import 0.9.7b (without idea and rc5)

87 files changed, 3706 insertions, 946 deletions

diff --git a/src/lib/libcrypto/bf/bftest.c b/src/lib/libcrypto/bf/bftest.c
index 09895f2542..24d526b14b 100644
--- a/src/lib/libcrypto/bf/bftest.c
+++ b/src/lib/libcrypto/bf/bftest.c
@@ -63,6 +63,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_BF
 int main(int argc, char *argv[])
 {
@@ -275,7 +277,7 @@ int main(int argc, char *argv[])
         else
                 ret=test();
 
-        exit(ret);
+        EXIT(ret);
         return(0);
         }
 
@@ -454,9 +456,9 @@ static int test(void)
         len=strlen(cbc_data)+1;
 
         BF_set_key(&key,16,cbc_key);
-        memset(cbc_in,0,40);
-        memset(cbc_out,0,40);
-        memcpy(iv,cbc_iv,8);
+        memset(cbc_in,0,sizeof cbc_in);
+        memset(cbc_out,0,sizeof cbc_out);
+        memcpy(iv,cbc_iv,sizeof iv);
         BF_cbc_encrypt((unsigned char *)cbc_data,cbc_out,len,
                 &key,iv,BF_ENCRYPT);
         if (memcmp(cbc_out,cbc_ok,32) != 0)
diff --git a/src/lib/libcrypto/bn/asm/vms.mar b/src/lib/libcrypto/bn/asm/vms.mar
index 465f2774b6..aefab15cdb 100644
--- a/src/lib/libcrypto/bn/asm/vms.mar
+++ b/src/lib/libcrypto/bn/asm/vms.mar
@@ -1,4 +1,4 @@
-        .title  vax_bn_mul_add_word  unsigned multiply & add, 32*32+32+32=>64
+        .title  vax_bn_mul_add_words  unsigned multiply & add, 32*32+32+32=>64
 ;
 ; w.j.m. 15-jan-1999
 ;
@@ -59,7 +59,7 @@ w=16 ;(AP)	w	by value (input)
         movl    r6,r0                   ; return c
         ret
 
-        .title  vax_bn_mul_word  unsigned multiply & add, 32*32+32=>64
+        .title  vax_bn_mul_words  unsigned multiply & add, 32*32+32=>64
 ;
 ; w.j.m. 15-jan-1999
 ;
@@ -172,147 +172,175 @@ n=12 ;(AP)	n	by value (input)
 ; }
 ;
 ; Using EDIV would be very easy, if it didn't do signed calculations.
-; Therefore, som extra things have to happen around it.  The way to
-; handle that is to shift all operands right one step (basically dividing
-; them by 2) and handle the different cases depending on what the lowest
-; bit of each operand was.
+; Any time any of the input numbers are signed, there are problems,
+; usually with integer overflow, at which point it returns useless
+; data (the quotient gets the value of l, and the remainder becomes 0).
 ;
-; To start with, let's define the following:
+; If it was just for the dividend, it would be very easy, just divide
+; it by 2 (unsigned), do the division, multiply the resulting quotient
+; and remainder by 2, add the bit that was dropped when dividing by 2
+; to the remainder, and do some adjustment so the remainder doesn't
+; end up larger than the divisor.  For some cases when the divisor is
+; negative (from EDIV's point of view, i.e. when the highest bit is set),
+; dividing the dividend by 2 isn't enough, and since some operations
+; might generate integer overflows even when the dividend is divided by
+; 4 (when the high part of the shifted down dividend ends up being exactly
+; half of the divisor, the result is the quotient 0x80000000, which is
+; negative...) it needs to be divided by 8.  Furthermore, the divisor needs
+; to be divided by 2 (unsigned) as well, to avoid more problems with the sign.
+; In this case, a little extra fiddling with the remainder is required.
 ;
-; a' = l & 1
-; a2 = <h,l> >> 1       # UNSIGNED shift!
-; b' = d & 1
-; b2 = d >> 1           # UNSIGNED shift!
+; So, the simplest way to handle this is always to divide the dividend
+; by 8, and to divide the divisor by 2 if it's highest bit is set.
+; After EDIV has been used, the quotient gets multiplied by 8 if the
+; original divisor was positive, otherwise 4.  The remainder, oddly
+; enough, is *always* multiplied by 8.
+; NOTE: in the case mentioned above, where the high part of the shifted
+; down dividend ends up being exactly half the shifted down divisor, we
+; end up with a 33 bit quotient.  That's no problem however, it usually
+; means we have ended up with a too large remainder as well, and the
+; problem is fixed by the last part of the algorithm (next paragraph).
 ;
-; Now, use EDIV to calculate a quotient and a remainder:
+; The routine ends with comparing the resulting remainder with the
+; original divisor and if the remainder is larger, subtract the
+; original divisor from it, and increase the quotient by 1.  This is
+; done until the remainder is smaller than the divisor.
 ;
-; q'' = a2/b2
-; r'' = a2 - q''*b2
+; The complete algorithm looks like this:
 ;
-; If b' is 0, the quotient is already correct, we just need to adjust the
-; remainder:
+; d'    = d
+; l'    = l & 7
+; [h,l] = [h,l] >> 3
+; [q,r] = floor([h,l] / d)      # This is the EDIV operation
+; if (q < 0) q = -q             # I doubt this is necessary any more
 ;
-; if (b' == 0)
-;   {
-;     r = 2*r'' + a'
-;     q = q''
-;   }
-;
-; If b' is 1, we need to do other adjustements.  The first thought is the
-; following (note that r' will not always have the right value, but an
-; adjustement follows further down):
-;
-; if (b' == 1)
-;   {
-;     q' = q''
-;     r' = a - q'*b
-;
-; However, one can note the folowing relationship:
-;
-;                         r'' = a2 - q''*b2
-;                  =>   2*r'' = 2*a2 - 2*q''*b2
-;                             = { a = 2*a2 + a', b = 2*b2 + b' = 2*b2 + 1,
-;                                 q' = q'' }
-;                             = a - a' - q'*(b - 1)
-;                             = a - q'*b - a' + q'
-;                             = r' - a' + q'
-;                  =>     r'  = 2*r'' - q' + a'
+; r'    = r >> 29
+; if (d' >= 0)
+;   q'  = q >> 29
+;   q   = q << 3
+; else
+;   q'  = q >> 30
+;   q   = q << 2
+; r     = (r << 3) + l'
 ;
-; This enables us to use r'' instead of discarding and calculating another
-; modulo:
-;
-; if (b' == 1)
+; if (d' < 0)
 ;   {
-;     q' = q''
-;     r' = (r'' << 1) - q' + a'
-;
-; Now, all we have to do is adjust r', because it might be < 0:
-;
-;     while (r' < 0)
+;     [r',r] = [r',r] - q
+;     while ([r',r] < 0)
 ;       {
-;         r' = r' + b
-;         q' = q' - 1
+;         [r',r] = [r',r] + d
+;         [q',q] = [q',q] - 1
 ;       }
 ;   }
 ;
-; return q'
+; while ([r',r] >= d')
+;   {
+;     [r',r] = [r',r] - d'
+;     [q',q] = [q',q] + 1
+;   }
+;
+; return q
 
 h=4 ;(AP)       h       by value (input)
 l=8 ;(AP)       l       by value (input)
 d=12 ;(AP)      d       by value (input)
 
-;aprim=r5
-;a2=r6
-;a20=r6
-;a21=r7
-;bprim=r8
-;b2=r9
-;qprim=r10      ; initially used as q''
-;rprim=r11      ; initially used as r''
-
+;r2 = l, q
+;r3 = h, r
+;r4 = d
+;r5 = l'
+;r6 = r'
+;r7 = d'
+;r8 = q'
 
         .psect  code,nowrt
 
-.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
+.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8>
         movl    l(ap),r2
         movl    h(ap),r3
         movl    d(ap),r4
 
-        movl    #0,r5
-        movl    #0,r8
-        movl    #0,r0
-;       movl    #0,r1
+        bicl3   #^XFFFFFFF8,r2,r5 ; l' = l & 7
+        bicl3   #^X00000007,r2,r2
 
-        rotl    #-1,r2,r6       ; a20 = l >> 1 (almost)
-        rotl    #-1,r3,r7       ; a21 = h >> 1 (almost)
-        rotl    #-1,r4,r9       ; b2 = d >> 1 (almost)
+        bicl3   #^XFFFFFFF8,r3,r6
+        bicl3   #^X00000007,r3,r3
+        
+        addl    r6,r2
 
