" : "");
+                for(i = 0; i < sk_num(ref->noticenos); i++) {
+                        ASN1_INTEGER *num;
+                        char *tmp;
+                        num = (ASN1_INTEGER *)sk_value(ref->noticenos, i);
+                        if(i) BIO_puts(out, ", ");
+                        tmp = i2s_ASN1_INTEGER(NULL, num);
+                        BIO_puts(out, tmp);
+                        Free(tmp);
+                }
+                BIO_puts(out, "\n");
+        }
+        if(notice->exptext)
+                BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+                                                         notice->exptext->data);
+}
+                
+        
+
+int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->pqualid, i2d_ASN1_OBJECT);
+        switch(OBJ_obj2nid(a->pqualid)) {
+                case NID_id_qt_cps:
+                M_ASN1_I2D_len(a->d.cpsuri, i2d_ASN1_IA5STRING);
+                break;
+
+                case NID_id_qt_unotice:
+                M_ASN1_I2D_len(a->d.usernotice, i2d_USERNOTICE);
+                break;
+
+                default:
+                M_ASN1_I2D_len(a->d.other, i2d_ASN1_TYPE);
+                break;
+        }
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->pqualid, i2d_ASN1_OBJECT);
+        switch(OBJ_obj2nid(a->pqualid)) {
+                case NID_id_qt_cps:
+                M_ASN1_I2D_put(a->d.cpsuri, i2d_ASN1_IA5STRING);
+                break;
+
+                case NID_id_qt_unotice:
+                M_ASN1_I2D_put(a->d.usernotice, i2d_USERNOTICE);
+                break;
+
+                default:
+                M_ASN1_I2D_put(a->d.other, i2d_ASN1_TYPE);
+                break;
+        }
+
+        M_ASN1_I2D_finish();
+}
+
+POLICYQUALINFO *POLICYQUALINFO_new(void)
+{
+        POLICYQUALINFO *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, POLICYQUALINFO);
+        ret->pqualid = NULL;
+        ret->d.other = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_POLICYQUALINFO_NEW);
+}
+
+POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
+                long length)
+{
+        M_ASN1_D2I_vars(a,POLICYQUALINFO *,POLICYQUALINFO_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->pqualid, d2i_ASN1_OBJECT);
+        switch(OBJ_obj2nid(ret->pqualid)) {
+                case NID_id_qt_cps:
+                M_ASN1_D2I_get(ret->d.cpsuri, d2i_ASN1_IA5STRING);
+                break;
+
+                case NID_id_qt_unotice:
+                M_ASN1_D2I_get(ret->d.usernotice, d2i_USERNOTICE);
+                break;
+
+                default:
+                M_ASN1_D2I_get(ret->d.other, d2i_ASN1_TYPE);
+                break;
+        }
+        M_ASN1_D2I_Finish(a, POLICYQUALINFO_free, ASN1_F_D2I_POLICYQUALINFO);
+}
+
+void POLICYQUALINFO_free(POLICYQUALINFO *a)
+{
+        if (a == NULL) return;
+        switch(OBJ_obj2nid(a->pqualid)) {
+                case NID_id_qt_cps:
+                ASN1_IA5STRING_free(a->d.cpsuri);
+                break;
+
+                case NID_id_qt_unotice:
+                USERNOTICE_free(a->d.usernotice);
+                break;
+
+                default:
+                ASN1_TYPE_free(a->d.other);
+                break;
+        }
+        
+        ASN1_OBJECT_free(a->pqualid);
+        Free (a);
+}
+
+int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->noticeref, i2d_NOTICEREF);
+        M_ASN1_I2D_len (a->exptext, i2d_DISPLAYTEXT);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->noticeref, i2d_NOTICEREF);
+        M_ASN1_I2D_put (a->exptext, i2d_DISPLAYTEXT);
+
+        M_ASN1_I2D_finish();
+}
+
+USERNOTICE *USERNOTICE_new(void)
+{
+        USERNOTICE *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, USERNOTICE);
+        ret->noticeref = NULL;
+        ret->exptext = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_USERNOTICE_NEW);
+}
+
+USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp,long length)
+{
+        M_ASN1_D2I_vars(a,USERNOTICE *,USERNOTICE_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_opt(ret->noticeref, d2i_NOTICEREF, V_ASN1_SEQUENCE);
+        if (!M_ASN1_D2I_end_sequence()) {
+                M_ASN1_D2I_get(ret->exptext, d2i_DISPLAYTEXT);
+        }
+        M_ASN1_D2I_Finish(a, USERNOTICE_free, ASN1_F_D2I_USERNOTICE);
+}
+
+void USERNOTICE_free(USERNOTICE *a)
+{
+        if (a == NULL) return;
+        NOTICEREF_free(a->noticeref);
+        DISPLAYTEXT_free(a->exptext);
+        Free (a);
+}
+
+int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->organization, i2d_DISPLAYTEXT);
+        M_ASN1_I2D_len_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->organization, i2d_DISPLAYTEXT);
+        M_ASN1_I2D_put_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_finish();
+}
+
+NOTICEREF *NOTICEREF_new(void)
+{
+        NOTICEREF *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, NOTICEREF);
+        ret->organization = NULL;
+        ret->noticenos = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_NOTICEREF_NEW);
+}
+
+NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp,long length)
+{
+        M_ASN1_D2I_vars(a,NOTICEREF *,NOTICEREF_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        /* This is to cope with some broken encodings that use IA5STRING for
+         * the organization field
+         */
+        M_ASN1_D2I_get_opt(ret->organization, d2i_ASN1_IA5STRING,
+                                                         V_ASN1_IA5STRING);
+        if(!ret->organization) {
+                 M_ASN1_D2I_get(ret->organization, d2i_DISPLAYTEXT);
+        }
+        M_ASN1_D2I_get_seq(ret->noticenos, d2i_ASN1_INTEGER, ASN1_STRING_free);
+        M_ASN1_D2I_Finish(a, NOTICEREF_free, ASN1_F_D2I_NOTICEREF);
+}
+
+void NOTICEREF_free(NOTICEREF *a)
+{
+        if (a == NULL) return;
+        DISPLAYTEXT_free(a->organization);
+        sk_pop_free(a->noticenos, ASN1_STRING_free);
+        Free (a);
+}
+
+IMPLEMENT_STACK_OF(POLICYQUALINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYQUALINFO)
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
new file mode 100644
index 0000000000..897ffb63e4
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -0,0 +1,283 @@
+/* v3_crld.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+                STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
+(X509V3_EXT_FREE)CRL_DIST_POINTS_free,
+(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
+(X509V3_EXT_I2D)i2d_CRL_DIST_POINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+NULL, NULL, NULL
+};
+
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+                        STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+{
+        DIST_POINT *point;
+        int i;
+        for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+                point = sk_DIST_POINT_value(crld, i);
+                if(point->distpoint->fullname) {
+                        exts = i2v_GENERAL_NAMES(NULL,
+                                         point->distpoint->fullname, exts);
+                }
+                if(point->reasons) 
+                        X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+                if(point->CRLissuer)
+                        X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+                if(point->distpoint->relativename)
+                        X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+        }
+        return exts;
+}
+
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(DIST_POINT) *crld = NULL;
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        GENERAL_NAME *gen = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                DIST_POINT *point;
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+                if(!(gens = GENERAL_NAMES_new())) goto merr;
+                if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+                gen = NULL;
+                if(!(point = DIST_POINT_new())) goto merr;
+                if(!sk_DIST_POINT_push(crld, point)) {
+                        DIST_POINT_free(point);
+                        goto merr;
+                }
+                if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+                point->distpoint->fullname = gens;
+                gens = NULL;
+        }
+        return crld;
+
+        merr:
+        X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+        err:
+        GENERAL_NAME_free(gen);
+        GENERAL_NAMES_free(gens);
+        sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+        return NULL;
+}
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
+{
+        return sk_DIST_POINT_new_null();
+}
+
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
+{
+        sk_DIST_POINT_pop_free(a, DIST_POINT_free);
+}
+
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+                unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
+                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(DIST_POINT)
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
+{
+        int v = 0;
+        M_ASN1_I2D_vars(a);
+        /* NB: underlying type is a CHOICE so need EXPLICIT tagging */
+        M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+        M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
+        M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+        M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
+        M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+
+        M_ASN1_I2D_finish();
+}
+
+DIST_POINT *DIST_POINT_new(void)
+{
+        DIST_POINT *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, DIST_POINT);
+        ret->distpoint = NULL;
+        ret->reasons = NULL;
+        ret->CRLissuer = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
+}
+
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
+        M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
+                                                        V_ASN1_BIT_STRING);
+        M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
+                                                        V_ASN1_SEQUENCE);
+        M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
+}
+
+void DIST_POINT_free(DIST_POINT *a)
+{
+        if (a == NULL) return;
+        DIST_POINT_NAME_free(a->distpoint);
+        ASN1_BIT_STRING_free(a->reasons);
+        sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
+        Free ((char *)a);
+}
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
+{
+        int v = 0;
+        M_ASN1_I2D_vars(a);
+
+        if(a->fullname) {
+                M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
+        } else {
+                M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+        }
+
+        /* Don't want a SEQUENCE so... */
+        if(pp == NULL) return ret;
+        p = *pp;
+
+        if(a->fullname) {
+                M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
+        } else {
+                M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+        }
+        M_ASN1_I2D_finish();
+}
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void)
+{
+        DIST_POINT_NAME *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
+        ret->fullname = NULL;
+        ret->relativename = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
+}
+
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+        if (a == NULL) return;
+        X509_NAME_free(a->relativename);
+        sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
+        Free ((char *)a);
+}
+
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+             long length)
+{
+        unsigned char _tmp, tag;
+        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        tag = _tmp & ~V_ASN1_CONSTRUCTED;
+        
+        if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
+                M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
+                                                        V_ASN1_SEQUENCE);
+        } else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
+                M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1);
+        } else {
+                c.error = ASN1_R_BAD_TAG;
+                goto err;
+        }
+
+        M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
+}
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
new file mode 100644
index 0000000000..db423548ff
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -0,0 +1,103 @@
+/* v3_enum.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_ENUMERATED *asn1_enumerated_new(void);
+
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unspecified", "unspecified"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "CACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{8, "Remove From CRL", "removeFromCRL"},
+{-1, NULL, NULL}
+};
+
+X509V3_EXT_METHOD v3_crl_reason = { 
+NID_crl_reason, 0,
+(X509V3_EXT_NEW)asn1_enumerated_new,
+(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_ENUMERATED,
+(X509V3_EXT_I2D)i2d_ASN1_ENUMERATED,
+(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
+(X509V3_EXT_S2I)NULL,
+NULL, NULL, NULL, NULL, crl_reasons};
+
+
+static ASN1_ENUMERATED *asn1_enumerated_new(void)
+{
+        return ASN1_ENUMERATED_new();
+}
+
+char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
+             ASN1_ENUMERATED *e)
+{
+        ENUMERATED_NAMES *enam;
+        long strval;
+        strval = ASN1_ENUMERATED_get(e);
+        for(enam = method->usr_data; enam->lname; enam++) {
+                if(strval == enam->bitnum) return BUF_strdup(enam->lname);
+        }
+        return i2s_ASN1_ENUMERATED(method, e);
+}
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
new file mode 100644
index 0000000000..e039d21cbf
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -0,0 +1,150 @@
+/* v3_extku.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
+                STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *extlist);
+X509V3_EXT_METHOD v3_ext_ku = {
+NID_ext_key_usage, 0,
+(X509V3_EXT_NEW)ext_ku_new,
+(X509V3_EXT_FREE)ext_ku_free,
+(X509V3_EXT_D2I)d2i_ext_ku,
+(X509V3_EXT_I2D)i2d_ext_ku,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_ext_ku,
+(X509V3_EXT_V2I)v2i_ext_ku,
+NULL,NULL,
+NULL
+};
+
+STACK_OF(ASN1_OBJECT) *ext_ku_new(void)
+{
+        return sk_ASN1_OBJECT_new_null();
+}
+
+void ext_ku_free(STACK_OF(ASN1_OBJECT) *eku)
+{
+        sk_ASN1_OBJECT_pop_free(eku, ASN1_OBJECT_free);
+        return;
+}
+
+int i2d_ext_ku(STACK_OF(ASN1_OBJECT) *a, unsigned char **pp)
+{
+        return i2d_ASN1_SET_OF_ASN1_OBJECT(a, pp, i2d_ASN1_OBJECT,
+                                V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+STACK_OF(ASN1_OBJECT) *d2i_ext_ku(STACK_OF(ASN1_OBJECT) **a,
+                                        unsigned char **pp, long length)
+{
+        return d2i_ASN1_SET_OF_ASN1_OBJECT(a, pp, length, d2i_ASN1_OBJECT,
+                         ASN1_OBJECT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+
+
+static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
+                STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *ext_list)
+{
+int i;
+ASN1_OBJECT *obj;
+char obj_tmp[80];
+for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+        obj = sk_ASN1_OBJECT_value(eku, i);
+        i2t_ASN1_OBJECT(obj_tmp, 80, obj);
+        X509V3_add_value(NULL, obj_tmp, &ext_list);
+}
+return ext_list;
+}
+
+static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+STACK_OF(ASN1_OBJECT) *extku;
+char *extval;
+ASN1_OBJECT *objtmp;
+CONF_VALUE *val;
+int i;
+
+if(!(extku = sk_ASN1_OBJECT_new(NULL))) {
+        X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+        val = sk_CONF_VALUE_value(nval, i);
+        if(val->value) extval = val->value;
+        else extval = val->name;
+        if(!(objtmp = OBJ_txt2obj(extval, 0))) {
+                sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+                X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                X509V3_conf_err(val);
+                return NULL;
+        }
+        sk_ASN1_OBJECT_push(extku, objtmp);
+}
+return extku;
+}
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
new file mode 100644
index 0000000000..af716232f8
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -0,0 +1,237 @@
+/* v3_genn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp)
+{
+        unsigned char *p;
+        int ret;
+
+        ret = 0;
+
+        /* Save the location of initial TAG */
+        if(pp) p = *pp;
+        else p = NULL;
+
+        /* GEN_DNAME needs special treatment because of EXPLICIT tag */
+
+        if(a->type == GEN_DIRNAME) {
+                int v = 0;
+                M_ASN1_I2D_len_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
+                if(!p) return ret;
+                M_ASN1_I2D_put_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
+                *pp = p;
+                return ret;
+        }
+
+        switch(a->type) {
+
+                case GEN_OTHERNAME:
+                case GEN_X400:
+                case GEN_EDIPARTY:
+                ret = i2d_ASN1_TYPE(a->d.other, pp);
+                break;
+
+                case GEN_EMAIL:
+                case GEN_DNS:
+                case GEN_URI:
+                ret = i2d_ASN1_IA5STRING(a->d.ia5, pp);
+                break;
+
+                case GEN_IPADD:
+                ret = i2d_ASN1_OCTET_STRING(a->d.ip, pp);
+                break;
+        
+                case GEN_RID:
+                ret = i2d_ASN1_OBJECT(a->d.rid, pp);
+                break;
+        }
+        /* Replace TAG with IMPLICIT value */
+        if(p) *p = (*p & V_ASN1_CONSTRUCTED) | a->type;
+        return ret;
+}
+
+GENERAL_NAME *GENERAL_NAME_new()
+{
+        GENERAL_NAME *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, GENERAL_NAME);
+        ret->type = -1;
+        ret->d.ptr = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_GENERAL_NAME_NEW);
+}
+
+GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp,
+                                                                 long length)
+{
+        unsigned char _tmp;
+        M_ASN1_D2I_vars(a,GENERAL_NAME *,GENERAL_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        ret->type = _tmp & ~V_ASN1_CONSTRUCTED;
+
+        switch(ret->type) {
+                /* Just put these in a "blob" for now */
+                case GEN_OTHERNAME:
+                case GEN_X400:
+                case GEN_EDIPARTY:
+                M_ASN1_D2I_get_imp(ret->d.other, d2i_ASN1_TYPE,V_ASN1_SEQUENCE);
+                break;
+
+                case GEN_EMAIL:
+                case GEN_DNS:
+                case GEN_URI:
+                M_ASN1_D2I_get_imp(ret->d.ia5, d2i_ASN1_IA5STRING,
+                                                        V_ASN1_IA5STRING);
+                break;
+
+                case GEN_DIRNAME:
+                M_ASN1_D2I_get_EXP_opt(ret->d.dirn, d2i_X509_NAME, 4);
+                break;
+
+                case GEN_IPADD:
+                M_ASN1_D2I_get_imp(ret->d.ip, d2i_ASN1_OCTET_STRING,
+                                                        V_ASN1_OCTET_STRING);
+                break;
+        
+                case GEN_RID:
+                M_ASN1_D2I_get_imp(ret->d.rid, d2i_ASN1_OBJECT,V_ASN1_OBJECT);
+                break;
+
+                default:
+                c.error = ASN1_R_BAD_TAG;
+                goto err;
+        }
+
+        c.slen = 0;
+        M_ASN1_D2I_Finish(a, GENERAL_NAME_free, ASN1_F_D2I_GENERAL_NAME);
+}
+
+void GENERAL_NAME_free(GENERAL_NAME *a)
+{
+        if (a == NULL) return;
+        switch(a->type) {
+                case GEN_OTHERNAME:
+                case GEN_X400:
+                case GEN_EDIPARTY:
+                ASN1_TYPE_free(a->d.other);
+                break;
+
+                case GEN_EMAIL:
+                case GEN_DNS:
+                case GEN_URI:
+
+                ASN1_IA5STRING_free(a->d.ia5);
+                break;
+
+                case GEN_DIRNAME:
+                X509_NAME_free(a->d.dirn);
+                break;
+
+                case GEN_IPADD:
+                ASN1_OCTET_STRING_free(a->d.ip);
+                break;
+        
+                case GEN_RID:
+                ASN1_OBJECT_free(a->d.rid);
+                break;
+
+        }
+        Free ((char *)a);
+}
+
+/* Now the GeneralNames versions: a SEQUENCE OF GeneralName These are needed as
+ * an explicit functions.
+ */
+
+STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new()
+{
+        return sk_GENERAL_NAME_new(NULL);
+}
+
+void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a)
+{
+        sk_GENERAL_NAME_pop_free(a, GENERAL_NAME_free);
+}
+
+STACK_OF(GENERAL_NAME) *d2i_GENERAL_NAMES(STACK_OF(GENERAL_NAME) **a,
+                                         unsigned char **pp, long length)
+{
+return d2i_ASN1_SET_OF_GENERAL_NAME(a, pp, length, d2i_GENERAL_NAME,
+                         GENERAL_NAME_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+int i2d_GENERAL_NAMES(STACK_OF(GENERAL_NAME) *a, unsigned char **pp)
+{
+return i2d_ASN1_SET_OF_GENERAL_NAME(a, pp, i2d_GENERAL_NAME, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+IMPLEMENT_STACK_OF(GENERAL_NAME)
+IMPLEMENT_ASN1_SET_OF(GENERAL_NAME)
+
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
new file mode 100644
index 0000000000..3446c5cd6a
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -0,0 +1,116 @@
+/* v3_ia5.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static ASN1_IA5STRING *ia5string_new(void);
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+X509V3_EXT_METHOD v3_ns_ia5_list[] = { 
+EXT_IA5STRING(NID_netscape_base_url),
+EXT_IA5STRING(NID_netscape_revocation_url),
+EXT_IA5STRING(NID_netscape_ca_revocation_url),
+EXT_IA5STRING(NID_netscape_renewal_url),
+EXT_IA5STRING(NID_netscape_ca_policy_url),
+EXT_IA5STRING(NID_netscape_ssl_server_name),
+EXT_IA5STRING(NID_netscape_comment),
+EXT_END
+};
+
+
+static ASN1_IA5STRING *ia5string_new(void)
+{
+        return ASN1_IA5STRING_new();
+}
+
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+             ASN1_IA5STRING *ia5)
+{
+        char *tmp;
+        if(!ia5 || !ia5->length) return NULL;
+        tmp = Malloc(ia5->length + 1);
+        memcpy(tmp, ia5->data, ia5->length);
+        tmp[ia5->length] = 0;
+        return tmp;
+}
+
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, char *str)
+{
+        ASN1_IA5STRING *ia5;
+        if(!str) {
+                X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
+                return NULL;
+        }
+        if(!(ia5 = ASN1_IA5STRING_new())) goto err;
+        if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
+                            strlen(str))) {
+                ASN1_IA5STRING_free(ia5);
+                goto err;
+        }
+        return ia5;
+        err:
+        X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
new file mode 100644
index 0000000000..78d2135046
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -0,0 +1,236 @@
+/* v3_info.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+                                                STACK_OF(CONF_VALUE) *ret);
+static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+X509V3_EXT_METHOD v3_info =
+{ NID_info_access, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)AUTHORITY_INFO_ACCESS_new,
+(X509V3_EXT_FREE)AUTHORITY_INFO_ACCESS_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_I2D)i2d_AUTHORITY_INFO_ACCESS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
+NULL, NULL, NULL};
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+                                                STACK_OF(CONF_VALUE) *ret)
+{
+        ACCESS_DESCRIPTION *desc;
+        int i;
+        char objtmp[80], *ntmp;
+        CONF_VALUE *vtmp;
+        for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
+                desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
+                ret = i2v_GENERAL_NAME(method, desc->location, ret);
+                if(!ret) break;
+                vtmp = sk_CONF_VALUE_value(ret, i);
+                i2t_ASN1_OBJECT(objtmp, 80, desc->method);
+                ntmp = Malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
+                if(!ntmp) {
+                        X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
+                                        ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                strcpy(ntmp, objtmp);
+                strcat(ntmp, " - ");
+                strcat(ntmp, vtmp->name);
+                Free(vtmp->name);
+                vtmp->name = ntmp;
+                
+        }
+        if(!ret) return sk_CONF_VALUE_new_null();
+        return ret;
+}
+
+static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(ACCESS_DESCRIPTION) *ainfo = NULL;
+        CONF_VALUE *cnf, ctmp;
+        ACCESS_DESCRIPTION *acc;
+        int i, objlen;
+        char *objtmp, *ptmp;
+        if(!(ainfo = sk_ACCESS_DESCRIPTION_new(NULL))) {
+                X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!(acc = ACCESS_DESCRIPTION_new())
+                        || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                ptmp = strchr(cnf->name, ';');
+                if(!ptmp) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX);
+                        goto err;
+                }
+                objlen = ptmp - cnf->name;
+                ctmp.name = ptmp + 1;
+                ctmp.value = cnf->value;
+                if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
+                                                                 goto err; 
+                if(!(objtmp = Malloc(objlen + 1))) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                strncpy(objtmp, cnf->name, objlen);
+                objtmp[objlen] = 0;
+                acc->method = OBJ_txt2obj(objtmp, 0);
+                if(!acc->method) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT);
+                        ERR_add_error_data(2, "value=", objtmp);
+                        Free(objtmp);
+                        goto err;
+                }
+                Free(objtmp);
+
+        }
+        return ainfo;
+        err:
+        sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
+        return NULL;
+}
+
+int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len(a->method, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len(a->location, i2d_GENERAL_NAME);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put(a->method, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put(a->location, i2d_GENERAL_NAME);
+
+        M_ASN1_I2D_finish();
+}
+
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void)
+{
+        ACCESS_DESCRIPTION *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, ACCESS_DESCRIPTION);
+        ret->method = OBJ_nid2obj(NID_undef);
+        ret->location = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_ACCESS_DESCRIPTION_NEW);
+}
+
+ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
+             long length)
+{
+        M_ASN1_D2I_vars(a,ACCESS_DESCRIPTION *,ACCESS_DESCRIPTION_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->method, d2i_ASN1_OBJECT);
+        M_ASN1_D2I_get(ret->location, d2i_GENERAL_NAME);
+        M_ASN1_D2I_Finish(a, ACCESS_DESCRIPTION_free, ASN1_F_D2I_ACCESS_DESCRIPTION);
+}
+
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
+{
+        if (a == NULL) return;
+        ASN1_OBJECT_free(a->method);
+        GENERAL_NAME_free(a->location);
+        Free (a);
+}
+
+STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void)
+{
+        return sk_ACCESS_DESCRIPTION_new(NULL);
+}
+
+void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a)
+{
+        sk_ACCESS_DESCRIPTION_pop_free(a, ACCESS_DESCRIPTION_free);
+}
+
+STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
+                                         unsigned char **pp, long length)
+{
+return d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, length, d2i_ACCESS_DESCRIPTION,
+                         ACCESS_DESCRIPTION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp)
+{
+return i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, i2d_ACCESS_DESCRIPTION, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+IMPLEMENT_STACK_OF(ACCESS_DESCRIPTION)
+IMPLEMENT_ASN1_SET_OF(ACCESS_DESCRIPTION)
+
+
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
new file mode 100644
index 0000000000..637dd5e128
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -0,0 +1,79 @@
+/* v3_int.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_INTEGER *asn1_integer_new(void);
+
+X509V3_EXT_METHOD v3_crl_num = { 
+NID_crl_number, 0,
+(X509V3_EXT_NEW)asn1_integer_new,
+(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_INTEGER,
+(X509V3_EXT_I2D)i2d_ASN1_INTEGER,
+(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+(X509V3_EXT_S2I)NULL,
+NULL, NULL, NULL, NULL, NULL};
+
+
+static ASN1_INTEGER *asn1_integer_new(void)
+{
+        return ASN1_INTEGER_new();
+}
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
new file mode 100644
index 0000000000..a0aa5de794
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -0,0 +1,177 @@
+/* v3_lib.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK *ext_list = NULL;
+
+static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b);
+static void ext_list_free(X509V3_EXT_METHOD *ext);
+
+int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+        if(!ext_list && !(ext_list = sk_new(ext_cmp))) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if(!sk_push(ext_list, (char *)ext)) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        return 1;
+}
+
+static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b)
+{
+        return ((*a)->ext_nid - (*b)->ext_nid);
+}
+
+X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
+{
+        X509V3_EXT_METHOD tmp;
+        int idx;
+        tmp.ext_nid = nid;
+        if(!ext_list || (tmp.ext_nid < 0) ) return NULL;
+        idx = sk_find(ext_list, (char *)&tmp);
+        if(idx == -1) return NULL;
+        return (X509V3_EXT_METHOD *)sk_value(ext_list, idx);
+}
+
+X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+{
+        int nid;
+        if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
+        return X509V3_EXT_get_nid(nid);
+}
+
+
+int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+        for(;extlist->ext_nid!=-1;extlist++) 
+                        if(!X509V3_EXT_add(extlist)) return 0;
+        return 1;
+}
+
+int X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+        X509V3_EXT_METHOD *ext, *tmpext;
+        if(!(ext = X509V3_EXT_get_nid(nid_from))) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
+                return 0;
+        }
+        if(!(tmpext = (X509V3_EXT_METHOD *)Malloc(sizeof(X509V3_EXT_METHOD)))) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        *tmpext = *ext;
+        tmpext->ext_nid = nid_to;
+        tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
+        return 1;
+}
+
+void X509V3_EXT_cleanup(void)
+{
+        sk_pop_free(ext_list, ext_list_free);
+        ext_list = NULL;
+}
+
+static void ext_list_free(X509V3_EXT_METHOD *ext)
+{
+        if(ext->ext_flags & X509V3_EXT_DYNAMIC) Free(ext);
+}
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+
+int X509V3_add_standard_extensions(void)
+{
+        X509V3_EXT_add_list(v3_ns_ia5_list);
+        X509V3_EXT_add_list(v3_alt);
+        X509V3_EXT_add(&v3_bcons);
+        X509V3_EXT_add(&v3_nscert);
+        X509V3_EXT_add(&v3_key_usage);
+        X509V3_EXT_add(&v3_ext_ku);
+        X509V3_EXT_add(&v3_skey_id);
+        X509V3_EXT_add(&v3_akey_id);
+        X509V3_EXT_add(&v3_pkey_usage_period);
+        X509V3_EXT_add(&v3_crl_num);
+        X509V3_EXT_add(&v3_sxnet);
+        X509V3_EXT_add(&v3_crl_reason);
+        X509V3_EXT_add(&v3_cpols);
+        X509V3_EXT_add(&v3_crld);
+        return 1;
+}
+
+/* Return an extension internal structure */
+
+void *X509V3_EXT_d2i(X509_EXTENSION *ext)
+{
+        X509V3_EXT_METHOD *method;
+        unsigned char *p;
+        if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL;
+        p = ext->value->data;
+        return method->d2i(NULL, &p, ext->value->length);
+}
+
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
new file mode 100644
index 0000000000..083112314e
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -0,0 +1,272 @@
+/* v3_ocsp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/ocsp.h>
+#include <openssl/x509v3.h>
+
+/* OCSP extensions and a couple of CRL entry extensions
+ */
+
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
+
+static void *ocsp_nonce_new(void);
+static int i2d_ocsp_nonce(void *a, unsigned char **pp);
+static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length);
+static void ocsp_nonce_free(void *a);
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
+
+X509V3_EXT_METHOD v3_ocsp_crlid = {
+        NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_crlid,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_acutoff = {
+        NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_acutoff,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_crl_invdate = {
+        NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_acutoff,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_crl_hold = {
+        NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_object,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_nonce = {
+        NID_id_pkix_OCSP_Nonce, 0, NULL,
+        ocsp_nonce_new,
+        ocsp_nonce_free,
+        d2i_ocsp_nonce,
+        i2d_ocsp_nonce,
+        0,0,
+        0,0,
+        i2r_ocsp_nonce,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_nocheck = {
+        NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
+        0,0,0,0,
+        0,s2i_ocsp_nocheck,
+        0,0,
+        i2r_ocsp_nocheck,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+        NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_serviceloc,0,
+        NULL
+};
+
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+{
+        OCSP_CRLID *a = in;
+        if (a->crlUrl)
+                {
+                if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
+                if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        if (a->crlNum)
+                {
+                if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
+                if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        if (a->crlTime)
+                {
+                if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
+                if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        return 1;
+        err:
+        return 0;
+}
+
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
+{
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
+        return 1;
+}
+
+
+static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+{
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
+        return 1;
+}
+
+/* OCSP nonce. This is needs special treatment because it doesn't have
+ * an ASN1 encoding at all: it just contains arbitrary data.