-        tstl    r6
-        bgeq    1$
-        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 0
-        incl    r5              ; a' = 1
-1$:
-        tstl    r7
-        bgeq    2$
-        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 1,
-                                ; since that's what was lowest in a21
-        xorl2   #^X80000000,r7  ; fixup a21 so highest bit is 1
-2$:
-        tstl    r9
+        rotl    #-3,r2,r2       ; l = l >> 3
+        rotl    #-3,r3,r3       ; h = h >> 3
+                
+        movl    r4,r7           ; d' = d
+
+        movl    #0,r6           ; r' = 0
+        movl    #0,r8           ; q' = 0
+
+        tstl    r4
         beql    666$            ; Uh-oh, the divisor is 0...
-        bgtr    3$
-        xorl2   #^X80000000,r9  ; fixup b2 so highest bit is 0
-        incl    r8              ; b' = 1
-3$:
-        tstl    r9
-        bneq    4$              ; if b2 is 0, we know that b' is 1
-        tstl    r3
-        bneq    666$            ; if higher half isn't 0, we overflow
-        movl    r2,r10          ; otherwise, we have our result
-        brb     42$             ; This is a success, really.
-4$:
-        ediv    r9,r6,r10,r11
-
-        tstl    r8
-        bneq    5$              ; If b' != 0, go to the other part
-;       addl3   r11,r11,r1
-;       addl2   r5,r1
-        brb     42$
-5$:
-        ashl    #1,r11,r11
-        subl2   r10,r11
-        addl2   r5,r11
-        bgeq    7$
-6$:
-        decl    r10
-        addl2   r4,r11
-        blss    6$
-7$:
-;       movl    r11,r1
+        bgtr    1$
+        rotl    #-1,r4,r4       ; If d is negative, shift it right.
+        bicl2   #^X80000000,r4  ; Since d is then a large number, the
+                                ; lowest bit is insignificant
+                                ; (contradict that, and I'll fix the problem!)
+1$:     
+        ediv    r4,r2,r2,r3     ; Do the actual division
+
+        tstl    r2
+        bgeq    3$
+        mnegl   r2,r2           ; if q < 0, negate it
+3$:     
+        tstl    r7
+        blss    4$
+        rotl    #3,r2,r2        ;   q = q << 3
+        bicl3   #^XFFFFFFF8,r2,r8 ;    q' gets the high bits from q
+        bicl3   #^X00000007,r2,r2
+        bsb     41$
+4$:                             ; else
+        rotl    #2,r2,r2        ;   q = q << 2
+        bicl3   #^XFFFFFFFC,r2,r8 ;   q' gets the high bits from q
+        bicl3   #^X00000003,r2,r2
+41$:
+        rotl    #3,r3,r3        ; r = r << 3
+        bicl3   #^XFFFFFFF8,r3,r6 ; r' gets the high bits from r
+        bicl3   #^X00000007,r3,r3
+        addl    r5,r3           ; r = r + l'
+
+        tstl    r7
+        bgeq    5$
+        bitl    #1,r7
+        beql    5$              ; if d' < 0 && d' & 1
+        subl    r2,r3           ;   [r',r] = [r',r] - [q',q]
+        sbwc    r8,r6
+45$:
+        bgeq    5$              ;   while r < 0
+        decl    r2              ;     [q',q] = [q',q] - 1
+        sbwc    #0,r8
+        addl    r7,r3           ;     [r',r] = [r',r] + d'
+        adwc    #0,r6
+        brb     45$
+
+; The return points are placed in the middle to keep a short distance from
+; all the branch points
 42$:
-        movl    r10,r0
+;       movl    r3,r1
+        movl    r2,r0
+        ret
 666$:
+        movl    #^XFFFFFFFF,r0
         ret
+
+5$:
+        tstl    r6
+        bneq    6$
+        cmpl    r3,r7
+        blssu   42$             ; while [r',r] >= d'
+6$:
+        subl    r7,r3           ;   [r',r] = [r',r] - d'
+        sbwc    #0,r6
+        incl    r2              ;   [q',q] = [q',q] + 1
+        adwc    #0,r8
+        brb     5$      
 
         .title  vax_bn_add_words  unsigned add of two arrays
 ;
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 8158a67374..3c8c540387 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -68,10 +68,6 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
-
 const int num0 = 100; /* number of tests */
 const int num1 = 50;  /* additional tests for some functions */
 const int num2 = 5;   /* number of tests for slow functions */
@@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx);
 int rand_neg(void);
 static int results=0;
 
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
-
 static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
 
@@ -141,10 +132,10 @@ int main(int argc, char *argv[])
 
 
         ctx=BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
 
         out=BIO_new(BIO_s_file());
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         if (outfile == NULL)
                 {
                 BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -154,7 +145,7 @@ int main(int argc, char *argv[])
                 if (!BIO_write_filename(out,outfile))
                         {
                         perror(outfile);
-                        exit(1);
+                        EXIT(1);
                         }
                 }
 
@@ -238,14 +229,14 @@ int main(int argc, char *argv[])
         BIO_free(out);
 
 /**/
-        exit(0);
+        EXIT(0);
 err:
         BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
                               * the failure, see test_bn in test/Makefile.ssl*/
         BIO_flush(out);
         ERR_load_crypto_strings();
         ERR_print_errors_fp(stderr);
-        exit(1);
+        EXIT(1);
         return(1);
         }
 
@@ -488,7 +479,7 @@ int test_mul(BIO *bp)
         BN_CTX *ctx;
 
         ctx = BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
         
         BN_init(&a);
         BN_init(&b);
@@ -726,7 +717,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
                         while ((l=ERR_get_error()))
                                 fprintf(stderr,"ERROR:%s\n",
                                         ERR_error_string(l,NULL));
-                        exit(1);
+                        EXIT(1);
                         }
                 if (bp != NULL)
                         {
diff --git a/src/lib/libcrypto/bn/divtest.c b/src/lib/libcrypto/bn/divtest.c
index 13ba86e3c4..d3fc688f33 100644
--- a/src/lib/libcrypto/bn/divtest.c
+++ b/src/lib/libcrypto/bn/divtest.c
@@ -1,7 +1,7 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 
-static int rand(n)
+static int Rand(n)
 {
     unsigned char x[2];
     RAND_pseudo_bytes(x,2);
@@ -26,8 +26,8 @@ main()
     BN_CTX *ctx=BN_CTX_new();
 
     for(;;) {
-        BN_pseudo_rand(a,rand(),0,0);
-        BN_pseudo_rand(b,rand(),0,0);
+        BN_pseudo_rand(a,Rand(),0,0);
+        BN_pseudo_rand(b,Rand(),0,0);
         if (BN_is_zero(b)) continue;
 
         BN_RECP_CTX_set(recp,b,ctx);
diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c
index 5ca570d1a8..b09cf88705 100644
--- a/src/lib/libcrypto/bn/exptest.c
+++ b/src/lib/libcrypto/bn/exptest.c
@@ -59,13 +59,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
+#include "../e_os.h"
+
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
 
 #define NUM_BITS        (BN_BITS*2)
 
@@ -86,7 +86,7 @@ int main(int argc, char *argv[])
         ERR_load_BN_strings();
 
         ctx=BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
         r_mont=BN_new();
         r_recp=BN_new();
         r_simple=BN_new();
@@ -99,7 +99,7 @@ int main(int argc, char *argv[])
 
         out=BIO_new(BIO_s_file());
 
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
         for (i=0; i<200; i++)
@@ -124,7 +124,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_mont() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 ret=BN_mod_exp_recp(r_recp,a,b,m,ctx);
@@ -132,7 +132,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_recp() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 ret=BN_mod_exp_simple(r_simple,a,b,m,ctx);
@@ -140,7 +140,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_simple() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 if (BN_cmp(r_simple, r_mont) == 0
@@ -163,7 +163,7 @@ int main(int argc, char *argv[])
                         printf("\nrecp     ="); BN_print(out,r_recp);
                         printf("\nmont     ="); BN_print(out,r_mont);
                         printf("\n");
-                        exit(1);
+                        EXIT(1);
                         }
                 }
         BN_free(r_mont);
@@ -177,11 +177,11 @@ int main(int argc, char *argv[])
         CRYPTO_mem_leaks(out);
         BIO_free(out);
         printf(" done\n");
-        exit(0);
+        EXIT(0);
 err:
         ERR_load_crypto_strings();
         ERR_print_errors(out);
-        exit(1);
+        EXIT(1);
         return(1);
         }
 
diff --git a/src/lib/libcrypto/cast/casttest.c b/src/lib/libcrypto/cast/casttest.c
index 099e790886..83e5a16c73 100644
--- a/src/lib/libcrypto/cast/casttest.c
+++ b/src/lib/libcrypto/cast/casttest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_CAST
 int main(int argc, char *argv[])
 {
@@ -224,7 +226,7 @@ int main(int argc, char *argv[])
       }
 #endif
 