+ */
+
+static void *ocsp_nonce_new(void)
+{
+        return ASN1_OCTET_STRING_new();
+}
+
+static int i2d_ocsp_nonce(void *a, unsigned char **pp)
+{
+        ASN1_OCTET_STRING *os = a;
+        if(pp) {
+                memcpy(*pp, os->data, os->length);
+                *pp += os->length;
+        }
+        return os->length;
+}
+
+static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length)
+{
+        ASN1_OCTET_STRING *os, **pos;
+        pos = a;
+        if(!pos || !*pos) os = ASN1_OCTET_STRING_new();
+        else os = *pos;
+        if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err;
+
+        *pp += length;
+
+        if(pos) *pos = os;
+        return os;
+
+        err:
+        if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os);
+        OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+static void ocsp_nonce_free(void *a)
+{
+        M_ASN1_OCTET_STRING_free(a);
+}
+
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent)
+{
+        if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
+        if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
+        return 1;
+}
+
+/* Nocheck is just a single NULL. Don't print anything and always set it */
+
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent)
+{
+        return 1;
+}
+
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+{
+        return ASN1_NULL_new();
+}
+
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+        {
+        int i;
+        OCSP_SERVICELOC *a = in;
+        ACCESS_DESCRIPTION *ad;
+
+        if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err;
+        if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err;
+        for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++)
+                {
+                                ad = sk_ACCESS_DESCRIPTION_value(a->locator,i);
+                                if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0) 
+                                        goto err;
+                                if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err;
+                                if(BIO_puts(bp, " - ") <= 0) goto err;
+                                if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err;
+                }
+        return 1;
+err:
+        return 0;
+        }
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
new file mode 100644
index 0000000000..c13e7d8f45
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_pku.c
@@ -0,0 +1,151 @@
+/* v3_pku.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
+/*
+static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+*/
+X509V3_EXT_METHOD v3_pkey_usage_period = {
+NID_private_key_usage_period, 0,
+(X509V3_EXT_NEW)PKEY_USAGE_PERIOD_new,
+(X509V3_EXT_FREE)PKEY_USAGE_PERIOD_free,
+(X509V3_EXT_D2I)d2i_PKEY_USAGE_PERIOD,
+(X509V3_EXT_I2D)i2d_PKEY_USAGE_PERIOD,
+NULL, NULL, NULL, NULL,
+(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
+NULL
+};
+
+int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME);
+        M_ASN1_I2D_len_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME, 0);
+        M_ASN1_I2D_put_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME, 1);
+
+        M_ASN1_I2D_finish();
+}
+
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void)
+{
+        PKEY_USAGE_PERIOD *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PKEY_USAGE_PERIOD);
+        ret->notBefore = NULL;
+        ret->notAfter = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PKEY_USAGE_PERIOD_NEW);
+}
+
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PKEY_USAGE_PERIOD *,PKEY_USAGE_PERIOD_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_IMP_opt (ret->notBefore, d2i_ASN1_GENERALIZEDTIME, 0,
+                                                        V_ASN1_GENERALIZEDTIME);
+        M_ASN1_D2I_get_IMP_opt (ret->notAfter, d2i_ASN1_GENERALIZEDTIME, 1,
+                                                        V_ASN1_GENERALIZEDTIME);
+        M_ASN1_D2I_Finish(a, PKEY_USAGE_PERIOD_free, ASN1_F_D2I_PKEY_USAGE_PERIOD);
+}
+
+void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
+{
+        if (a == NULL) return;
+        ASN1_GENERALIZEDTIME_free(a->notBefore);
+        ASN1_GENERALIZEDTIME_free(a->notAfter);
+        Free ((char *)a);
+}
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
+             PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
+{
+        BIO_printf(out, "%*s", indent, "");
+        if(usage->notBefore) {
+                BIO_write(out, "Not Before: ", 12);
+                ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
+                if(usage->notAfter) BIO_write(out, ", ", 2);
+        }
+        if(usage->notAfter) {
+                BIO_write(out, "Not After: ", 11);
+                ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
+        }
+        return 1;
+}
+
+/*
+static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+STACK_OF(CONF_VALUE) *values;
+{
+return NULL;
+}
+*/
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
new file mode 100644
index 0000000000..dc20c6bdba
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -0,0 +1,135 @@
+/* v3_prn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+/* Extension printing routines */
+
+/* Print out a name+value stack */
+
+void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
+{
+        int i;
+        CONF_VALUE *nval;
+        if(!val) return;
+        if(!ml || !sk_CONF_VALUE_num(val)) {
+                BIO_printf(out, "%*s", indent, "");
+                if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
+                if(ml) BIO_printf(out, "%*s", indent, "");
+                else if(i > 0) BIO_printf(out, ", ");
+                nval = sk_CONF_VALUE_value(val, i);
+                if(!nval->name) BIO_puts(out, nval->value);
+                else if(!nval->value) BIO_puts(out, nval->name);
+                else BIO_printf(out, "%s:%s", nval->name, nval->value);
+                if(ml) BIO_puts(out, "\n");
+        }
+}
+
+/* Main routine: print out a general extension */
+
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
+{
+        char *ext_str = NULL, *value = NULL;
+        unsigned char *p;
+        X509V3_EXT_METHOD *method;      
+        STACK_OF(CONF_VALUE) *nval = NULL;
+        int ok = 1;
+        if(!(method = X509V3_EXT_get(ext))) return 0;
+        p = ext->value->data;
+        if(!(ext_str = method->d2i(NULL, &p, ext->value->length))) return 0;
+        if(method->i2s) {
+                if(!(value = method->i2s(method, ext_str))) {
+                        ok = 0;
+                        goto err;
+                }
+                BIO_printf(out, "%*s%s", indent, "", value);
+        } else if(method->i2v) {
+                if(!(nval = method->i2v(method, ext_str, NULL))) {
+                        ok = 0;
+                        goto err;
+                }
+                X509V3_EXT_val_prn(out, nval, indent,
+                                 method->ext_flags & X509V3_EXT_MULTILINE);
+        } else if(method->i2r) {
+                if(!method->i2r(method, ext_str, out, indent)) ok = 0;
+        } else ok = 0;
+
+        err:
+                sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+                if(value) Free(value);
+                method->ext_free(ext_str);
+                return ok;
+}
+
+#ifndef NO_FP_API
+int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
+{
+        BIO *bio_tmp;
+        int ret;
+        if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
+        ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
+        BIO_free(bio_tmp);
+        return ret;
+}
+#endif
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
new file mode 100644
index 0000000000..b7494ebcd5
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -0,0 +1,456 @@
+/* v3_purp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+
+static void x509v3_cache_extensions(X509 *x);
+
+static int ca_check(X509 *x);
+static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
+static int purpose_smime(X509 *x, int ca);
+static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);
+
+static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);
+static void xptable_free(X509_PURPOSE *p);
+
+static X509_PURPOSE xstandard[] = {
+        {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
+        {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
+        {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
+        {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
+        {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
+        {X509_PURPOSE_CRL_SIGN, X509_TRUST_ANY, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
+};
+
+#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
+
+IMPLEMENT_STACK_OF(X509_PURPOSE)
+
+static STACK_OF(X509_PURPOSE) *xptable = NULL;
+
+static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
+{
+        return (*a)->purpose - (*b)->purpose;
+}
+
+int X509_check_purpose(X509 *x, int id, int ca)
+{
+        int idx;
+        X509_PURPOSE *pt;
+        if(!(x->ex_flags & EXFLAG_SET)) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions(x);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
+        if(id == -1) return 1;
+        idx = X509_PURPOSE_get_by_id(id);
+        if(idx == -1) return -1;
+        pt = X509_PURPOSE_get0(idx);
+        return pt->check_purpose(pt, x, ca);
+}
+
+int X509_PURPOSE_get_count(void)
+{
+        if(!xptable) return X509_PURPOSE_COUNT;
+        return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
+}
+
+X509_PURPOSE * X509_PURPOSE_get0(int idx)
+{
+        if(idx < 0) return NULL;
+        if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
+        return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
+}
+
+int X509_PURPOSE_get_by_sname(char *sname)
+{
+        int i;
+        X509_PURPOSE *xptmp;
+        for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+                xptmp = X509_PURPOSE_get0(i);
+                if(!strcmp(xptmp->sname, sname)) return i;
+        }
+        return -1;
+}
+
+
+int X509_PURPOSE_get_by_id(int purpose)
+{
+        X509_PURPOSE tmp;
+        int idx;
+        if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+                return purpose - X509_PURPOSE_MIN;
+        tmp.purpose = purpose;
+        if(!xptable) return -1;
+        idx = sk_X509_PURPOSE_find(xptable, &tmp);
+        if(idx == -1) return -1;
+        return idx + X509_PURPOSE_COUNT;
+}
+
+int X509_PURPOSE_add(int id, int trust, int flags,
+                        int (*ck)(X509_PURPOSE *, X509 *, int),
+                                        char *name, char *sname, void *arg)
+{
+        int idx;
+        X509_PURPOSE *ptmp;
+        /* This is set according to what we change: application can't set it */
+        flags &= ~X509_PURPOSE_DYNAMIC;
+        /* This will always be set for application modified trust entries */
+        flags |= X509_PURPOSE_DYNAMIC_NAME;
+        /* Get existing entry if any */
+        idx = X509_PURPOSE_get_by_id(id);
+        /* Need a new entry */
+        if(idx == -1) {
+                if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
+                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                ptmp->flags = X509_PURPOSE_DYNAMIC;
+        } else ptmp = X509_PURPOSE_get0(idx);
+
+        /* Free existing name if dynamic */
+        if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
+                Free(ptmp->name);
+                Free(ptmp->sname);
+        }
+        /* dup supplied name */
+        ptmp->name = BUF_strdup(name);
+        ptmp->sname = BUF_strdup(sname);
+        if(!ptmp->name || !ptmp->sname) {
+                X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        /* Keep the dynamic flag of existing entry */
+        ptmp->flags &= X509_PURPOSE_DYNAMIC;
+        /* Set all other flags */
+        ptmp->flags |= flags;
+
+        ptmp->purpose = id;
+        ptmp->trust = trust;
+        ptmp->check_purpose = ck;
+        ptmp->usr_data = arg;
+
+        /* If its a new entry manage the dynamic table */
+        if(idx == -1) {
+                if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
+                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
+                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+        }
+        return 1;
+}
+
+static void xptable_free(X509_PURPOSE *p)
+        {
+        if(!p) return;
+        if (p->flags & X509_PURPOSE_DYNAMIC) 
+                {
+                if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
+                        Free(p->name);
+                        Free(p->sname);
+                }
+                Free(p);
+                }
+        }
+
+void X509_PURPOSE_cleanup(void)
+{
+        int i;
+        sk_X509_PURPOSE_pop_free(xptable, xptable_free);
+        for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
+        xptable = NULL;
+}
+
+int X509_PURPOSE_get_id(X509_PURPOSE *xp)
+{
+        return xp->purpose;
+}
+
+char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
+{
+        return xp->name;
+}
+
+char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
+{
+        return xp->sname;
+}
+
+int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
+{
+        return xp->trust;
+}
+
+#ifndef NO_SHA
+static void x509v3_cache_extensions(X509 *x)
+{
+        BASIC_CONSTRAINTS *bs;
+        ASN1_BIT_STRING *usage;
+        ASN1_BIT_STRING *ns;
+        STACK_OF(ASN1_OBJECT) *extusage;
+        int i;
+        if(x->ex_flags & EXFLAG_SET) return;
+        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
+        /* Does subject name match issuer ? */
+        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+                         x->ex_flags |= EXFLAG_SS;
+        /* V1 should mean no extensions ... */
+        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
+        /* Handle basic constraints */
+        if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
+                if(bs->ca) x->ex_flags |= EXFLAG_CA;
+                if(bs->pathlen) {
+                        if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
+                                                || !bs->ca) {
+                                x->ex_flags |= EXFLAG_INVALID;
+                                x->ex_pathlen = 0;
+                        } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+                } else x->ex_pathlen = -1;
+                BASIC_CONSTRAINTS_free(bs);
+                x->ex_flags |= EXFLAG_BCONS;
+        }
+        /* Handle key usage */
+        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
+                if(usage->length > 0) {
+                        x->ex_kusage = usage->data[0];
+                        if(usage->length > 1) 
+                                x->ex_kusage |= usage->data[1] << 8;
+                } else x->ex_kusage = 0;
+                x->ex_flags |= EXFLAG_KUSAGE;
+                ASN1_BIT_STRING_free(usage);
+        }
+        x->ex_xkusage = 0;
+        if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
+                x->ex_flags |= EXFLAG_XKUSAGE;
+                for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
+                        switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
+                                case NID_server_auth:
+                                x->ex_xkusage |= XKU_SSL_SERVER;
+                                break;
+
+                                case NID_client_auth:
+                                x->ex_xkusage |= XKU_SSL_CLIENT;
+                                break;
+
+                                case NID_email_protect:
+                                x->ex_xkusage |= XKU_SMIME;
+                                break;
+
+                                case NID_code_sign:
+                                x->ex_xkusage |= XKU_CODE_SIGN;
+                                break;
+
+                                case NID_ms_sgc:
+                                case NID_ns_sgc:
+                                x->ex_xkusage |= XKU_SGC;
+                        }
+                }
+                sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
+        }
+
+        if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
+                if(ns->length > 0) x->ex_nscert = ns->data[0];
+                else x->ex_nscert = 0;
+                x->ex_flags |= EXFLAG_NSCERT;
+                ASN1_BIT_STRING_free(ns);
+        }
+        x->ex_flags |= EXFLAG_SET;
+}
+#endif
+
+/* CA checks common to all purposes
+ * return codes:
+ * 0 not a CA
+ * 1 is a CA
+ * 2 basicConstraints absent so "maybe" a CA
+ * 3 basicConstraints absent but self signed V1.
+ */
+
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
+static int ca_check(X509 *x)
+{
+        /* keyUsage if present should allow cert signing */
+        if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
+        if(x->ex_flags & EXFLAG_BCONS) {
+                if(x->ex_flags & EXFLAG_CA) return 1;
+                /* If basicConstraints says not a CA then say so */
+                else return 0;
+        } else {
+                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+                else return 2;
+        }
+}
+
+
+static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
+        if(ca) {
+                int ca_ret;
+                ca_ret = ca_check(x);
+                if(!ca_ret) return 0;
+                /* check nsCertType if present */
+                if(x->ex_flags & EXFLAG_NSCERT) {
+                        if(x->ex_nscert & NS_SSL_CA) return ca_ret;
+                        return 0;
+                }
+                if(ca_ret != 2) return ca_ret;
+                else return 0;
+        }
+        /* We need to do digital signatures with it */
+        if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
+        /* nsCertType if present should allow SSL client use */ 
+        if(ns_reject(x, NS_SSL_CLIENT)) return 0;
+        return 1;
+}
+
+static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
+        /* Otherwise same as SSL client for a CA */
+        if(ca) return check_purpose_ssl_client(xp, x, 1);
+
+        if(ns_reject(x, NS_SSL_SERVER)) return 0;
+        /* Now as for keyUsage: we'll at least need to sign OR encipher */
+        if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
+        
+        return 1;
+
+}
+
+static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        int ret;
+        ret = check_purpose_ssl_server(xp, x, ca);
+        if(!ret || ca) return ret;
+        /* We need to encipher or Netscape complains */
+        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+        return ret;
+}
+
+/* common S/MIME checks */
+static int purpose_smime(X509 *x, int ca)
+{
+        if(xku_reject(x,XKU_SMIME)) return 0;
+        if(ca) {
+                int ca_ret;
+                ca_ret = ca_check(x);
+                if(!ca_ret) return 0;
+                /* check nsCertType if present */
+                if(x->ex_flags & EXFLAG_NSCERT) {
+                        if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
+                        return 0;
+                }
+                if(ca_ret != 2) return ca_ret;
+                else return 0;
+        }
+        if(x->ex_flags & EXFLAG_NSCERT) {
+                if(x->ex_nscert & NS_SMIME) return 1;
+                /* Workaround for some buggy certificates */
+                if(x->ex_nscert & NS_SSL_CLIENT) return 2;
+                return 0;
+        }
+        return 1;
+}
+
+static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        int ret;
+        ret = purpose_smime(x, ca);
+        if(!ret || ca) return ret;
+        if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+        return ret;
+}
+
+static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        int ret;
+        ret = purpose_smime(x, ca);
+        if(!ret || ca) return ret;
+        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+        return ret;
+}
+
+static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        if(ca) {
+                int ca_ret;
+                if((ca_ret = ca_check(x)) != 2) return ca_ret;
+                else return 0;
+        }
+        if(ku_reject(x, KU_CRL_SIGN)) return 0;
+        return 1;
+}
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
new file mode 100644
index 0000000000..fb3e36014d
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_skey.c
@@ -0,0 +1,156 @@
+/* v3_skey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_OCTET_STRING *octet_string_new(void);
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+X509V3_EXT_METHOD v3_skey_id = { 
+NID_subject_key_identifier, 0,
+(X509V3_EXT_NEW)octet_string_new,
+(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_OCTET_STRING,
+(X509V3_EXT_I2D)i2d_ASN1_OCTET_STRING,
+(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
+(X509V3_EXT_S2I)s2i_skey_id,
+NULL, NULL, NULL, NULL, NULL};
+
+
+static ASN1_OCTET_STRING *octet_string_new(void)
+{
+        return ASN1_OCTET_STRING_new();
+}
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+             ASN1_OCTET_STRING *oct)
+{
+        return hex_to_string(oct->data, oct->length);
+}
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, char *str)
+{
+        ASN1_OCTET_STRING *oct;
+        long length;
+
+        if(!(oct = ASN1_OCTET_STRING_new())) {
+                X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(!(oct->data = string_to_hex(str, &length))) {
+                ASN1_OCTET_STRING_free(oct);
+                return NULL;
+        }
+
+        oct->length = length;
+
+        return oct;
+
+}
+
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, char *str)
+{
+        ASN1_OCTET_STRING *oct;
+        ASN1_BIT_STRING *pk;
+        unsigned char pkey_dig[EVP_MAX_MD_SIZE];
+        EVP_MD_CTX md;
+        unsigned int diglen;
+
+        if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
+
+        if(!(oct = ASN1_OCTET_STRING_new())) {
+                X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(ctx && (ctx->flags == CTX_TEST)) return oct;
+
+        if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
+                X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+                goto err;
+        }
+
+        if(ctx->subject_req) 
+                pk = ctx->subject_req->req_info->pubkey->public_key;
+        else pk = ctx->subject_cert->cert_info->key->public_key;
+
+        if(!pk) {
+                X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+                goto err;
+        }
+
+        EVP_DigestInit(&md, EVP_sha1());
+        EVP_DigestUpdate(&md, pk->data, pk->length);
+        EVP_DigestFinal(&md, pkey_dig, &diglen);
+
+        if(!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+                X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        return oct;
+        
+        err:
+        ASN1_OCTET_STRING_free(oct);
+        return NULL;
+}
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
new file mode 100644
index 0000000000..0687bb4e3d
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_sxnet.c
@@ -0,0 +1,340 @@
+/* v3_sxnet.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+/* Support for Thawte strong extranet extension */
+
+#define SXNET_TEST
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent);
+#ifdef SXNET_TEST
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                STACK_OF(CONF_VALUE) *nval);
+#endif
+X509V3_EXT_METHOD v3_sxnet = {
+NID_sxnet, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)SXNET_new,
+(X509V3_EXT_FREE)SXNET_free,
+(X509V3_EXT_D2I)d2i_SXNET,
+(X509V3_EXT_I2D)i2d_SXNET,
+NULL, NULL,
+NULL, 
+#ifdef SXNET_TEST
+(X509V3_EXT_V2I)sxnet_v2i,
+#else
+NULL,
+#endif
+(X509V3_EXT_I2R)sxnet_i2r,
+NULL,
+NULL
+};
+
+
+int i2d_SXNET(SXNET *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+
+        M_ASN1_I2D_finish();
+}
+
+SXNET *SXNET_new(void)
+{
+        SXNET *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, SXNET);
+        M_ASN1_New(ret->version,ASN1_INTEGER_new);
+        M_ASN1_New(ret->ids,sk_SXNETID_new_null);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_SXNET_NEW);
+}
+
+SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,SXNET *,SXNET_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get_seq_type (SXNETID, ret->ids, d2i_SXNETID, SXNETID_free);
+        M_ASN1_D2I_Finish(a, SXNET_free, ASN1_F_D2I_SXNET);
+}
+
+void SXNET_free(SXNET *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free(a->version);
+        sk_SXNETID_pop_free(a->ids, SXNETID_free);
+        Free (a);
+}
+
+int i2d_SXNETID(SXNETID *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->zone, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->user, i2d_ASN1_OCTET_STRING);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->zone, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->user, i2d_ASN1_OCTET_STRING);
+
+        M_ASN1_I2D_finish();
+}
+
+SXNETID *SXNETID_new(void)
+{
+        SXNETID *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, SXNETID);
+        ret->zone = NULL;
+        M_ASN1_New(ret->user,ASN1_OCTET_STRING_new);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_SXNETID_NEW);
+}
+
+SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,SXNETID *,SXNETID_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->zone, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get(ret->user, d2i_ASN1_OCTET_STRING);
+        M_ASN1_D2I_Finish(a, SXNETID_free, ASN1_F_D2I_SXNETID);
+}
+
+void SXNETID_free(SXNETID *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free(a->zone);
+        ASN1_OCTET_STRING_free(a->user);
+        Free (a);
+}
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
+             int indent)
+{
+        long v;
+        char *tmp;
+        SXNETID *id;
+        int i;
+        v = ASN1_INTEGER_get(sx->version);
+        BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v);
+        for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+                id = sk_SXNETID_value(sx->ids, i);
+                tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+                BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
+                Free(tmp);
+                ASN1_OCTET_STRING_print(out, id->user);
+        }
+        return 1;
+}
+
+#ifdef SXNET_TEST
+
+/* NBB: this is used for testing only. It should *not* be used for anything
+ * else because it will just take static IDs from the configuration file and
+ * they should really be separate values for each user.
+ */
+
+
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+             STACK_OF(CONF_VALUE) *nval)
+{
+        CONF_VALUE *cnf;
+        SXNET *sx = NULL;
+        int i;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
+                                                                 return NULL;
+        }
+        return sx;
+}
+                
+        
+#endif
+
+/* Strong Extranet utility functions */
+
+/* Add an id given the zone as an ASCII number */
+
+int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
+             int userlen)
+{
+        ASN1_INTEGER *izone = NULL;
+        if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+                X509V3err(X509V3_F_SXNET_ADD_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+                return 0;
+        }
+        return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+}
+
+/* Add an id given the zone as an unsigned long */
+
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
+             int userlen)
+{
+        ASN1_INTEGER *izone = NULL;
+        if(!(izone = ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
+                ASN1_INTEGER_free(izone);
+                return 0;
+        }
+        return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+        
+}
+
+/* Add an id given the zone as an ASN1_INTEGER.
+ * Note this version uses the passed integer and doesn't make a copy so don't
+ * free it up afterwards.