-    exit(err);
+    EXIT(err);
     return(err);
     }
 #endif
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index dfcff11860..39e78c69e5 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -21,22 +21,10 @@ $!    		LIBRARY    To just compile the [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!              APPS       To just compile the [.xxx.EXE.CRYPTO]*.EXE
 $!              ALL        To do both LIBRARY and APPS
 $!
-$!  Specify RSAREF as P2 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG as P3 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P4 to try to compile under.
+$!  Specify which compiler at P3 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -45,16 +33,16 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P5, if defined, sets a TCP/IP library to use, through one of the following
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      TCPIP           for TCPIP (post UCX)
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!
-$!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P7, if defined, sets a choice of crypto methods to compile.
+$!  P6, if defined, sets a choice of crypto methods to compile.
 $!  WARNING: this should only be done to recompile some part of an already
 $!  fully compiled library.
 $!
@@ -93,7 +81,6 @@ $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
                   "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
                   "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
                   "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5"
-$ ENCRYPT_PROGRAMS = "DES,PKCS7"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
@@ -149,10 +136,6 @@ $! Define The CRYPTO-LIB We Are To Use.
 $!
 $ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB
 $!
-$! Define The RSAREF-LIB We Are To Use.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
 $!
 $ IF (F$SEARCH(LIB_NAME).EQS."")
@@ -175,7 +158,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -216,7 +199,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
         "tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ -
         "eng_openssl,eng_dyn,eng_cnf,"+ -
         "hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ -
-        "hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca"
+        "hw_cryptodev,hw_aep,hw_sureware,hw_4758_cca"
 $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
@@ -287,86 +270,6 @@ $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
 $!
-$! Check To See If We Are Going To Use RSAREF.
-$!
-$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES -
-      .AND. (BUILDALL .EQS. "TRUE" .OR. BUILDALL .EQS. "LIBRARY"))
-$ THEN
-$!
-$!  Check To See If The File [-.RSAREF]RSAREF.C Is Actually There.
-$!
-$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."")
-$   THEN
-$!
-$!    Tell The User That The File Doesn't Exist.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Exit The Build.
-$!
-$     GOTO EXIT
-$!
-$!  End The [-.RSAREF]RSAREF.C Check.
-$!
-$   ENDIF
-$!
-$!  Tell The User We Are Compiling The [-.RSAREF]RSAREF File.
-$!
-$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAREF File."
-$!
-$!  Compile [-.RSAREF]RSAREF.C
-$!
-$   CC/OBJECT='OBJ_DIR'RSAREF.OBJ SYS$DISK:[-.RSAREF]RSAREF.C
-$!
-$!  Add It To The Library.
-$!
-$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAREF.OBJ
-$!
-$!  Delete The Object File.
-$!
-$   DELETE 'OBJ_DIR'RSAREF.OBJ;*
-$!
-$!  Check To See If The File [-.RSAREF]RSAR_ERR.C Is Actually There.
-$!
-$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."")
-$   THEN
-$!
-$!    Tell The User That The File Doesn't Exist.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Exit The Build.
-$!
-$     GOTO EXIT
-$!
-$!  End The [-.RSAREF]RSAR_ERR.C File Check.
-$!
-$   ENDIF
-$!
-$!  Tell The User We Are Compiling The [-.RSAREF]RSAR_ERR File.
-$!
-$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAR_ERR File."
-$!
-$!  Compile [-.RSAREF]RSAR_ERR.C
-$!
-$   CC/OBJECT='OBJ_DIR'RSAR_ERR.OBJ SYS$DISK:[-.RSAREF]RSAR_ERR.C
-$!
-$!  Add It To The Library.
-$!
-$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAR_ERR.OBJ
-$!
-$!  Delete The Object File.
-$!
-$   DELETE 'OBJ_DIR'RSAR_ERR.OBJ;*
-$!
-$! End The RSAREF Check.
-$!
-$ ENDIF
-$!
 $! Figure Out What Other Modules We Are To Build.
 $!
 $ BUILD_SET:
@@ -639,74 +542,34 @@ $! Tell the user what happens
 $!
 $   WRITE SYS$OUTPUT "  ",APPLICATION,".exe"
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
 $!
 $   ON ERROR THEN GOTO NEXT_APPLICATION
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$     IF (TCPIP_LIB.NES."")
-$     THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Link With The RSAREF Library And NO TCP/IP Library.
+$   IF (TCPIP_LIB.NES."")
+$   THEN
 $!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
+$!    Link With A TCP/IP Library.
 $!
-$!    End The TCP/IP Library Check.
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+          'OBJ_DIR''APPLICATION_OBJECTS', -
+          'CRYPTO_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
 $!
-$     ENDIF
-$!
-$!   Else...
+$! Else...
 $!
 $   ELSE
 $!
-$!    Don't Link With The RSAREF Routines.
-$!
-$!
-$!    Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$     IF (TCPIP_LIB.NES."")
-$     THEN
-$!
-$!      Don't Link With The RSAREF Routines And TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS',-
-            'CRYPTO_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
+$!    Don't Link With A TCP/IP Library.
 $!
-$!    End The TCP/IP Library Check.
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+          'OBJ_DIR''APPLICATION_OBJECTS',-
+          'CRYPTO_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
 $!
-$     ENDIF
-$!
-$!   End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
 $   ENDIF
 $   GOTO NEXT_APPLICATION
@@ -912,75 +775,10 @@ $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
-$ P2 = "NORSAREF"
-$ IF (P2.EQS."NORSAREF")
+$ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P2.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else, Compile Using The RSAREF Library.
-$!
-$     ELSE
-$       RSAREF = "TRUE"
-$     ENDIF
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End The P2 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P3 Is Blank.
-$!
-$ IF (P3.EQS."NODEBUG")
-$ THEN
-$!
-$!   P3 Is NODEBUG, So Compile Without The Debugger Information.
+$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
 $!
 $    DEBUGGER = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -993,7 +791,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P3.EQS."DEBUG")
+$   IF (P2.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -1010,7 +808,7 @@ $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     DEBUG   :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "     NODEBUG :  Compile Without The Debugger Information."
@@ -1024,7 +822,7 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P3 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
@@ -1034,9 +832,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P6.
+$! Check To See If We Have A Option For P5.
 $!
-$ IF (P6.EQS."")
+$ IF (P5.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1058,13 +856,13 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P6 Check.
+$! End The P5 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P4 Is Blank.
+$! Check To See If P3 Is Blank.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -1077,7 +875,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P4 = "GNUC"
+$     P3 = "GNUC"
 $!
 $!  Else...
 $!
@@ -1090,7 +888,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P4 = "DECC"
+$       P3 = "DECC"
 $!
 $!    Else...
 $!
@@ -1098,7 +896,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P4 = "VAXC"
+$       P3 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -1112,9 +910,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -1124,7 +922,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P5 = "SOCKETSHR"
+$     P4 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -1144,7 +942,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P5 = "UCX"
+$       P4 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -1158,7 +956,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "TCPIP_TYPE_''P5',DSO_VMS"
+$ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -1168,12 +966,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
 $!
 $!    Check To See If The User Wanted DECC.
 $!
-$   IF (P4.EQS."DECC")
+$   IF (P3.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -1204,7 +1002,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P4.EQS."VAXC")
+$   IF (P3.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -1243,7 +1041,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P4.EQS."GNUC")
+$   IF (P3.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -1272,31 +1070,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Finish up the definition of CC.
 $!
 $   IF COMPILER .EQS. "DECC"
@@ -1315,7 +1088,7 @@ $     CC4DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
-$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P3 .NES. "DEBUG"
+$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
 $   THEN
 $     CC5 = CC + "/OPTIMIZE=NODISJOINT"
 $   ELSE
@@ -1334,7 +1107,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -1360,13 +1133,13 @@ $   WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
-     .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
+     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P5.EQS."SOCKETSHR"
+$   IF P4.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -1379,12 +1152,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P5.EQS."MULTINET"
+$   IF P4.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P5 = "UCX"
+$     P4 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -1392,7 +1165,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P5.EQS."UCX"
+$   IF P4.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1412,7 +1185,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
-$   IF P5.EQS."TCPIP"
+$   IF P4.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
@@ -1425,7 +1198,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P5.EQS."NONE"
+$   IF P4.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
@@ -1447,7 +1220,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1465,10 +1238,9 @@ $!
 $! Check if the user wanted to compile just a subset of all the encryption
 $! methods.
 $!
-$ IF P7 .NES. ""
+$ IF P6 .NES. ""
 $ THEN
-$   ENCRYPT_TYPES = P7
-$! NYI:   ENCRYPT_PROGRAMS = P7
+$   ENCRYPT_TYPES = P6
 $ ENDIF
 $!
 $!  Time To RETURN...
diff --git a/src/lib/libcrypto/des/FILES0 b/src/lib/libcrypto/des/FILES0
new file mode 100644
index 0000000000..4c7ea2de7a
--- /dev/null
+++ b/src/lib/libcrypto/des/FILES0
@@ -0,0 +1,96 @@
+/* General stuff */
+COPYRIGHT       - Copyright info.
+MODES.DES       - A description of the features of the different modes of DES.
+FILES           - This file.
+INSTALL         - How to make things compile.
+Imakefile       - For use with kerberos.
+README          - What this package is.
+VERSION         - Which version this is and what was changed.
+KERBEROS        - Kerberos version 4 notes.
+Makefile.PL     - An old makefile to build with perl5, not current.
+Makefile.ssl    - The SSLeay makefile
+Makefile.uni    - The normal unix makefile.
+GNUmakefile     - The makefile for use with glibc.
+makefile.bc     - A Borland C makefile
+times           - Some outputs from 'speed' on some machines.
+vms.com         - For use when compiling under VMS
+
+/* My SunOS des(1) replacement */
+des.c           - des(1) source code.
+des.man         - des(1) manual.
+
+/* Testing and timing programs. */
+destest.c       - Source for libdes.a test program.
+speed.c         - Source for libdes.a timing program.
+rpw.c           - Source for libdes.a testing password reading routines.
+
+/* libdes.a source code */
+des_crypt.man   - libdes.a manual page.
+des.h           - Public libdes.a header file.
+ecb_enc.c       - des_ecb_encrypt() source, this contains the basic DES code.
+ecb3_enc.c      - des_ecb3_encrypt() source.
+cbc_ckm.c       - des_cbc_cksum() source.
+cbc_enc.c       - des_cbc_encrypt() source.
+ncbc_enc.c      - des_cbc_encrypt() that is 'normal' in that it copies
+                  the new iv values back in the passed iv vector.
+ede_enc.c       - des_ede3_cbc_encrypt() cbc mode des using triple DES.
+cbc3_enc.c      - des_3cbc_encrypt() source, don't use this function.
+cfb_enc.c       - des_cfb_encrypt() source.
+cfb64enc.c      - des_cfb64_encrypt() cfb in 64 bit mode but setup to be
+                  used as a stream cipher.
+cfb64ede.c      - des_ede3_cfb64_encrypt() cfb in 64 bit mode but setup to be
+                  used as a stream cipher and using triple DES.
+ofb_enc.c       - des_cfb_encrypt() source.
+ofb64_enc.c     - des_ofb_encrypt() ofb in 64 bit mode but setup to be
+                  used as a stream cipher.
+ofb64ede.c      - des_ede3_ofb64_encrypt() ofb in 64 bit mode but setup to be
+                  used as a stream cipher and using triple DES.
+enc_read.c      - des_enc_read() source.
+enc_writ.c      - des_enc_write() source.
+pcbc_enc.c      - des_pcbc_encrypt() source.
+qud_cksm.c      - quad_cksum() source.
+rand_key.c      - des_random_key() source.
+read_pwd.c      - Source for des_read_password() plus related functions.
+set_key.c       - Source for des_set_key().
+str2key.c       - Covert a string of any length into a key.
+fcrypt.c        - A small, fast version of crypt(3).
+des_locl.h      - Internal libdes.a header file.
+podd.h          - Odd parity tables - used in des_set_key().
+sk.h            - Lookup tables used in des_set_key().
+spr.h           - What is left of the S tables - used in ecb_encrypt().
+des_ver.h       - header file for the external definition of the
+                  version string.
+des.doc         - SSLeay documentation for the library.
+
+/* The perl scripts - you can ignore these files they are only
+ * included for the curious */
+des.pl          - des in perl anyone? des_set_key and des_ecb_encrypt
+                  both done in a perl library.
+testdes.pl      - Testing program for des.pl
+doIP            - Perl script used to develop IP xor/shift code.
+doPC1           - Perl script used to develop PC1 xor/shift code.
+doPC2           - Generates sk.h.
+PC1             - Output of doPC1 should be the same as output from PC1.
+PC2             - used in development of doPC2.
+shifts.pl       - Perl library used by my perl scripts.
+
+/* I started making a perl5 dynamic library for libdes
+ * but did not fully finish, these files are part of that effort. */
+DES.pm
+DES.pod
+DES.xs
+t
+typemap
+
+/* The following are for use with sun RPC implementaions. */
+rpc_des.h
+rpc_enc.c
+
+/* The following are contibuted by Mark Murray <mark@grondar.za>.  They
+ * are not normally built into libdes due to machine specific routines
+ * contained in them.  They are for use in the most recent incarnation of
+ * export kerberos v 4 (eBones). */
+supp.c
+new_rkey.c
+
+
diff --git a/src/lib/libcrypto/des/des.c b/src/lib/libcrypto/des/des.c
index d8c846b23d..343135ff9e 100644
--- a/src/lib/libcrypto/des/des.c
+++ b/src/lib/libcrypto/des/des.c
@@ -427,7 +427,7 @@ void doencryption(void)
                                 k2[i-8]=k;
                         }
                 DES_set_key_unchecked(&k2,&ks2);
-                memset(k2,0,sizeof(k2));
+                OPENSSL_cleanse(k2,sizeof(k2));
                 }
         else if (longk || flag3)
                 {
@@ -435,7 +435,7 @@ void doencryption(void)
                         {
                         DES_string_to_2keys(key,&kk,&k2);
                         DES_set_key_unchecked(&k2,&ks2);
-                        memset(k2,0,sizeof(k2));
+                        OPENSSL_cleanse(k2,sizeof(k2));
                         }
                 else
                         DES_string_to_key(key,&kk);
@@ -457,8 +457,8 @@ void doencryption(void)
                         }
 