+ */
+
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
+             int userlen)
+{
+        SXNET *sx = NULL;
+        SXNETID *id = NULL;
+        if(!psx || !zone || !user) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT);
+                return 0;
+        }
+        if(userlen == -1) userlen = strlen(user);
+        if(userlen > 64) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG);
+                return 0;
+        }
+        if(!*psx) {
+                if(!(sx = SXNET_new())) goto err;
+                if(!ASN1_INTEGER_set(sx->version, 0)) goto err;
+                *psx = sx;
+        } else sx = *psx;
+        if(SXNET_get_id_INTEGER(sx, zone)) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID);
+                return 0;
+        }
+
+        if(!(id = SXNETID_new())) goto err;
+        if(userlen == -1) userlen = strlen(user);
+                
+        if(!ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
+        if(!sk_SXNETID_push(sx->ids, id)) goto err;
+        id->zone = zone;
+        return 1;
+        
+        err:
+        X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE);
+        SXNETID_free(id);
+        SXNET_free(sx);
+        *psx = NULL;
+        return 0;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
+{
+        ASN1_INTEGER *izone = NULL;
+        ASN1_OCTET_STRING *oct;
+        if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+                X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+                return NULL;
+        }
+        oct = SXNET_get_id_INTEGER(sx, izone);
+        ASN1_INTEGER_free(izone);
+        return oct;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
+{
+        ASN1_INTEGER *izone = NULL;
+        ASN1_OCTET_STRING *oct;
+        if(!(izone = ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+                X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
+                ASN1_INTEGER_free(izone);
+                return NULL;
+        }
+        oct = SXNET_get_id_INTEGER(sx, izone);
+        ASN1_INTEGER_free(izone);
+        return oct;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
+{
+        SXNETID *id;
+        int i;
+        for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+                id = sk_SXNETID_value(sx->ids, i);
+                if(!ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
+        }
+        return NULL;
+}
+
+IMPLEMENT_STACK_OF(SXNETID)
+IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
new file mode 100644
index 0000000000..40f71c71b4
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -0,0 +1,418 @@
+/* v3_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static char *strip_spaces(char *name);
+
+/* Add a CONF_VALUE name value pair to stack */
+
+int X509V3_add_value(const char *name, const char *value,
+                                                STACK_OF(CONF_VALUE) **extlist)
+{
+        CONF_VALUE *vtmp = NULL;
+        char *tname = NULL, *tvalue = NULL;
+        if(name && !(tname = BUF_strdup(name))) goto err;
+        if(value && !(tvalue = BUF_strdup(value))) goto err;;
+        if(!(vtmp = (CONF_VALUE *)Malloc(sizeof(CONF_VALUE)))) goto err;
+        if(!*extlist && !(*extlist = sk_CONF_VALUE_new(NULL))) goto err;
+        vtmp->section = NULL;
+        vtmp->name = tname;
+        vtmp->value = tvalue;
+        if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err;
+        return 1;
+        err:
+        X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
+        if(vtmp) Free(vtmp);
+        if(tname) Free(tname);
+        if(tvalue) Free(tvalue);
+        return 0;
+}
+
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+                           STACK_OF(CONF_VALUE) **extlist)
+    {
+    return X509V3_add_value(name,(const char *)value,extlist);
+    }
+
+/* Free function for STACK_OF(CONF_VALUE) */
+
+void X509V3_conf_free(CONF_VALUE *conf)
+{
+        if(!conf) return;
+        if(conf->name) Free(conf->name);
+        if(conf->value) Free(conf->value);
+        if(conf->section) Free(conf->section);
+        Free((char *)conf);
+}
+
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist)
+{
+        if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
+        return X509V3_add_value(name, "FALSE", extlist);
+}
+
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist)
+{
+        if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
+        return 1;
+}
+
+
+char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
+{
+        BIGNUM *bntmp = NULL;
+        char *strtmp = NULL;
+        if(!a) return NULL;
+        if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
+            !(strtmp = BN_bn2dec(bntmp)) )
+                X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
+        BN_free(bntmp);
+        return strtmp;
+}
+
+char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
+{
+        BIGNUM *bntmp = NULL;
+        char *strtmp = NULL;
+        if(!a) return NULL;
+        if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
+            !(strtmp = BN_bn2dec(bntmp)) )
+                X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+        BN_free(bntmp);
+        return strtmp;
+}
+
+ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
+{
+        BIGNUM *bn = NULL;
+        ASN1_INTEGER *aint;
+        bn = BN_new();
+        if(!value) {
+                X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
+                return 0;
+        }
+        if(!BN_dec2bn(&bn, value)) {
+                X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
+                return 0;
+        }
+
+        if(!(aint = BN_to_ASN1_INTEGER(bn, NULL))) {
+                X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
+                return 0;
+        }
+        BN_free(bn);
+        return aint;
+}
+
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+             STACK_OF(CONF_VALUE) **extlist)
+{
+        char *strtmp;
+        int ret;
+        if(!aint) return 1;
+        if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
+        ret = X509V3_add_value(name, strtmp, extlist);
+        Free(strtmp);
+        return ret;
+}
+
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
+{
+        char *btmp;
+        if(!(btmp = value->value)) goto err;
+        if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
+                 || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
+                || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
+                *asn1_bool = 0xff;
+                return 1;
+        } else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
+                 || !strcmp(btmp, "N") || !strcmp(btmp, "n")
+                || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
+                *asn1_bool = 0;
+                return 1;
+        }
+        err:
+        X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING);
+        X509V3_conf_err(value);
+        return 0;
+}
+
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
+{
+        ASN1_INTEGER *itmp;
+        if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
+                X509V3_conf_err(value);
+                return 0;
+        }
+        *aint = itmp;
+        return 1;
+}
+
+#define HDR_NAME        1
+#define HDR_VALUE       2
+
+/*#define DEBUG*/
+
+STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
+{
+        char *p, *q, c;
+        char *ntmp, *vtmp;
+        STACK_OF(CONF_VALUE) *values = NULL;
+        char *linebuf;
+        int state;
+        /* We are going to modify the line so copy it first */
+        linebuf = BUF_strdup(line);
+        state = HDR_NAME;
+        ntmp = NULL;
+        /* Go through all characters */
+        for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
+
+                switch(state) {
+                        case HDR_NAME:
+                        if(c == ':') {
+                                state = HDR_VALUE;
+                                *p = 0;
+                                ntmp = strip_spaces(q);
+                                if(!ntmp) {
+                                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+                                        goto err;
+                                }
+                                q = p + 1;
+                        } else if(c == ',') {
+                                *p = 0;
+                                ntmp = strip_spaces(q);
+                                q = p + 1;
+#ifdef DEBUG
+                                printf("%s\n", ntmp);
+#endif
+                                if(!ntmp) {
+                                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+                                        goto err;
+                                }
+                                X509V3_add_value(ntmp, NULL, &values);
+                        }
+                        break ;
+
+                        case HDR_VALUE:
+                        if(c == ',') {
+                                state = HDR_NAME;
+                                *p = 0;
+                                vtmp = strip_spaces(q);
+#ifdef DEBUG
+                                printf("%s\n", ntmp);
+#endif
+                                if(!vtmp) {
+                                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
+                                        goto err;
+                                }
+                                X509V3_add_value(ntmp, vtmp, &values);
+                                ntmp = NULL;
+                                q = p + 1;
+                        }
+
+                }
+        }
+
+        if(state == HDR_VALUE) {
+                vtmp = strip_spaces(q);
+#ifdef DEBUG
+                printf("%s=%s\n", ntmp, vtmp);
+#endif
+                if(!vtmp) {
+                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
+                        goto err;
+                }
+                X509V3_add_value(ntmp, vtmp, &values);
+        } else {
+                ntmp = strip_spaces(q);
+#ifdef DEBUG
+                printf("%s\n", ntmp);
+#endif
+                if(!ntmp) {
+                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+                        goto err;
+                }
+                X509V3_add_value(ntmp, NULL, &values);
+        }
+Free(linebuf);
+return values;
+
+err:
+Free(linebuf);
+sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
+return NULL;
+
+}
+
+/* Delete leading and trailing spaces from a string */
+static char *strip_spaces(char *name)
+{
+        char *p, *q;
+        /* Skip over leading spaces */
+        p = name;
+        while(*p && isspace((unsigned char)*p)) p++;
+        if(!*p) return NULL;
+        q = p + strlen(p) - 1;
+        while((q != p) && isspace((unsigned char)*q)) q--;
+        if(p != q) q[1] = 0;
+        if(!*p) return NULL;
+        return p;
+}
+
+/* hex string utilities */
+
+/* Given a buffer of length 'len' return a Malloc'ed string with its
+ * hex representation
+ */
+
+char *hex_to_string(unsigned char *buffer, long len)
+{
+        char *tmp, *q;
+        unsigned char *p;
+        int i;
+        static char hexdig[] = "0123456789ABCDEF";
+        if(!buffer || !len) return NULL;
+        if(!(tmp = Malloc(len * 3 + 1))) {
+                X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        q = tmp;
+        for(i = 0, p = buffer; i < len; i++,p++) {
+                *q++ = hexdig[(*p >> 4) & 0xf];
+                *q++ = hexdig[*p & 0xf];
+                *q++ = ':';
+        }
+        q[-1] = 0;
+        return tmp;
+}
+
+/* Give a string of hex digits convert to
+ * a buffer
+ */
+
+unsigned char *string_to_hex(char *str, long *len)
+{
+        unsigned char *hexbuf, *q;
+        unsigned char ch, cl, *p;
+        if(!str) {
+                X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
+                return NULL;
+        }
+        if(!(hexbuf = Malloc(strlen(str) >> 1))) goto err;
+        for(p = (unsigned char *)str, q = hexbuf; *p;) {
+                ch = *p++;
+                if(ch == ':') continue;
+                cl = *p++;
+                if(!cl) {
+                        X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
+                        Free(hexbuf);
+                        return NULL;
+                }
+                if(isupper(ch)) ch = tolower(ch);
+                if(isupper(cl)) cl = tolower(cl);
+
+                if((ch >= '0') && (ch <= '9')) ch -= '0';
+                else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
+                else goto badhex;
+
+                if((cl >= '0') && (cl <= '9')) cl -= '0';
+                else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
+                else goto badhex;
+
+                *q++ = (ch << 4) | cl;
+        }
+
+        if(len) *len = q - hexbuf;
+
+        return hexbuf;
+
+        err:
+        if(hexbuf) Free(hexbuf);
+        X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
+        return NULL;
+
+        badhex:
+        Free(hexbuf);
+        X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
+        return NULL;
+
+}
+
+/* V2I name comparison function: returns zero if 'name' matches
+ * cmp or cmp.*
+ */
+
+int name_cmp(const char *name, const char *cmp)
+{
+        int len, ret;
+        char c;
+        len = strlen(cmp);
+        if((ret = strncmp(name, cmp, len))) return ret;
+        c = name[len];
+        if(!c || (c=='.')) return 0;
+        return 1;
+}
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
new file mode 100644
index 0000000000..50efa8d99d
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -0,0 +1,171 @@
+/* crypto/x509v3/v3err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA X509V3_str_functs[]=
+        {
+{ERR_PACK(0,X509V3_F_COPY_EMAIL,0),     "COPY_EMAIL"},
+{ERR_PACK(0,X509V3_F_COPY_ISSUER,0),    "COPY_ISSUER"},
+{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0),    "DO_EXT_CONF"},
+{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),     "DO_EXT_I2D"},
+{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),  "hex_to_string"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),    "i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),       "i2s_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
+{ERR_PACK(0,X509V3_F_NREF_NOS,0),       "NREF_NOS"},
+{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
+{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),    "R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),     "S2I_ASN1_IA5STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),       "s2i_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),  "s2i_ASN1_OCTET_STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),       "S2I_ASN1_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),        "S2I_S2I_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),  "string_to_hex"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0),  "SXNET_ADD_ASC"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0),   "SXNET_add_id_INTEGER"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),     "SXNET_add_id_ulong"},
+{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),       "SXNET_get_id_asc"},
+{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),     "SXNET_get_id_ulong"},
+{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),    "V2I_ASN1_BIT_STRING"},
+{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),    "V2I_AUTHORITY_KEYID"},
+{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),  "V2I_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,X509V3_F_V2I_CRLD,0),       "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),     "V2I_EXT_KU"},
+{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),       "v2i_GENERAL_NAME"},
+{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),      "v2i_GENERAL_NAMES"},
+{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),   "V3_GENERIC_EXTENSION"},
+{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),       "X509V3_add_value"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0), "X509V3_EXT_add"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),   "X509V3_EXT_add_alias"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),        "X509V3_EXT_conf"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0), "X509V3_EXT_i2d"},
+{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),  "X509V3_get_value_bool"},
+{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),      "X509V3_parse_list"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA X509V3_str_reasons[]=
+        {
+{X509V3_R_BAD_IP_ADDRESS                 ,"bad ip address"},
+{X509V3_R_BAD_OBJECT                     ,"bad object"},
+{X509V3_R_BN_DEC2BN_ERROR                ,"bn dec2bn error"},
+{X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
+{X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
+{X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
+{X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
+{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
+{X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
+{X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
+{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
+{X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
+{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
+{X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
+{X509V3_R_INVALID_NAME                   ,"invalid name"},
+{X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
+{X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
+{X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
+{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
+{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
+{X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_INVALID_OPTION                 ,"invalid option"},
+{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_SECTION                ,"invalid section"},
+{X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
+{X509V3_R_MISSING_VALUE                  ,"missing value"},
+{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
+{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
+{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
+{X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
+{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
+{X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
+{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
+{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
+{X509V3_R_UNKNOWN_EXTENSION              ,"unknown extension"},
+{X509V3_R_UNKNOWN_EXTENSION_NAME         ,"unknown extension name"},
+{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
+{X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
+{X509V3_R_USER_TOO_LONG                  ,"user too long"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_X509V3_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
+                ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
new file mode 100644
index 0000000000..b9e18d5e7b
--- /dev/null
+++ b/src/lib/libssl/LICENSE
@@ -0,0 +1,127 @@
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts. Actually both licenses are BSD-style
+  Open Source licenses. In case of any license issues related to OpenSSL
+  please contact openssl-core@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
new file mode 100644
index 0000000000..d70dd25622
--- /dev/null
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -0,0 +1,214 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE                = $ENV::HOME/.rnd
+oid_file                = $ENV::HOME/.oid
+oid_section             = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = ./demoCA              # Where everything is kept
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = $dir/cacert.pem       # The CA certificate
+serial          = $dir/serial           # The current serial number
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+
+x509_extensions = usr_cert              # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions        = crl_ext
+
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+
+localityName                    = Locality Name (eg, city)
+
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+# SET-ex3                       = SET extension number 3
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# RAW DER hex encoding of an extension: beware experts only!
+# 1.2.3.5=RAW:02:03
+# You can even override a supported extension:
+# basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/src/lib/libssl/doc/openssl.txt b/src/lib/libssl/doc/openssl.txt
new file mode 100644
index 0000000000..91b85e5f14
--- /dev/null
+++ b/src/lib/libssl/doc/openssl.txt
@@ -0,0 +1,1174 @@
+
+This is some preliminary documentation for OpenSSL.
+
+==============================================================================
+                            BUFFER Library
+==============================================================================
+
+The buffer library handles simple character arrays. Buffers are used for
+various purposes in the library, most notably memory BIOs.
+
+The library uses the BUF_MEM structure defined in buffer.h:
+
+typedef struct buf_mem_st
+{
+        int length;     /* current number of bytes */
+        char *data;
+        int max;        /* size of buffer */
+} BUF_MEM;
+
+'length' is the current size of the buffer in bytes, 'max' is the amount of
+memory allocated to the buffer. There are three functions which handle these
+and one "miscellaneous" function.
+
+BUF_MEM *BUF_MEM_new()
+
+This allocates a new buffer of zero size. Returns the buffer or NULL on error.
+
+void BUF_MEM_free(BUF_MEM *a)
+
+This frees up an already existing buffer. The data is zeroed before freeing
+up in case the buffer contains sensitive data.
+
+int BUF_MEM_grow(BUF_MEM *str, int len)
+
+This changes the size of an already existing buffer. It returns zero on error
+or the new size (i.e. 'len'). Any data already in the buffer is preserved if
+it increases in size.
+
+char * BUF_strdup(char *str)
+
+This is the previously mentioned strdup function: like the standard library
+strdup() it copies a null terminated string into a block of allocated memory
+and returns a pointer to the allocated block.
+
+Unlike the standard C library strdup() this function uses Malloc() and so
+should be used in preference to the standard library strdup() because it can
+be used for memory leak checking or replacing the malloc() function.
+
+The memory allocated from BUF_strdup() should be freed up using the Free()
+function.
+
+==============================================================================
+               OpenSSL X509V3 extension configuration
+==============================================================================
+
+OpenSSL X509V3 extension configuration: preliminary documentation.
+
+INTRODUCTION.
+
+For OpenSSL 0.9.2 the extension code has be considerably enhanced. It is now
+possible to add and print out common X509 V3 certificate and CRL extensions.
+
+BEGINNERS NOTE
+
+For most simple applications you don't need to know too much about extensions:
+the default openssl.cnf values will usually do sensible things.
+
+If you want to know more you can initially quickly look through the sections
+describing how the standard OpenSSL utilities display and add extensions and
+then the list of supported extensions.
+
+For more technical information about the meaning of extensions see:
+
+http://www.imc.org/ietf-pkix/
+http://home.netscape.com/eng/security/certs.html
+
+PRINTING EXTENSIONS.
+
+Extension values are automatically printed out for supported extensions.
+
+openssl x509 -in cert.pem -text
+openssl crl -in crl.pem -text
+
+will give information in the extension printout, for example:
+
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15
+            X509v3 Authority Key Identifier: 
+                keyid:73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15, DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/Email=email@1.address/Email=email@2.address, serial:00
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:email@1.address, email:email@2.address
+
+CONFIGURATION FILES.
+
+The OpenSSL utilities 'ca' and 'req' can now have extension sections listing
+which certificate extensions to include. In each case a line:
+
+x509_extensions = extension_section
+
+indicates which section contains the extensions. In the case of 'req' the
+extension section is used when the -x509 option is present to create a
+self signed root certificate.
+
+The 'x509' utility also supports extensions when it signs a certificate.
+The -extfile option is used to set the configuration file containing the
+extensions. In this case a line with:
+
+extensions = extension_section
+
+in the nameless (default) section is used. If no such line is included then
+it uses the default section.
+
+You can also add extensions to CRLs: a line
+
+crl_extensions = crl_extension_section
+
+will include extensions when the -gencrl option is used with the 'ca' utility.
+You can add any extension to a CRL but of the supported extensions only
+issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
+CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
+CRL entry extensions can be displayed.
+
+NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL
+you should not include a crl_extensions line in the configuration file.
+
+As with all configuration files you can use the inbuilt environment expansion
+to allow the values to be passed in the environment. Therefore if you have
+several extension sections used for different purposes you can have a line:
+
+x509_extensions = $ENV::ENV_EXT
+
+and set the ENV_EXT environment variable before calling the relevant utility.
+
+EXTENSION SYNTAX.
+
+Extensions have the basic form:
+
+extension_name=[critical,] extension_options
+
+the use of the critical option makes the extension critical. Extreme caution
+should be made when using the critical flag. If an extension is marked
+as critical then any client that does not understand the extension should
+reject it as invalid. Some broken software will reject certificates which
+have *any* critical extensions (these violates PKIX but we have to live
+with it).
+
+There are three main types of extension: string extensions, multi-valued
+extensions, and raw extensions.
+
+String extensions simply have a string which contains either the value itself
+or how it is obtained.
+
+For example:
+
+nsComment="This is a Comment"
+
+Multi-valued extensions have a short form and a long form. The short form
+is a list of names and values:
+
+basicConstraints=critical,CA:true,pathlen:1
+
+The long form allows the values to be placed in a separate section:
+
+basicConstraints=critical,@bs_section
+
+[bs_section]
+
+CA=true
+pathlen=1
+
+Both forms are equivalent. However it should be noted that in some cases the
+same name can appear multiple times, for example,
+
+subjectAltName=email:steve@here,email:steve@there
+
+in this case an equivalent long form is:
+
+subjectAltName=@alt_section
+
+[alt_section]
+
+email.1=steve@here
+email.2=steve@there
+
+This is because the configuration file code cannot handle the same name
+occurring twice in the same extension.
+
+The syntax of raw extensions is governed by the extension code: it can
+for example contain data in multiple sections. The correct syntax to
+use is defined by the extension code itself: check out the certificate
+policies extension for an example.
+
+In addition it is also possible to use the word DER to include arbitrary
+data in any extension.
+
+1.2.3.4=critical,DER:01:02:03:04
+1.2.3.4=DER:01020304
+
+The value following DER is a hex dump of the DER encoding of the extension
+Any extension can be placed in this form to override the default behaviour.
+For example:
+
+basicConstraints=critical,DER:00:01:02:03
+
+WARNING: DER should be used with caution. It is possible to create totally
+invalid extensions unless care is taken.
+
+CURRENTLY SUPPORTED EXTENSIONS.
+
+If you aren't sure about extensions then they can be largely ignored: its only
+when you want to do things like restrict certificate usage when you need to
+worry about them. 
+
+The only extension that a beginner might want to look at is Basic Constraints.
+If in addition you want to try Netscape object signing the you should also
+look at Netscape Certificate Type.
+
+Literal String extensions.
+
+In each case the 'value' of the extension is placed directly in the
+extension. Currently supported extensions in this category are: nsBaseUrl,
+nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
+nsSslServerName and nsComment.
+
+For example:
+
+nsComment="This is a test comment"
+
+Bit Strings.
+
+Bit string extensions just consist of a list of supported bits, currently
+two extensions are in this category: PKIX keyUsage and the Netscape specific
+nsCertType.
+
+nsCertType (netscape certificate type) takes the flags: client, server, email,
+objsign, reserved, sslCA, emailCA, objCA.
+
+keyUsage (PKIX key usage) takes the flags: digitalSignature, nonRepudiation,
+keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
+encipherOnly, decipherOnly.
+
+For example:
+
+nsCertType=server
+
+keyUsage=digitalSignature, nonRepudiation
+
+Hints on Netscape Certificate Type.
+
+Other than Basic Constraints this is the only extension a beginner might
+want to use, if you want to try Netscape object signing, otherwise it can
+be ignored.
+
+If you want a certificate that can be used just for object signing then:
+
+nsCertType=objsign
+
+will do the job. If you want to use it as a normal end user and server
+certificate as well then
+
+nsCertType=objsign,email,server
+
+is more appropriate. You cannot use a self signed certificate for object
+signing (well Netscape signtool can but it cheats!) so you need to create
+a CA certificate and sign an end user certificate with it.
+
+Side note: If you want to conform to the Netscape specifications then you
+should really also set:
+
+nsCertType=objCA
+
+in the *CA* certificate for just an object signing CA and
+
+nsCertType=objCA,emailCA,sslCA
+
+for everything. Current Netscape software doesn't enforce this so it can
+be omitted.
+
+Basic Constraints.
+
+This is generally the only extension you need to worry about for simple
+applications. If you want your certificate to be usable as a CA certificate
+(in addition to an end user certificate) then you set this to:
+
+basicConstraints=CA:TRUE
+
+if you want to be certain the certificate cannot be used as a CA then do:
+
+basicConstraints=CA:FALSE
+
+The rest of this section describes more advanced usage.
+
+Basic constraints is a multi-valued extension that supports a CA and an
+optional pathlen option. The CA option takes the values true and false and
+pathlen takes an integer. Note if the CA option is false the pathlen option
+should be omitted. 
+
+The pathlen parameter indicates the maximum number of CAs that can appear
+below this one in a chain. So if you have a CA with a pathlen of zero it can
+only be used to sign end user certificates and not further CAs. This all
+assumes that the software correctly interprets this extension of course.
+
+Examples:
+
+basicConstraints=CA:TRUE
+basicConstraints=critical,CA:TRUE, pathlen:0
+
+NOTE: for a CA to be considered valid it must have the CA option set to
+TRUE. An end user certificate MUST NOT have the CA value set to true.
+According to PKIX recommendations it should exclude the extension entirely,
+however some software may require CA set to FALSE for end entity certificates.
+
+Subject Key Identifier.
+
+This is really a string extension and can take two possible values. Either
+a hex string giving details of the extension value to include or the word
+'hash' which then automatically follow PKIX guidelines in selecting and
+appropriate key identifier. The use of the hex string is strongly discouraged.
+
+Example: subjectKeyIdentifier=hash
+
+Authority Key Identifier.
+
+The authority key identifier extension permits two options. keyid and issuer:
+both can take the optional value "always".
+
+If the keyid option is present an attempt is made to copy the subject key
+identifier from the parent certificate. If the value "always" is present
+then an error is returned if the option fails.
+
+The issuer option copies the issuer and serial number from the issuer
+certificate. Normally this will only be done if the keyid option fails or
+is not included: the "always" flag will always include the value.
+
+Subject Alternative Name.
+
+The subject alternative name extension allows various literal values to be
+included in the configuration file. These include "email" (an email address)
+"URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a
+registered ID: OBJECT IDENTIFIER) and IP (and IP address).
+
+Also the email option include a special 'copy' value. This will automatically
+include and email addresses contained in the certificate subject name in
+the extension.
+
+Examples:
+
+subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/
+subjectAltName=email:my@other.address,RID:1.2.3.4
+
+Issuer Alternative Name.
+
+The issuer alternative name option supports all the literal options of
+subject alternative name. It does *not* support the email:copy option because
+that would not make sense. It does support an additional issuer:copy option
+that will copy all the subject alternative name values from the issuer 
+certificate (if possible).
+
+CRL distribution points.
+
+This is a multi-valued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+If you see this extension with <UNSUPPORTED> when you attempt to print it out
+or it doesn't appear to display correctly then let me know, including the
+certificate (mail me at steve@openssl.org) .
+
+Examples:
+
+crlDistributionPoints=URI:http://www.myhost.com/myca.crl
+crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
+
+Certificate Policies.
+
+This is a RAW extension. It attempts to display the contents of this extension:
+unfortunately this extension is often improperly encoded.
+
+The certificate policies extension will rarely be used in practice: few
+software packages interpret it correctly or at all. IE5 does partially
+support this extension: but it needs the 'ia5org' option because it will
+only correctly support a broken encoding. Of the options below only the
+policy OID, explicitText and CPS options are displayed with IE5.
+
+All the fields of this extension can be set by using the appropriate syntax.
+
+If you follow the PKIX recommendations of not including any qualifiers and just
+using only one OID then you just include the value of that OID. Multiple OIDs
+can be set separated by commas, for example:
+
+certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section.
+This section can include explicitText, organization and noticeNumbers
+options. explicitText and organization are text strings, noticeNumbers is a
+comma separated list of numbers. The organization and noticeNumbers options
+(if included) must BOTH be present. If you use the userNotice option with IE5
+then you need the 'ia5org' option at the top level to modify the encoding:
+otherwise it will not be interpreted properly.
+
+Example:
+
+certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
+
+[polsect]
+
+policyIdentifier = 1.3.5.8
+CPS.1="http://my.host.name/"
+CPS.2="http://my.your.name/"
+userNotice.1=@notice
+
+[notice]
+
+explicitText="Explicit Text Here"
+organization="Organisation Name"
+noticeNumbers=1,2,3,4
+
+TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field,
+according to PKIX it should be of type DisplayText but Verisign uses an 
+IA5STRING and IE5 needs this too.
+
+Display only extensions.
+
+Some extensions are only partially supported and currently are only displayed
+but cannot be set. These include private key usage period, CRL number, and
+CRL reason.
+
+==============================================================================
+                X509V3 Extension code: programmers guide
+==============================================================================
+
+The purpose of the extension code is twofold. It allows an extension to be
+created from a string or structure describing its contents and it prints out an
+extension in a human or machine readable form.
+
+1. Initialisation and cleanup.
+
+X509V3_add_standard_extensions();
+
+This function should be called before any other extension code. It adds support
+for some common PKIX and Netscape extensions. Additional custom extensions can
+be added as well (see later).
+
+void X509V3_EXT_cleanup(void);
+
+This function should be called last to cleanup the extension code. After this
+call no other extension calls should be made.
+
+2. Printing and parsing extensions.
+
+The simplest way to print out extensions is via the standard X509 printing
+routines: if you use the standard X509_print() function, the supported
+extensions will be printed out automatically.
+
+The following functions allow finer control over extension display:
+
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
+int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
+
+These two functions print out an individual extension to a BIO or FILE pointer.
+Currently the flag argument is unused and should be set to 0. The 'indent'
+argument is the number of spaces to indent each line.
+
+void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+
+This function parses an extension and returns its internal structure. The
+precise structure you get back depends on the extension being parsed. If the
+extension if basicConstraints you will get back a pointer to a
+BASIC_CONSTRAINTS structure. Check out the source in crypto/x509v3 for more
+details about the structures returned. The returned structure should be freed
+after use using the relevant free function, BASIC_CONSTRAINTS_free() for 
+example.
+
+3. Generating extensions.
+
+An extension will typically be generated from a configuration file, or some
+other kind of configuration database.
+
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+                                                                 X509 *cert);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+                                                                 X509_CRL *crl);
+
+These functions add all the extensions in the given section to the given
+certificate or CRL. They will normally be called just before the certificate
+or CRL is due to be signed. Both return 0 on error on non zero for success.
+
+In each case 'conf' is the LHASH pointer of the configuration file to use
+and 'section' is the section containing the extension details.
+
+See the 'context functions' section for a description of the ctx paramater.
+
+
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+                                                                 char *value);
+
+This function returns an extension based on a name and value pair, if the
+pair will not need to access other sections in a config file (or there is no
+config file) then the 'conf' parameter can be set to NULL.
+
+X509_EXTENSION *X509V3_EXT_conf_nid(char *conf, X509V3_CTX *ctx, int nid,
+                                                                 char *value);
+
+This function creates an extension in the same way as X509V3_EXT_conf() but
+takes the NID of the extension rather than its name.
+
+For example to produce basicConstraints with the CA flag and a path length of
+10:
+
+x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10");
+
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+
+This function sets up an extension from its internal structure. The ext_nid
+parameter is the NID of the extension and 'crit' is the critical flag.
+
+4. Context functions.
+
+The following functions set and manipulate an extension context structure.
+The purpose of the extension context is to allow the extension code to
+access various structures relating to the "environment" of the certificate:
+for example the issuers certificate or the certificate request.
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
+                                 X509_REQ *req, X509_CRL *crl, int flags);
+
+This function sets up an X509V3_CTX structure with details of the certificate
+environment: specifically the issuers certificate, the subject certificate,
+the certificate request and the CRL: if these are not relevant or not
+available then they can be set to NULL. The 'flags' parameter should be set
+to zero.
+
+X509V3_set_ctx_test(ctx)
+
+This macro is used to set the 'ctx' structure to a 'test' value: this is to
+allow the syntax of an extension (or configuration file) to be tested.
+
+X509V3_set_ctx_nodb(ctx)
+
+This macro is used when no configuration database is present.
+
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
+
+This function is used to set the configuration database when it is an LHASH
+structure: typically a configuration file.
+
+The following functions are used to access a configuration database: they
+should only be used in RAW extensions.
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
+
+This function returns the value of the parameter "name" in "section", or NULL
+if there has been an error.
+
+void X509V3_string_free(X509V3_CTX *ctx, char *str);
+
+This function frees up the string returned by the above function.
+
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
+
+This function returns a whole section as a STACK_OF(CONF_VALUE) .
+
+void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
+
+This function frees up the STACK returned by the above function.