         DES_set_key_unchecked(&kk,&ks);
-        memset(key,0,sizeof(key));
-        memset(kk,0,sizeof(kk));
+        OPENSSL_cleanse(key,sizeof(key));
+        OPENSSL_cleanse(kk,sizeof(kk));
         /* woops - A bug that does not showup under unix :-( */
         memset(iv,0,sizeof(iv));
         memset(iv2,0,sizeof(iv2));
@@ -666,18 +666,18 @@ void doencryption(void)
                 if (l) fclose(CKSUM_OUT);
                 }
 problems:
-        memset(buf,0,sizeof(buf));
-        memset(obuf,0,sizeof(obuf));
-        memset(&ks,0,sizeof(ks));
-        memset(&ks2,0,sizeof(ks2));
-        memset(iv,0,sizeof(iv));
-        memset(iv2,0,sizeof(iv2));
-        memset(kk,0,sizeof(kk));
-        memset(k2,0,sizeof(k2));
-        memset(uubuf,0,sizeof(uubuf));
-        memset(b,0,sizeof(b));
-        memset(bb,0,sizeof(bb));
-        memset(cksum,0,sizeof(cksum));
+        OPENSSL_cleanse(buf,sizeof(buf));
+        OPENSSL_cleanse(obuf,sizeof(obuf));
+        OPENSSL_cleanse(&ks,sizeof(ks));
+        OPENSSL_cleanse(&ks2,sizeof(ks2));
+        OPENSSL_cleanse(iv,sizeof(iv));
+        OPENSSL_cleanse(iv2,sizeof(iv2));
+        OPENSSL_cleanse(kk,sizeof(kk));
+        OPENSSL_cleanse(k2,sizeof(k2));
+        OPENSSL_cleanse(uubuf,sizeof(uubuf));
+        OPENSSL_cleanse(b,sizeof(b));
+        OPENSSL_cleanse(bb,sizeof(bb));
+        OPENSSL_cleanse(cksum,sizeof(cksum));
         if (Exit) EXIT(Exit);
         }
 
diff --git a/src/lib/libcrypto/des/des_old.h b/src/lib/libcrypto/des/des_old.h
index 51b987422a..1d840b474a 100644
--- a/src/lib/libcrypto/des/des_old.h
+++ b/src/lib/libcrypto/des/des_old.h
@@ -88,14 +88,14 @@
  *
  */
 
-#ifndef HEADER_DES_OLD_H
-#define HEADER_DES_OLD_H
+#ifndef HEADER_DES_H
+#define HEADER_DES_H
 
 #ifdef OPENSSL_NO_DES
 #error DES is disabled.
 #endif
 
-#ifndef HEADER_DES_H
+#ifndef HEADER_NEW_DES_H
 #error You must include des.h, not des_old.h directly.
 #endif
 
@@ -173,10 +173,12 @@ typedef struct _ossl_old_des_ks_struct
         DES_fcrypt((b),(s),(r))
 #define des_crypt(b,s)\
         DES_crypt((b),(s))
+#if 0
 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
 #define crypt(b,s)\
         DES_crypt((b),(s))
 #endif
+#endif
 #define des_ofb_encrypt(i,o,n,l,k,iv)\
         DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv))
 #define des_pcbc_encrypt(i,o,l,k,iv,e)\
@@ -274,8 +276,10 @@ typedef struct _ossl_old_des_ks_struct
         _ossl_old_des_fcrypt((b),(s),(r))
 #define des_crypt(b,s)\
         _ossl_old_des_crypt((b),(s))
+#if 0
 #define crypt(b,s)\
         _ossl_old_crypt((b),(s))
+#endif
 #define des_ofb_encrypt(i,o,n,l,k,iv)\
         _ossl_old_des_ofb_encrypt((i),(o),(n),(l),(k),(iv))
 #define des_pcbc_encrypt(i,o,l,k,iv,e)\
diff --git a/src/lib/libcrypto/des/destest.c b/src/lib/libcrypto/des/destest.c
index 58e8c35dcb..687c00c792 100644
--- a/src/lib/libcrypto/des/destest.c
+++ b/src/lib/libcrypto/des/destest.c
@@ -84,9 +84,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/des.h>
 
-#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT)
 #define crypt(c,s) (des_crypt((c),(s)))
-#endif
 
 /* tisk tisk - the test keys don't all have odd parity :-( */
 /* test data */
@@ -322,7 +320,11 @@ static unsigned char ofb_cipher[24]=
         0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3
         };
 