+
+Note: it is possible to use the extension code with a custom configuration
+database. To do this the "db_meth" element of the X509V3_CTX structure should
+be set to an X509V3_CTX_METHOD structure. This structure contains the following
+function pointers:
+
+char * (*get_string)(void *db, char *section, char *value);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
+void (*free_string)(void *db, char * string);
+void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
+
+these will be called and passed the 'db' element in the X509V3_CTX structure
+to access the database. If a given function is not implemented or not required
+it can be set to NULL.
+
+5. String helper functions.
+
+There are several "i2s" and "s2i" functions that convert structures to and
+from ASCII strings. In all the "i2s" cases the returned string should be
+freed using Free() after use. Since some of these are part of other extension
+code they may take a 'method' parameter. Unless otherwise stated it can be
+safely set to NULL.
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct);
+
+This returns a hex string from an ASN1_OCTET_STRING.
+
+char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
+char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
+
+These return a string decimal representations of an ASN1_INTEGER and an
+ASN1_ENUMERATED type, respectively.
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+                                                   X509V3_CTX *ctx, char *str);
+
+This converts an ASCII hex string to an ASN1_OCTET_STRING.
+
+ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
+
+This converts a decimal ASCII string into an ASN1_INTEGER.
+
+6. Multi valued extension helper functions.
+
+The following functions can be used to manipulate STACKs of CONF_VALUE
+structures, as used by multi valued extensions.
+
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
+
+This function expects a boolean value in 'value' and sets 'asn1_bool' to
+it. That is it sets it to 0 for FALSE or 0xff for TRUE. The following
+strings are acceptable: "TRUE", "true", "Y", "y", "YES", "yes", "FALSE"
+"false", "N", "n", "NO" or "no".
+
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
+
+This accepts a decimal integer of arbitrary length and sets an ASN1_INTEGER.
+
+int X509V3_add_value(const char *name, const char *value,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This simply adds a string name and value pair.
+
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+The same as above but for an unsigned character value.
+
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This adds either "TRUE" or "FALSE" depending on the value of 'ans1_bool'
+
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This is the same as above except it adds nothing if asn1_bool is FALSE.
+
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This function adds the value of the ASN1_INTEGER in decimal form.
+
+7. Other helper functions.
+
+<to be added>
+
+ADDING CUSTOM EXTENSIONS.
+
+Currently there are three types of supported extensions. 
+
+String extensions are simple strings where the value is placed directly in the
+extensions, and the string returned is printed out.
+
+Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
+or return a STACK_OF(CONF_VALUE).
+
+Raw extensions are just passed a BIO or a value and it is the extensions
+responsiblity to handle all the necessary printing.
+
+There are two ways to add an extension. One is simply as an alias to an already
+existing extension. An alias is an extension that is identical in ASN1 structure
+to an existing extension but has a different OBJECT IDENTIFIER. This can be
+done by calling:
+
+int X509V3_EXT_add_alias(int nid_to, int nid_from);
+
+'nid_to' is the new extension NID and 'nid_from' is the already existing
+extension NID.
+
+Alternatively an extension can be written from scratch. This involves writing
+the ASN1 code to encode and decode the extension and functions to print out and
+generate the extension from strings. The relevant functions are then placed in
+a X509V3_EXT_METHOD structure and int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+called.
+
+The X509V3_EXT_METHOD structure is described below.
+
+strut {
+int ext_nid;
+int ext_flags;
+X509V3_EXT_NEW ext_new;
+X509V3_EXT_FREE ext_free;
+X509V3_EXT_D2I d2i;
+X509V3_EXT_I2D i2d;
+X509V3_EXT_I2S i2s;
+X509V3_EXT_S2I s2i;
+X509V3_EXT_I2V i2v;
+X509V3_EXT_V2I v2i;
+X509V3_EXT_R2I r2i;
+X509V3_EXT_I2R i2r;
+
+void *usr_data;
+};
+
+The elements have the following meanings.
+
+ext_nid         is the NID of the object identifier of the extension.
+
+ext_flags       is set of flags. Currently the only external flag is
+                X509V3_EXT_MULTILINE which means a multi valued extensions
+                should be printed on separate lines.
+
+usr_data        is an extension specific pointer to any relevant data. This
+                allows extensions to share identical code but have different
+                uses. An example of this is the bit string extension which uses
+                usr_data to contain a list of the bit names.
+
+All the remaining elements are function pointers.
+
+ext_new         is a pointer to a function that allocates memory for the
+                extension ASN1 structure: for example ASN1_OBJECT_new().
+
+ext_free        is a pointer to a function that free up memory of the extension
+                ASN1 structure: for example ASN1_OBJECT_free().
+
+d2i             is the standard ASN1 function that converts a DER buffer into
+                the internal ASN1 structure: for example d2i_ASN1_IA5STRING().
+
+i2d             is the standard ASN1 function that converts the internal
+                structure into the DER representation: for example
+                i2d_ASN1_IA5STRING().
+
+The remaining functions are depend on the type of extension. One i2X and
+one X2i should be set and the rest set to NULL. The types set do not need
+to match up, for example the extension could be set using the multi valued
+v2i function and printed out using the raw i2r.
+
+All functions have the X509V3_EXT_METHOD passed to them in the 'method'
+parameter and an X509V3_CTX structure. Extension code can then access the
+parent structure via the 'method' parameter to for example make use of the value
+of usr_data. If the code needs to use detail relating to the request it can
+use the 'ctx' parameter.
+
+A note should be given here about the 'flags' member of the 'ctx' parameter.
+If it has the value CTX_TEST then the configuration syntax is being checked
+and no actual certificate or CRL exists. Therefore any attempt in the config
+file to access such information should silently succeed. If the syntax is OK
+then it should simply return a (possibly bogus) extension, otherwise it
+should return NULL.
+
+char *i2s(struct v3_ext_method *method, void *ext);
+
+This function takes the internal structure in the ext parameter and returns
+a Malloc'ed string representing its value.
+
+void * s2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+This function takes the string representation in the ext parameter and returns
+an allocated internal structure: ext_free() will be used on this internal
+structure after use.
+
+i2v and v2i handle a STACK_OF(CONF_VALUE):
+
+typedef struct
+{
+        char *section;
+        char *name;
+        char *value;
+} CONF_VALUE;
+
+Only the name and value members are currently used.
+
+STACK_OF(CONF_VALUE) * i2v(struct v3_ext_method *method, void *ext);
+
+This function is passed the internal structure in the ext parameter and
+returns a STACK of CONF_VALUE structures. The values of name, value,
+section and the structure itself will be freed up with Free after use.
+Several helper functions are available to add values to this STACK.
+
+void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx,
+                                                STACK_OF(CONF_VALUE) *values);
+
+This function takes a STACK_OF(CONF_VALUE) structures and should set the
+values of the external structure. This typically uses the name element to
+determine which structure element to set and the value element to determine
+what to set it to. Several helper functions are available for this
+purpose (see above).
+
+int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent);
+
+This function is passed the internal extension structure in the ext parameter
+and sends out a human readable version of the extension to out. The 'indent'
+paremeter should be noted to determine the necessary amount of indentation
+needed on the output.
+
+void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+This is just passed the string representation of the extension. It is intended
+to be used for more elaborate extensions where the standard single and multi
+valued options are insufficient. They can use the 'ctx' parameter to parse the
+configuration database themselves. See the context functions section for details
+of how to do this.
+
+Note: although this type takes the same parameters as the "r2s" function there
+is a subtle difference. Whereas an "r2i" function can access a configuration
+database an "s2i" function MUST NOT. This is so the internal code can safely
+assume that an "s2i" function will work without a configuration database.
+
+==============================================================================
+                            PKCS#12 Library
+==============================================================================
+
+This section describes the internal PKCS#12 support. There are very few
+differences between the old external library and the new internal code at
+present. This may well change because the external library will not be updated
+much in future.
+
+This version now includes a couple of high level PKCS#12 functions which
+generally "do the right thing" and should make it much easier to handle PKCS#12
+structures.
+
+HIGH LEVEL FUNCTIONS.
+
+For most applications you only need concern yourself with the high level
+functions. They can parse and generate simple PKCS#12 files as produced by
+Netscape and MSIE or indeed any compliant PKCS#12 file containing a single
+private key and certificate pair.
+
+1. Initialisation and cleanup.
+
+No special initialisation is needed for the internal PKCS#12 library: the 
+standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to
+add all algorithms (you should at least add SHA1 though) then you can manually
+initialise the PKCS#12 library with:
+
+PKCS12_PBE_add();
+
+The memory allocated by the PKCS#12 library is freed up when EVP_cleanup() is
+called or it can be directly freed with:
+
+EVP_PBE_cleanup();
+
+after this call (or EVP_cleanup() ) no more PKCS#12 library functions should
+be called.
+
+2. I/O functions.
+
+i2d_PKCS12_bio(bp, p12)
+
+This writes out a PKCS12 structure to a BIO.
+
+i2d_PKCS12_fp(fp, p12)
+
+This is the same but for a FILE pointer.
+
+d2i_PKCS12_bio(bp, p12)
+
+This reads in a PKCS12 structure from a BIO.
+
+d2i_PKCS12_fp(fp, p12)
+
+This is the same but for a FILE pointer.
+
+3. Parsing and creation functions.
+
+3.1 Parsing with PKCS12_parse().
+
+int PKCS12_parse(PKCS12 *p12, char *pass, EVP_PKEY **pkey, X509 **cert,
+                                                                 STACK **ca);
+
+This function takes a PKCS12 structure and a password (ASCII, null terminated)
+and returns the private key, the corresponding certificate and any CA
+certificates. If any of these is not required it can be passed as a NULL.
+The 'ca' parameter should be either NULL, a pointer to NULL or a valid STACK
+structure. Typically to read in a PKCS#12 file you might do:
+
+p12 = d2i_PKCS12_fp(fp, NULL);
+PKCS12_parse(p12, password, &pkey, &cert, NULL);        /* CAs not wanted */
+PKCS12_free(p12);
+
+3.2 PKCS#12 creation with PKCS12_create().
+
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+                        STACK *ca, int nid_key, int nid_cert, int iter,
+                                                 int mac_iter, int keytype);
+
+This function will create a PKCS12 structure from a given password, name,
+private key, certificate and optional STACK of CA certificates. The remaining
+5 parameters can be set to 0 and sensible defaults will be used.
+
+The parameters nid_key and nid_cert are the key and certificate encryption
+algorithms, iter is the encryption iteration count, mac_iter is the MAC
+iteration count and keytype is the type of private key. If you really want
+to know what these last 5 parameters do then read the low level section.
+
+Typically to create a PKCS#12 file the following could be used:
+
+p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0);
+i2d_PKCS12_fp(fp, p12);
+PKCS12_free(p12);
+
+LOW LEVEL FUNCTIONS.
+
+In some cases the high level functions do not provide the necessary
+functionality. For example if you want to generate or parse more complex
+PKCS#12 files. The sample pkcs12 application uses the low level functions
+to display details about the internal structure of a PKCS#12 file.
+
+Introduction.
+
+This is a brief description of how a PKCS#12 file is represented internally:
+some knowledge of PKCS#12 is assumed.
+
+A PKCS#12 object contains several levels.
+
+At the lowest level is a PKCS12_SAFEBAG. This can contain a certificate, a
+CRL, a private key, encrypted or unencrypted, a set of safebags (so the
+structure can be nested) or other secrets (not documented at present). 
+A safebag can optionally have attributes, currently these are: a unicode
+friendlyName (a Unicode string) or a localKeyID (a string of bytes).
+
+At the next level is an authSafe which is a set of safebags collected into
+a PKCS#7 ContentInfo. This can be just plain data, or encrypted itself.
+
+At the top level is the PKCS12 structure itself which contains a set of
+authSafes in an embedded PKCS#7 Contentinfo of type data. In addition it
+contains a MAC which is a kind of password protected digest to preserve
+integrity (so any unencrypted stuff below can't be tampered with).
+
+The reason for these levels is so various objects can be encrypted in various
+ways. For example you might want to encrypt a set of private keys with
+triple-DES and then include the related certificates either unencrypted or
+with lower encryption. Yes it's the dreaded crypto laws at work again which
+allow strong encryption on private keys and only weak encryption on other
+stuff.
+
+To build one of these things you turn all certificates and keys into safebags
+(with optional attributes). You collect the safebags into (one or more) STACKS
+and convert these into authsafes (encrypted or unencrypted).  The authsafes
+are collected into a STACK and added to a PKCS12 structure.  Finally a MAC
+inserted.
+
+Pulling one apart is basically the reverse process. The MAC is verified against
+the given password. The authsafes are extracted and each authsafe split into
+a set of safebags (possibly involving decryption). Finally the safebags are
+decomposed into the original keys and certificates and the attributes used to
+match up private key and certificate pairs.
+
+Anyway here are the functions that do the dirty work.
+
+1. Construction functions.
+
+1.1 Safebag functions.
+
+M_PKCS12_x5092certbag(x509)
+
+This macro takes an X509 structure and returns a certificate bag. The
+X509 structure can be freed up after calling this function.
+
+M_PKCS12_x509crl2certbag(crl)
+
+As above but for a CRL.
+
+PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey)
+
+Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure.
+Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo
+structure contains a private key data in plain text form it should be free'd
+up as soon as it has been encrypted for security reasons (freeing up the
+structure zeros out the sensitive data). This can be done with
+PKCS8_PRIV_KEY_INFO_free().
+
+PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
+
+This sets the key type when a key is imported into MSIE or Outlook 98. Two
+values are currently supported: KEY_EX and KEY_SIG. KEY_EX is an exchange type
+key that can also be used for signing but its size is limited in the export
+versions of MS software to 512 bits, it is also the default. KEY_SIG is a
+signing only key but the keysize is unlimited (well 16K is supposed to work).
+If you are using the domestic version of MSIE then you can ignore this because
+KEY_EX is not limited and can be used for both.
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
+
+Convert a PKCS8 private key structure into a keybag. This routine embeds the
+p8 structure in the keybag so p8 should not be freed up or used after it is
+called.  The p8 structure will be freed up when the safebag is freed.
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
+
+Convert a PKCS#8 structure into a shrouded key bag (encrypted). p8 is not
+embedded and can be freed up after use.
+
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
+int PKCS12_add_friendlyname(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
+
+Add a local key id or a friendlyname to a safebag.
+
+1.2 Authsafe functions.