+#if 0
 static DES_LONG cbc_cksum_ret=0xB462FEF7L;
+#else
+static DES_LONG cbc_cksum_ret=0xF7FE62B4L;
+#endif
 static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
 
 static char *pt(unsigned char *p);
diff --git a/src/lib/libcrypto/des/read2pwd.c b/src/lib/libcrypto/des/read2pwd.c
index b4720c3a98..3a63c4016c 100644
--- a/src/lib/libcrypto/des/read2pwd.c
+++ b/src/lib/libcrypto/des/read2pwd.c
@@ -120,8 +120,8 @@ int DES_read_password(DES_cblock *key, const char *prompt, int verify)
 
         if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
                 DES_string_to_key(buf,key);
-        memset(buf,0,BUFSIZ);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buf,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ok);
         }
 
@@ -133,7 +133,7 @@ int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt,
 
         if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
                 DES_string_to_2keys(buf,key1,key2);
-        memset(buf,0,BUFSIZ);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buf,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ok);
         }
diff --git a/src/lib/libcrypto/des/read_pwd.c b/src/lib/libcrypto/des/read_pwd.c
index 9061935f21..ce5fa00a37 100644
--- a/src/lib/libcrypto/des/read_pwd.c
+++ b/src/lib/libcrypto/des/read_pwd.c
@@ -101,8 +101,10 @@
 
 #ifdef WIN_CONSOLE_BUG
 #include <windows.h>
+#ifndef OPENSSL_SYS_WINCE
 #include <wincon.h>
 #endif
+#endif
 
 
 /* There are 5 types of terminal interface supported,
@@ -133,7 +135,7 @@
 #define SGTTY
 #endif
 
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 #undef TERMIOS
 #undef TERMIO
 #undef SGTTY
@@ -167,7 +169,7 @@
 #include <sys/ioctl.h>
 #endif
 
-#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) && !defined(OPENSSL_SYS_WINCE)
 #include <conio.h>
 #define fgets(a,b,c) noecho_fgets(a,b,c)
 #endif
@@ -218,11 +220,29 @@ int des_read_pw_string(char *buf, int length, const char *prompt,
         int ret;
 
         ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ret);
         }
 
-#ifndef OPENSSL_SYS_WIN16
+#ifdef OPENSSL_SYS_WINCE
+
+int des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify)
+        { 
+        memset(buf,0,size);
+        memset(buff,0,size);
+        return(0);
+        }
+
+#elif defined(OPENSSL_SYS_WIN16)
+
+int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
+        { 
+        memset(buf,0,size);
+        memset(buff,0,size);
+        return(0);
+        }
+
+#else /* !OPENSSL_SYS_WINCE && !OPENSSL_SYS_WIN16 */
 
 static void read_till_nl(FILE *in)
         {
@@ -274,7 +294,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 #ifdef OPENSSL_SYS_MSDOS
         if ((tty=fopen("con","r")) == NULL)
                 tty=stdin;
-#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS)
+#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VXWORKS)
         tty=stdin;
 #else
 #ifndef OPENSSL_SYS_MPE
@@ -393,17 +413,6 @@ error:
         return(!ok);
         }
 
-#else /* OPENSSL_SYS_WIN16 */
-
-int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
-        { 
-        memset(buf,0,size);
-        memset(buff,0,size);
-        return(0);
-        }
-
-#endif
-
 static void pushsig(void)
         {
         int i;
@@ -466,7 +475,7 @@ static void recsig(int i)
 #endif
         }
 
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+#ifdef OPENSSL_SYS_MSDOS
 static int noecho_fgets(char *buf, int size, FILE *tty)
         {
         int i;
@@ -509,3 +518,4 @@ static int noecho_fgets(char *buf, int size, FILE *tty)
         return(strlen(buf));
         }
 #endif
+#endif /* !OPENSSL_SYS_WINCE && !WIN16 */
diff --git a/src/lib/libcrypto/dh/dhtest.c b/src/lib/libcrypto/dh/dhtest.c
index 34894ced73..d75077f9fa 100644
--- a/src/lib/libcrypto/dh/dhtest.c
+++ b/src/lib/libcrypto/dh/dhtest.c
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c" 
-#endif
+
+#include "../e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
 #include <openssl/bn.h>
@@ -84,10 +84,6 @@ int main(int argc, char *argv[])
 #endif
 
 static void MS_CALLBACK cb(int p, int n, void *arg);
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
@@ -111,7 +107,7 @@ int main(int argc, char *argv[])
         RAND_seed(rnd_seed, sizeof rnd_seed);
 
         out=BIO_new(BIO_s_file());
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
         a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
@@ -195,7 +191,7 @@ err:
         CRYPTO_cleanup_all_ex_data();
         ERR_remove_state(0);
         CRYPTO_mem_leaks_fp(stderr);
-        exit(ret);
+        EXIT(ret);
         return(ret);
         }
 
diff --git a/src/lib/libcrypto/dsa/dsagen.c b/src/lib/libcrypto/dsa/dsagen.c
index a0b0976640..1b6a1cca0f 100644
--- a/src/lib/libcrypto/dsa/dsagen.c
+++ b/src/lib/libcrypto/dsa/dsagen.c
@@ -103,7 +103,7 @@ main()
                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
         memcpy(seed_buf,seed,20);
-        dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb);
+        dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb,bio_err);
 
         if (dsa == NULL)
                 DSA_print(bio_err,dsa,0);
diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c
index 12da64f9f4..4734ce4af8 100644
--- a/src/lib/libcrypto/dsa/dsatest.c
+++ b/src/lib/libcrypto/dsa/dsatest.c
@@ -61,14 +61,13 @@
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+
+#include "../e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/engine.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
 
 #ifdef OPENSSL_NO_DSA
 int main(int argc, char *argv[])
@@ -212,10 +211,16 @@ end:
                 BIO_free(bio_err);
                 bio_err = NULL;
                 }
-        exit(!ret);
+        EXIT(!ret);
         return(0);
         }
 
+static int cb_exit(int ec)
+        {
+        EXIT(ec);
+        return(0);              /* To keep some compilers quiet */
+        }
+
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
         {
         char c='*';
@@ -231,7 +236,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
         if (!ok && (p == 0) && (num > 1))
                 {
                 BIO_printf((BIO *)arg,"error in dsatest\n");
-                exit(1);
+                cb_exit(1);
                 }
         }
 #endif
diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c
index 195717e993..79d2cb4d8c 100644
--- a/src/lib/libcrypto/dso/dso_dl.c
+++ b/src/lib/libcrypto/dso/dso_dl.c
@@ -126,7 +126,7 @@ static int dl_load(DSO *dso)
                 DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
                 goto err;
                 }
-        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, NULL);
+        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L);
         if(ptr == NULL)
                 {
                 DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c
index af8586d754..6c30deb250 100644
--- a/src/lib/libcrypto/dso/dso_win32.c
+++ b/src/lib/libcrypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
 #include "cryptlib.h"
 #include <openssl/dso.h>
 
-#ifndef OPENSSL_SYS_WIN32
+#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
 DSO_METHOD *DSO_METHOD_win32(void)
         {
         return NULL;
diff --git a/src/lib/libcrypto/ec/ectest.c b/src/lib/libcrypto/ec/ectest.c
index eab46cc080..345d3e4289 100644
--- a/src/lib/libcrypto/ec/ectest.c
+++ b/src/lib/libcrypto/ec/ectest.c
@@ -55,6 +55,11 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
+#include "../e_os.h"
+#endif
 #include <string.h>
 #include <time.h>
 
@@ -65,14 +70,16 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
 
 
 #include <openssl/ec.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/err.h>
 
 #define ABORT do { \
         fflush(stdout); \
         fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
         ERR_print_errors_fp(stderr); \
-        exit(1); \
+        EXIT(1); \
 } while (0)
 
 #if 0
@@ -623,7 +630,9 @@ int main(int argc, char *argv[])
         if (P_384) EC_GROUP_free(P_384);
         if (P_521) EC_GROUP_free(P_521);
 
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_cleanup();
+#endif
         CRYPTO_cleanup_all_ex_data();
         ERR_free_strings();
         ERR_remove_state(0);
diff --git a/src/lib/libcrypto/engine/enginetest.c b/src/lib/libcrypto/engine/enginetest.c
index 87fa8c57b7..c2d0297392 100644
--- a/src/lib/libcrypto/engine/enginetest.c
+++ b/src/lib/libcrypto/engine/enginetest.c
@@ -56,9 +56,17 @@
  *
  */
 
-#include <openssl/e_os2.h>
 #include <stdio.h>
 #include <string.h>
+
+#ifdef OPENSSL_NO_ENGINE
+int main(int argc, char *argv[])
+{
+    printf("No ENGINE support\n");
+    return(0);
+}
+#else
+#include <openssl/e_os2.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
 #include <openssl/engine.h>
@@ -272,3 +280,4 @@ end:
         CRYPTO_mem_leaks_fp(stderr);
         return to_return;
         }
+#endif
diff --git a/src/lib/libcrypto/engine/hw_4758_cca.c b/src/lib/libcrypto/engine/hw_4758_cca.c
index bfb80968e2..4f5ae8a46d 100644
--- a/src/lib/libcrypto/engine/hw_4758_cca.c
+++ b/src/lib/libcrypto/engine/hw_4758_cca.c
@@ -223,6 +223,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_4758_cca(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -244,6 +245,7 @@ void ENGINE_load_4758cca(void)
         ENGINE_free(e_4758);
         ERR_clear_error();   
         }
+#endif
 
 static int ibm_4758_cca_destroy(ENGINE *e)
         {
@@ -715,7 +717,7 @@ static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 
         if (type == NID_sha1 || type == NID_md5)
                 {
-                memset(hashBuffer, keyLength+1, 0);
+                OPENSSL_cleanse(hashBuffer, keyLength+1);
                 OPENSSL_free(hashBuffer);
                 }
 
@@ -838,7 +840,7 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
 
         if (type == NID_sha1 || type == NID_md5)
                 {
-                memset(hashBuffer, keyLength+1, 0);
+                OPENSSL_cleanse(hashBuffer, keyLength+1);
                 OPENSSL_free(hashBuffer);
                 }
 
diff --git a/src/lib/libcrypto/engine/hw_atalla.c b/src/lib/libcrypto/engine/hw_atalla.c
index 6151c46902..e9eff9fad1 100644
--- a/src/lib/libcrypto/engine/hw_atalla.c
+++ b/src/lib/libcrypto/engine/hw_atalla.c
@@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_atalla(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +265,7 @@ void ENGINE_load_atalla(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the Atalla library. NB: This is only set (or unset) during an
diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c
index 7c3728f395..40af97ac24 100644
--- a/src/lib/libcrypto/engine/hw_cryptodev.c
+++ b/src/lib/libcrypto/engine/hw_cryptodev.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2002 Theo de Raadt
+ * Copyright (c) 2002 Markus Friedl
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28,33 +29,85 @@
  *
  */
 
-#include <sys/types.h>
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+
+#if (defined(__unix__) || defined(unix)) && !defined(USG)
 #include <sys/param.h>
+# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
+# define HAVE_CRYPTODEV
+# endif
+# if (OpenBSD >= 200110)
+# define HAVE_SYSLOG_R
+# endif
+#endif
+
+#ifndef HAVE_CRYPTODEV
+
+void
+ENGINE_load_cryptodev(void)
+{
+        /* This is a NOP on platforms without /dev/crypto */
+        return;
+}
+
+#else 
+
+#include <sys/types.h>
 #include <crypto/cryptodev.h>
 #include <sys/ioctl.h>
 #include <errno.h>
 #include <stdio.h>
 #include <unistd.h>
 #include <fcntl.h>
-#include <syslog.h>
 #include <stdarg.h>
-#include <ssl/objects.h>
-#include <ssl/engine.h>
-#include <ssl/evp.h>
+#include <syslog.h>
+#include <errno.h>
+#include <string.h>
 
-static int cryptodev_fd = -1;
-static int cryptodev_sessions = 0;
-static u_int32_t cryptodev_symfeat = 0;
+struct dev_crypto_state {
+        struct session_op d_sess;
+        int d_fd;
+};
 
+static u_int32_t cryptodev_asymfeat = 0;
+
+static int get_asym_dev_crypto(void);
+static int open_dev_crypto(void);
+static int get_dev_crypto(void);
+static int cryptodev_max_iv(int cipher);
+static int cryptodev_key_length_valid(int cipher, int len);
+static int cipher_nid_to_cryptodev(int nid);
+static int get_cryptodev_ciphers(const int **cnids);
+static int get_cryptodev_digests(const int **cnids);
+static int cryptodev_usable_ciphers(const int **nids);
+static int cryptodev_usable_digests(const int **nids);
+static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+    const unsigned char *in, unsigned int inl);
+static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int enc);
+static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
+static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+    const int **nids, int nid);
+static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+    const int **nids, int nid);
 static int bn2crparam(const BIGNUM *a, struct crparam *crp);
 static int crparam2bn(struct crparam *crp, BIGNUM *a);
 static void zapparams(struct crypt_kop *kop);
+static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
+    int slen, BIGNUM *s);
 
-static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
 static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
+    RSA *rsa);
+static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
 static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
+    BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
+    BN_CTX *ctx, BN_MONT_CTX *mont);
 static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst,
     int dlen, DSA *dsa);
 static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
@@ -64,6 +117,9 @@ static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
     BN_MONT_CTX *m_ctx);
 static int cryptodev_dh_compute_key(unsigned char *key,
     const BIGNUM *pub_key, DH *dh);
+static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
+    void (*f)());
+void ENGINE_load_cryptodev(void);
 
 static const ENGINE_CMD_DEFN cryptodev_defns[] = {
         { 0, NULL, NULL, 0 }
@@ -77,11 +133,10 @@ static struct {
 } ciphers[] = {
         { CRYPTO_DES_CBC,               NID_des_cbc,            8,       8, },
         { CRYPTO_3DES_CBC,              NID_des_ede3_cbc,       8,      24, },
-        { CRYPTO_AES_CBC,               NID_undef,              8,      24, },
+        { CRYPTO_AES_CBC,               NID_aes_128_cbc,        16,     16, },
         { CRYPTO_BLF_CBC,               NID_bf_cbc,             8,      16, },
-        { CRYPTO_CAST_CBC,              NID_cast5_cbc,          8,       8, },
+        { CRYPTO_CAST_CBC,              NID_cast5_cbc,          8,      16, },
         { CRYPTO_SKIPJACK_CBC,          NID_undef,              0,       0, },
-        { CRYPTO_ARC4,                  NID_rc4,                8,      16, },
         { 0,                            NID_undef,              0,       0, },
 };
 
@@ -99,33 +154,53 @@ static struct {
 };
 
 /*
- * Return 1 if /dev/crypto seems usable, 0 otherwise , also
- * does most of the work of initting the device, if not already
- * done.. This should leave is with global fd initialized with CRIOGET.
+ * Return a fd if /dev/crypto seems usable, 0 otherwise.
  */
 static int
-check_dev_crypto()
+open_dev_crypto(void)
 {
-        int fd;
+        static int fd = -1;
 
-        if (cryptodev_fd == -1) {
+        if (fd == -1) {
                 if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
-                        return (0);
-                if (ioctl(fd, CRIOGET, &cryptodev_fd) == -1) {
-                        close(fd);
-                        return (0);
-                }
-                close(fd);
+                        return (-1);
                 /* close on exec */
-                if (fcntl(cryptodev_fd, F_SETFD, 1) == -1) {
-                        close(cryptodev_fd);
-                        cryptodev_fd = -1;
-                        return (0);
+                if (fcntl(fd, F_SETFD, 1) == -1) {
+                        close(fd);
+                        fd = -1;
+                        return (-1);
                 }
         }
-        ioctl(cryptodev_fd, CIOCSYMFEAT, &cryptodev_symfeat);
+        return (fd);
+}
 
-        return (1);
+static int
+get_dev_crypto(void)
+{
+        int fd, retfd;
+
+        if ((fd = open_dev_crypto()) == -1)
+                return (-1);
+        if (ioctl(fd, CRIOGET, &retfd) == -1)
+                return (-1);
+
+        /* close on exec */
+        if (fcntl(retfd, F_SETFD, 1) == -1) {
+                close(retfd);
+                return (-1);
+        }
+        return (retfd);
+}
+
+/* Caching version for asym operations */
+static int
+get_asym_dev_crypto(void)
+{
+        static int fd = -1;
+
+        if (fd == -1)
+                fd = get_dev_crypto();
+        return fd;
 }
 
 /*
@@ -183,8 +258,12 @@ get_cryptodev_ciphers(const int **cnids)
 {
         static int nids[CRYPTO_ALGORITHM_MAX];
         struct session_op sess;
-        int i, count = 0;
+        int fd, i, count = 0;
 
+        if ((fd = get_dev_crypto()) < 0) {
+                *nids = NULL;
+                return (0);
+        }
         memset(&sess, 0, sizeof(sess));
         sess.key = (caddr_t)"123456781234567812345678";
 
@@ -194,10 +273,12 @@ get_cryptodev_ciphers(const int **cnids)
                 sess.cipher = ciphers[i].id;
                 sess.keylen = ciphers[i].keylen;
                 sess.mac = 0;
-                if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 &&
-                    ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1)
+                if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+                    ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
                         nids[count++] = ciphers[i].nid;
         }
+        close(fd);
+
         if (count > 0)
                 *cnids = nids;
         else
@@ -216,18 +297,24 @@ get_cryptodev_digests(const int **cnids)
 {
         static int nids[CRYPTO_ALGORITHM_MAX];
         struct session_op sess;
-        int i, count = 0;
+        int fd, i, count = 0;
 