+
+PKCS7 *PKCS12_pack_p7data(STACK *sk)
+Take a stack of safebags and convert them into an unencrypted authsafe. The
+stack of safebags can be freed up after calling this function.
+
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, STACK *bags);
+
+As above but encrypted.
+
+1.3 PKCS12 functions.
+
+PKCS12 *PKCS12_init(int mode)
+
+Initialise a PKCS12 structure (currently mode should be NID_pkcs7_data).
+
+M_PKCS12_pack_authsafes(p12, safes)
+
+This macro takes a STACK of authsafes and adds them to a PKCS#12 structure.
+
+int PKCS12_set_mac(PKCS12 *p12, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, EVP_MD *md_type);
+
+Add a MAC to a PKCS12 structure. If EVP_MD is NULL use SHA-1, the spec suggests
+that SHA-1 should be used.
+
+2. Extraction Functions.
+
+2.1 Safebags.
+
+M_PKCS12_bag_type(bag)
+
+Return the type of "bag". Returns one of the following
+
+NID_keyBag
+NID_pkcs8ShroudedKeyBag                 7
+NID_certBag                             8
+NID_crlBag                              9
+NID_secretBag                           10
+NID_safeContentsBag                     11
+
+M_PKCS12_cert_bag_type(bag)
+
+Returns type of certificate bag, following are understood.
+
+NID_x509Certificate                     14
+NID_sdsiCertificate                     15
+
+M_PKCS12_crl_bag_type(bag)
+
+Returns crl bag type, currently only NID_crlBag is recognised.
+
+M_PKCS12_certbag2x509(bag)
+
+This macro extracts an X509 certificate from a certificate bag.
+
+M_PKCS12_certbag2x509crl(bag)
+
+As above but for a CRL.
+
+EVP_PKEY * PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8)
+
+Extract a private key from a PKCS8 private key info structure.
+
+M_PKCS12_decrypt_skey(bag, pass, passlen) 
+
+Decrypt a shrouded key bag and return a PKCS8 private key info structure.
+Works with both RSA and DSA keys
+
+char *PKCS12_get_friendlyname(bag)
+
+Returns the friendlyName of a bag if present or NULL if none. The returned
+string is a null terminated ASCII string allocated with Malloc(). It should 
+thus be freed up with Free() after use.
+
+2.2 AuthSafe functions.
+
+M_PKCS12_unpack_p7data(p7)
+
+Extract a STACK of safe bags from a PKCS#7 data ContentInfo.
+
+#define M_PKCS12_unpack_p7encdata(p7, pass, passlen)
+
+As above but for an encrypted content info.
+
+2.3 PKCS12 functions.
+
+M_PKCS12_unpack_authsafes(p12)
+
+Extract a STACK of authsafes from a PKCS12 structure.
+
+M_PKCS12_mac_present(p12)
+
+Check to see if a MAC is present.
+
+int PKCS12_verify_mac(PKCS12 *p12, unsigned char *pass, int passlen)
+
+Verify a MAC on a PKCS12 structure. Returns an error if MAC not present.
+
+
+Notes.
+
+1. All the function return 0 or NULL on error.
+2. Encryption based functions take a common set of parameters. These are
+described below.
+
+pass, passlen
+ASCII password and length. The password on the MAC is called the "integrity
+password" the encryption password is called the "privacy password" in the
+PKCS#12 documentation. The passwords do not have to be the same. If -1 is
+passed for the length it is worked out by the function itself (currently
+this is sometimes done whatever is passed as the length but that may change).
+
+salt, saltlen
+A 'salt' if salt is NULL a random salt is used. If saltlen is also zero a
+default length is used.
+
+iter
+Iteration count. This is a measure of how many times an internal function is
+called to encrypt the data. The larger this value is the longer it takes, it
+makes dictionary attacks on passwords harder. NOTE: Some implementations do
+not support an iteration count on the MAC. If the password for the MAC and
+encryption is the same then there is no point in having a high iteration
+count for encryption if the MAC has no count. The MAC could be attacked
+and the password used for the main decryption.
+
+pbe_nid
+This is the NID of the password based encryption method used. The following are
+supported.
+NID_pbe_WithSHA1And128BitRC4
+NID_pbe_WithSHA1And40BitRC4
+NID_pbe_WithSHA1And3_Key_TripleDES_CBC
+NID_pbe_WithSHA1And2_Key_TripleDES_CBC
+NID_pbe_WithSHA1And128BitRC2_CBC
+NID_pbe_WithSHA1And40BitRC2_CBC
+
+Which you use depends on the implementation you are exporting to. "Export
+grade" (i.e. cryptographically challenged) products cannot support all
+algorithms. Typically you may be able to use any encryption on shrouded key
+bags but they must then be placed in an unencrypted authsafe. Other authsafes
+may only support 40bit encryption. Of course if you are using SSLeay
+throughout you can strongly encrypt everything and have high iteration counts
+on everything.
+
+3. For decryption routines only the password and length are needed.
+
+4. Unlike the external version the nid's of objects are the values of the
+constants: that is NID_certBag is the real nid, therefore there is no 
+PKCS12_obj_offset() function.  Note the object constants are not the same as
+those of the external version. If you use these constants then you will need
+to recompile your code.
+
+5. With the exception of PKCS12_MAKE_KEYBAG(), after calling any function or 
+macro of the form PKCS12_MAKE_SOMETHING(other) the "other" structure can be
+reused or freed up safely.
+
diff --git a/src/lib/libssl/doc/standards.txt b/src/lib/libssl/doc/standards.txt
new file mode 100644
index 0000000000..61ccc5d7e0
--- /dev/null
+++ b/src/lib/libssl/doc/standards.txt
@@ -0,0 +1,121 @@
+Standards related to OpenSSL
+============================
+
+[Please, this is currently a draft.  I made a first try at finding
+ documents that describe parts of what OpenSSL implements.  There are
+ big gaps, and I've most certainly done something wrong.  Please
+ correct whatever is...  Also, this note should be removed when this
+ file is reaching a somewhat correct state.        -- Richard Levitte]
+
+
+All pointers in here will be either URL's or blobs of text borrowed
+from miscellaneous indexes, like rfc-index.txt (index of RFCs),
+1id-index.txt (index of Internet drafts) and the like.
+
+To find the latest possible RFCs, it's recommended to either browse
+ftp://ftp.isi.edu/in-notes/ or go to http://www.rfc-editor.org/ and
+use the search mechanism found there.
+To find the latest possible Internet drafts, it's recommended to
+browse ftp://ftp.isi.edu/internet-drafts/.
+To find the latest possible PKCS, it's recommended to browse
+http://www.rsasecurity.com/rsalabs/pkcs/.
+
+
+Implemented:
+------------
+
+These are documents that describe things that are implemented in OpenSSL.
+
+1319 The MD2 Message-Digest Algorithm. B. Kaliski. April 1992.
+     (Format: TXT=25661 bytes) (Status: INFORMATIONAL)
+
+1320 The MD4 Message-Digest Algorithm. R. Rivest. April 1992. (Format:
+     TXT=32407 bytes) (Status: INFORMATIONAL)
+
+1321 The MD5 Message-Digest Algorithm. R. Rivest. April 1992. (Format:
+     TXT=35222 bytes) (Status: INFORMATIONAL)
+
+2246 The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999.
+     (Format: TXT=170401 bytes) (Status: PROPOSED STANDARD)
+
+2268 A Description of the RC2(r) Encryption Algorithm. R. Rivest.
+     January 1998. (Format: TXT=19048 bytes) (Status: INFORMATIONAL)
+
+2314 PKCS 10: Certification Request Syntax Version 1.5. B. Kaliski.
+     March 1998. (Format: TXT=15814 bytes) (Status: INFORMATIONAL)
+
+2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski.
+     March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL)
+
+2437 PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski,
+     J. Staddon. October 1998. (Format: TXT=73529 bytes) (Obsoletes
+     RFC2313) (Status: INFORMATIONAL)
+
+2459 Internet X.509 Public Key Infrastructure Certificate and CRL
+     Profile. R. Housley, W. Ford, W. Polk, D. Solo. January 1999.
+     (Format: TXT=278438 bytes) (Status: PROPOSED STANDARD)
+
+PKCS#8: Private-Key Information Syntax Standard
+
+PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
+
+
+Related:
+--------
+
+These are documents that are close to OpenSSL, for example the
+STARTTLS documents.
+
+1421 Privacy Enhancement for Internet Electronic Mail: Part I: Message
+     Encryption and Authentication Procedures. J. Linn. February 1993.
+     (Format: TXT=103894 bytes) (Obsoletes RFC1113) (Status: PROPOSED
+     STANDARD)
+
+1422 Privacy Enhancement for Internet Electronic Mail: Part II:
+     Certificate-Based Key Management. S. Kent. February 1993. (Format:
+     TXT=86085 bytes) (Obsoletes RFC1114) (Status: PROPOSED STANDARD)
+
+1423 Privacy Enhancement for Internet Electronic Mail: Part III:
+     Algorithms, Modes, and Identifiers. D. Balenson. February 1993.
+     (Format: TXT=33277 bytes) (Obsoletes RFC1115) (Status: PROPOSED
+     STANDARD)
+
+1424 Privacy Enhancement for Internet Electronic Mail: Part IV: Key
+     Certification and Related Services. B. Kaliski. February 1993.
+     (Format: TXT=17537 bytes) (Status: PROPOSED STANDARD)
+
+2487 SMTP Service Extension for Secure SMTP over TLS. P. Hoffman.
+     January 1999. (Format: TXT=15120 bytes) (Status: PROPOSED STANDARD)
+
+2585 Internet X.509 Public Key Infrastructure Operational Protocols:
+     FTP and HTTP. R. Housley, P. Hoffman. May 1999. (Format: TXT=14813
+     bytes) (Status: PROPOSED STANDARD)
+
+2595 Using TLS with IMAP, POP3 and ACAP. C. Newman. June 1999.
+     (Format: TXT=32440 bytes) (Status: PROPOSED STANDARD)
+
+2712 Addition of Kerberos Cipher Suites to Transport Layer Security
+     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
+     (Status: PROPOSED STANDARD)
+
+2817 Upgrading to TLS Within HTTP/1.1. R. Khare, S. Lawrence. May
+     2000. (Format: TXT=27598 bytes) (Updates RFC2616) (Status: PROPOSED
+     STANDARD)
+
+2818 HTTP Over TLS. E. Rescorla. May 2000. (Format: TXT=15170 bytes)
+     (Status: INFORMATIONAL)
+
+  "Securing FTP with TLS", 01/27/2000, <draft-murray-auth-ftp-ssl-05.txt>  
+ 
+
+To be implemented:
+------------------
+
+These are documents that describe things that are planed to be
+implemented in the hopefully short future.
+
+2560 X.509 Internet Public Key Infrastructure Online Certificate
+     Status Protocol - OCSP. M. Myers, R. Ankney, A. Malpani, S. Galperin,
+     C. Adams. June 1999. (Format: TXT=43243 bytes) (Status: PROPOSED
+     STANDARD)
+
diff --git a/src/lib/libssl/test/VMSca-response.1 b/src/lib/libssl/test/VMSca-response.1
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/src/lib/libssl/test/VMSca-response.1
@@ -0,0 +1 @@
+
diff --git a/src/lib/libssl/test/VMSca-response.2 b/src/lib/libssl/test/VMSca-response.2
new file mode 100644
index 0000000000..9b48ee4cf9
--- /dev/null
+++ b/src/lib/libssl/test/VMSca-response.2
@@ -0,0 +1,2 @@
+y
+y
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
new file mode 100644
index 0000000000..bdb3218f7a
--- /dev/null
+++ b/src/lib/libssl/test/bctest
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+# This script is used by test/Makefile.ssl to check whether a sane 'bc'
+# is installed.
+# ('make test_bn' should not try to run 'bc' if it does not exist or if
+# it is a broken 'bc' version that is known to cause trouble.)
+#
+# If 'bc' works, we also test if it knows the 'print' command.
+#
+# In any case, output an appropriate command line for running (or not
+# running) bc.
+
+
+IFS=:
+try_without_dir=true
+# First we try "bc", then "$dir/bc" for each item in $PATH.
+for dir in dummy:$PATH; do
+    if [ "$try_without_dir" = true ]; then
+      # first iteration
+      bc=bc
+      try_without_dir=false
+    else
+      # second and later iterations
+      bc="$dir/bc"
+      if [ ! -f "$bc" ]; then  # '-x' is not available on Ultrix
+        bc=''
+      fi
+    fi
+
+    if [ ! "$bc" = '' ]; then
+        failure=none
+
+
+        # Test for SunOS 5.[78] bc bug
+        "$bc" >tmp.bctest <<\EOF
+obase=16
+ibase=16
+a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\
+CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\
+10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\
+C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\
+3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\
+4FC3CADF855448B24A9D7640BCF473E
+b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\
+9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\
+8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\
+3ED0E2017D60A68775B75481449
+(a/b)*b + (a%b) - a
+EOF
+        if [ 0 != "`cat tmp.bctest`" ]; then
+            failure=SunOStest
+        fi
+
+
+        if [ "$failure" = none ]; then
+            # Test for SCO bc bug.
+            "$bc" >tmp.bctest <<\EOF
+obase=16
+ibase=16
+-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\
+9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\
+11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\
+1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\
+AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\
+F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\
+B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\
+02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\
+85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\
+A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\
+E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\
+8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\
+04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\
+89C8D71
+AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\
+928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\
+8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\
+37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\
+E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\
+F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\
+9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\
+D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\
+5296964
+EOF
+            if [ "0
+0" != "`cat tmp.bctest`" ]; then
+                failure=SCOtest
+            fi
+        fi
+
+
+        if [ "$failure" = none ]; then
+            # bc works; now check if it knows the 'print' command.
+            if [ "OK" = "`echo 'print \"OK\"' | $bc 2>/dev/null`" ]
+            then
+                echo "$bc"
+            else
+                echo "sed 's/print.*//' | $bc"
+            fi
+            exit 0
+        fi
+
+        echo "$bc does not work properly ('$failure' failed).  Looking for another bc ..." >&2
+    fi
+done
+
+echo "No working bc found.  Consider installing GNU bc." >&2
+if [ "$1" = ignore ]; then
+  echo "cat >/dev/null"
+  exit 0
+fi
+exit 1