+        if ((fd = get_dev_crypto()) < 0) {
+                *nids = NULL;
+                return (0);
+        }
         memset(&sess, 0, sizeof(sess));
         for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
                 if (digests[i].nid == NID_undef)
                         continue;
                 sess.mac = digests[i].id;
                 sess.cipher = 0;
-                if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 &&
-                    ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1)
+                if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
+                    ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
                         nids[count++] = digests[i].nid;
         }
+        close(fd);
+
         if (count > 0)
                 *cnids = nids;
         else
@@ -256,25 +343,15 @@ get_cryptodev_digests(const int **cnids)
  * want most of the decisions made about what we actually want
  * to use from /dev/crypto.
  */
-int
+static int
 cryptodev_usable_ciphers(const int **nids)
 {
-        if (!check_dev_crypto()) {
-                *nids = NULL;
-                return (0);
-        }
-
-        /* find what the device can do. Unfortunately, we don't
-         * necessarily want all of these yet, because we aren't
-         * yet set up to do them
-         */
         return (get_cryptodev_ciphers(nids));
 }
 
-int
+static int
 cryptodev_usable_digests(const int **nids)
 {
-#if 1
         /*
          * XXXX just disable all digests for now, because it sucks.
          * we need a better way to decide this - i.e. I may not
@@ -289,29 +366,19 @@ cryptodev_usable_digests(const int **nids)
          */
         *nids = NULL;
         return (0);
-#endif
-
-        if (!check_dev_crypto()) {
-                *nids = NULL;
-                return (0);
-        }
-        return (get_cryptodev_digests(nids));
 }
 
-
-int
+static int
 cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, unsigned int inl)
 {
         struct crypt_op cryp;
-        struct session_op *sess = ctx->cipher_data;
+        struct dev_crypto_state *state = ctx->cipher_data;
+        struct session_op *sess = &state->d_sess;
         void *iiv;
         unsigned char save_iv[EVP_MAX_IV_LENGTH];
-        struct syslog_data sd = SYSLOG_DATA_INIT;
 
-        if (cryptodev_fd == -1)
-                return (0);
-        if (sess == NULL)
+        if (state->d_fd < 0)
                 return (0);
         if (!inl)
                 return (1);
@@ -338,11 +405,10 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         } else
                 cryp.iv = NULL;
 
-        if (ioctl(cryptodev_fd, CIOCCRYPT, &cryp) == -1) {
+        if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) {
                 /* XXX need better errror handling
                  * this can fail for a number of different reasons.
                  */
-                syslog_r(LOG_ERR, &sd, "CIOCCRYPT failed (%m)");
                 return (0);
         }
 
@@ -356,20 +422,17 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         return (1);
 }
 
-int
+static int
 cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     const unsigned char *iv, int enc)
 {
-        struct session_op *sess = ctx->cipher_data;
-        struct syslog_data sd = SYSLOG_DATA_INIT;
+        struct dev_crypto_state *state = ctx->cipher_data;
+        struct session_op *sess = &state->d_sess;
         int cipher;
 
         if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
                 return (0);
 
-        if (!check_dev_crypto())
-                return (0);
-
         if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
                 return (0);
 
@@ -378,15 +441,18 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
         memset(sess, 0, sizeof(struct session_op));
 
+        if ((state->d_fd = get_dev_crypto()) < 0)
+                return (0);
+
         sess->key = (unsigned char *)key;
         sess->keylen = ctx->key_len;
         sess->cipher = cipher;
 
-        if (ioctl(cryptodev_fd, CIOCGSESSION, sess) == -1) {
-                syslog_r(LOG_ERR, &sd, "CIOCGSESSION failed (%m)");
+        if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
+                close(state->d_fd);
+                state->d_fd = -1;
                 return (0);
         }
-        cryptodev_sessions++;
         return (1);
 }
 
@@ -394,14 +460,14 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  * free anything we allocated earlier when initting a
  * session, and close the session.
  */
-int
+static int
 cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
 {
         int ret = 0;
-        struct session_op *sess = ctx->cipher_data;
-        struct syslog_data sd = SYSLOG_DATA_INIT;
+        struct dev_crypto_state *state = ctx->cipher_data;
+        struct session_op *sess = &state->d_sess;
 
-        if (sess == NULL)
+        if (state->d_fd < 0)
                 return (0);
 
         /* XXX if this ioctl fails, someting's wrong. the invoker
@@ -415,17 +481,14 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
          * print messages to users of the library. hmm..
          */
 
-        if (ioctl(cryptodev_fd, CIOCFSESSION, &sess->ses) == -1) {
-                syslog_r(LOG_ERR, &sd, "CIOCFSESSION failed (%m)");
+        if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) {
                 ret = 0;
         } else {
-                cryptodev_sessions--;
                 ret = 1;
         }
-        if (cryptodev_sessions == 0 && cryptodev_fd != -1 ) {
-                close(cryptodev_fd); /* XXX should this be closed? */
-                cryptodev_fd = -1;
-        }
+        close(state->d_fd);
+        state->d_fd = -1;
+
         return (ret);
 }
 
@@ -434,20 +497,6 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
  * gets called when libcrypto requests a cipher NID.
  */
 
-/* ARC4 (16 byte key) */
-const EVP_CIPHER cryptodev_arc4_cipher = {
-        NID_rc4,
-        1, 16, 0,
-        EVP_CIPH_VARIABLE_LENGTH,
-        cryptodev_init_key,
-        cryptodev_cipher,
-        cryptodev_cleanup,
-        sizeof(struct session_op),
-        NULL,
-        NULL,
-        NULL
-};
-
 /* DES CBC EVP */
 const EVP_CIPHER cryptodev_des_cbc = {
         NID_des_cbc,
@@ -456,7 +505,7 @@ const EVP_CIPHER cryptodev_des_cbc = {
         cryptodev_init_key,
         cryptodev_cipher,
         cryptodev_cleanup,
-        sizeof(struct session_op),
+        sizeof(struct dev_crypto_state),
         EVP_CIPHER_set_asn1_iv,
         EVP_CIPHER_get_asn1_iv,
         NULL
@@ -470,19 +519,57 @@ const EVP_CIPHER cryptodev_3des_cbc = {
         cryptodev_init_key,
         cryptodev_cipher,
         cryptodev_cleanup,
-        sizeof(struct session_op),
+        sizeof(struct dev_crypto_state),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+const EVP_CIPHER cryptodev_bf_cbc = {
+        NID_bf_cbc,
+        8, 16, 8,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct dev_crypto_state),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+const EVP_CIPHER cryptodev_cast_cbc = {
+        NID_cast5_cbc,
+        8, 16, 8,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct dev_crypto_state),
         EVP_CIPHER_set_asn1_iv,
         EVP_CIPHER_get_asn1_iv,
         NULL
 };
 
+const EVP_CIPHER cryptodev_aes_cbc = {
+        NID_aes_128_cbc,
+        16, 16, 16,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct dev_crypto_state),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
 
 /*
  * Registered by the ENGINE when used to find out how to deal with
  * a particular NID in the ENGINE. this says what we'll do at the
  * top level - note, that list is restricted by what we answer with
  */
-int
+static int
 cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
     const int **nids, int nid)
 {
@@ -490,15 +577,21 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                 return (cryptodev_usable_ciphers(nids));
 
         switch (nid) {
-        case NID_rc4:
-                *cipher = &cryptodev_arc4_cipher;
-                break;
         case NID_des_ede3_cbc:
                 *cipher = &cryptodev_3des_cbc;
                 break;
         case NID_des_cbc:
                 *cipher = &cryptodev_des_cbc;
                 break;
+        case NID_bf_cbc:
+                *cipher = &cryptodev_bf_cbc;
+                break;
+        case NID_cast5_cbc:
+                *cipher = &cryptodev_cast_cbc;
+                break;
+        case NID_aes_128_cbc:
+                *cipher = &cryptodev_aes_cbc;
+                break;
         default:
                 *cipher = NULL;
                 break;
@@ -506,7 +599,7 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
         return (*cipher != NULL);
 }
 
-int
+static int
 cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
     const int **nids, int nid)
 {
@@ -524,7 +617,6 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
         return (*digest != NULL);
 }
 
-
 /*
  * Convert a BIGNUM to the representation that /dev/crypto needs.
  * Upon completion of use, the caller is responsible for freeing
@@ -533,7 +625,7 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
 static int
 bn2crparam(const BIGNUM *a, struct crparam *crp)
 {
-        int i, j, n;
+        int i, j, k;
         ssize_t words, bytes, bits;
         u_char *b;
 
@@ -550,17 +642,13 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
         crp->crp_p = b;
         crp->crp_nbits = bits;
 
-        words = (bits + BN_BITS2 - 1) / BN_BITS2;
-
-        n = 0;
-        for (i = 0; i < words && n < bytes; i++) {
-                BN_ULONG word;
-
-                word = a->d[i];
-                for (j = 0 ; j < BN_BYTES && n < bytes; j++, n++) {
-                        *b++ = (word & 0xff);
-                        word >>= 8;
+        for (i = 0, j = 0; i < a->top; i++) {
+                for (k = 0; k < BN_BITS2 / 8; k++) {
+                        if ((j + k) >= bytes)
+                                return (0);
+                        b[j + k] = a->d[i] >> (k * 8);
                 }
+                j += BN_BITS2 / 8;
         }
         return (0);
 }
@@ -569,15 +657,22 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
 static int
 crparam2bn(struct crparam *crp, BIGNUM *a)
 {
+        u_int8_t *pd;
         int i, bytes;
 
-        bytes = (crp->crp_nbits + 7)/8;
+        bytes = (crp->crp_nbits + 7) / 8;
 
-        BN_zero(a);
-        for (i = bytes - 1; i >= 0; i--) {
-                BN_lshift(a, a, 8);
-                BN_add_word(a, (u_char)crp->crp_p[i]);
-        }
+        if (bytes == 0)
+                return (-1);
+
+        if ((pd = (u_int8_t *) malloc(bytes)) == NULL)
+                return (-1);
+
+        for (i = 0; i < bytes; i++)
+                pd[i] = crp->crp_p[bytes - i - 1];
+
+        BN_bin2bn(pd, bytes, a);
+        free(pd);
 
         return (0);
 }
@@ -596,25 +691,32 @@ zapparams(struct crypt_kop *kop)
 }
 
 static int
-cryptodev_sym(struct crypt_kop *kop, BIGNUM *r, BIGNUM *s)
+cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s)
 {
-        int ret = -1;
+        int fd, ret = -1;
+
+        if ((fd = get_asym_dev_crypto()) < 0)
+                return (ret);
 
         if (r) {
-                kop->crk_param[kop->crk_iparams].crp_p = malloc(256);
-                kop->crk_param[kop->crk_iparams].crp_nbits = 256 * 8;
+                kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char));
+                kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8;
                 kop->crk_oparams++;
         }
         if (s) {
-                kop->crk_param[kop->crk_iparams+1].crp_p = malloc(256);
-                kop->crk_param[kop->crk_iparams+1].crp_nbits = 256 * 8;
+                kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char));
+                kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8;
                 kop->crk_oparams++;
         }
 
-        if (ioctl(cryptodev_fd, CIOCKEY, &kop) == 0) {
-                crparam2bn(&kop->crk_param[3], r);
+        if (ioctl(fd, CIOCKEY, kop) == 0) {
+                if (r)
+                        crparam2bn(&kop->crk_param[kop->crk_iparams], r);
+                if (s)
+                        crparam2bn(&kop->crk_param[kop->crk_iparams+1], s);
                 ret = 0;
         }
+
         return (ret);
 }
 
@@ -623,38 +725,58 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 {
         struct crypt_kop kop;
-        int ret = 0;
+        int ret = 1;
+
+        /* Currently, we know we can do mod exp iff we can do any
+         * asymmetric operations at all.
+         */
+        if (cryptodev_asymfeat == 0) {
+                ret = BN_mod_exp(r, a, p, m, ctx);
+                return (ret);
+        }
 
         memset(&kop, 0, sizeof kop);
         kop.crk_op = CRK_MOD_EXP;
 
-        /* inputs: a m p */
+        /* inputs: a^p % m */
         if (bn2crparam(a, &kop.crk_param[0]))
                 goto err;
-        if (bn2crparam(m, &kop.crk_param[1]))
+        if (bn2crparam(p, &kop.crk_param[1]))
                 goto err;
-        if (bn2crparam(p, &kop.crk_param[2]))
+        if (bn2crparam(m, &kop.crk_param[2]))
                 goto err;
         kop.crk_iparams = 3;
 
-        if (cryptodev_sym(&kop, r, NULL) == -1) {
-                ret = BN_mod_exp(r, a, p, m, ctx);
+        if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
         }
 err:
         zapparams(&kop);
         return (ret);
 }
 
+static int
+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+{
+        int r;
+        BN_CTX *ctx;
+
+        ctx = BN_CTX_new();
+        r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
+        BN_CTX_free(ctx);
+        return (r);
+}
 
 static int
 cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 {
         struct crypt_kop kop;
-        int ret = 0;
+        int ret = 1;
 
         if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) {
                 /* XXX 0 means failure?? */
-                goto err;
+                return (0);
         }
 
         memset(&kop, 0, sizeof kop);
@@ -674,9 +796,8 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
                 goto err;
         kop.crk_iparams = 6;
 
-        if (cryptodev_sym(&kop, r0, NULL) == -1) {
+        if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
                 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
-
                 ret = (*meth->rsa_mod_exp)(r0, I, rsa);
         }
 err:
@@ -690,8 +811,8 @@ static RSA_METHOD cryptodev_rsa = {
         NULL,                           /* rsa_pub_dec */
         NULL,                           /* rsa_priv_enc */
         NULL,                           /* rsa_priv_dec */
-        cryptodev_rsa_mod_exp,          /* rsa_mod_exp */
-        cryptodev_bn_mod_exp,           /* bn_mod_exp */
+        NULL,
+        NULL,
         NULL,                           /* init */
         NULL,                           /* finish */
         0,                              /* flags */
@@ -707,6 +828,38 @@ cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
         return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
 }
 
+static int
+cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
+    BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p,
+    BN_CTX *ctx, BN_MONT_CTX *mont)
+{
+        BIGNUM t2;
+        int ret = 0;
+
+        BN_init(&t2);
+
+        /* v = ( g^u1 * y^u2 mod p ) mod q */
+        /* let t1 = g ^ u1 mod p */
+        ret = 0;
+
+        if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont))
+                goto err;
+
+        /* let t2 = y ^ u2 mod p */
+        if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont))
+                goto err;
+        /* let u1 = t1 * t2 mod p */
+        if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx))
+                goto err;
+
+        BN_copy(t1,u1);
+
+        ret = 1;
+err:
+        BN_free(&t2);
+        return(ret);
+}
+
 static DSA_SIG *
 cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 {
@@ -721,6 +874,7 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                 goto err;
         }
 
+        printf("bar\n");
         memset(&kop, 0, sizeof kop);
         kop.crk_op = CRK_DSA_SIGN;
 
@@ -737,13 +891,13 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                 goto err;
         kop.crk_iparams = 5;
 
-        if (cryptodev_sym(&kop, r, s) == 0) {
+        if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r,
+            BN_num_bytes(dsa->q), s) == 0) {
                 dsaret = DSA_SIG_new();
                 dsaret->r = r;
                 dsaret->s = s;
         } else {
                 const DSA_METHOD *meth = DSA_OpenSSL();
-
                 BN_free(r);
                 BN_free(s);
                 dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa);
@@ -759,7 +913,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
     DSA_SIG *sig, DSA *dsa)
 {
         struct crypt_kop kop;
-        int dsaret = 0;
+        int dsaret = 1;
 
         memset(&kop, 0, sizeof kop);
         kop.crk_op = CRK_DSA_VERIFY;
@@ -781,7 +935,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
                 goto err;
         kop.crk_iparams = 7;
 
-        if (cryptodev_sym(&kop, NULL, NULL) == 0) {
+        if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
                 dsaret = kop.crk_status;
         } else {
                 const DSA_METHOD *meth = DSA_OpenSSL();
@@ -796,11 +950,11 @@ err:
 
 static DSA_METHOD cryptodev_dsa = {
         "cryptodev DSA method",
-        cryptodev_dsa_do_sign,
+        NULL,
         NULL,                           /* dsa_sign_setup */
-        cryptodev_dsa_verify,
+        NULL,
         NULL,                           /* dsa_mod_exp */
-        cryptodev_dsa_bn_mod_exp,       /* bn_mod_exp */
+        NULL,
         NULL,                           /* init */
         NULL,                           /* finish */
         0,      /* flags */
@@ -819,8 +973,14 @@ static int
 cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 {
         struct crypt_kop kop;
-        int dhret = 0;
-        int keylen;
+        int dhret = 1;
+        int fd, keylen;
+
+        if ((fd = get_asym_dev_crypto()) < 0) {
+                const DH_METHOD *meth = DH_OpenSSL();
+
+                return ((meth->compute_key)(key, pub_key, dh));
+        }
 
         keylen = BN_num_bits(dh->p);
 
@@ -840,7 +1000,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         kop.crk_param[3].crp_nbits = keylen * 8;
         kop.crk_oparams = 1;
 
-        if (ioctl(cryptodev_fd, CIOCKEY, &kop) == -1) {
+        if (ioctl(fd, CIOCKEY, &kop) == -1) {
                 const DH_METHOD *meth = DH_OpenSSL();
 
                 dhret = (meth->compute_key)(key, pub_key, dh);
@@ -854,8 +1014,8 @@ err:
 static DH_METHOD cryptodev_dh = {
         "cryptodev DH method",
         NULL,                           /* cryptodev_dh_generate_key */
-        cryptodev_dh_compute_key,
-        cryptodev_mod_exp_dh,
+        NULL,
+        NULL,
         NULL,
         NULL,
         0,      /* flags */
@@ -869,12 +1029,18 @@ static DH_METHOD cryptodev_dh = {
 static int
 cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
 {
+#ifdef HAVE_SYSLOG_R
         struct syslog_data sd = SYSLOG_DATA_INIT;
+#endif
 
         switch (cmd) {
         default:
+#ifdef HAVE_SYSLOG_R
                 syslog_r(LOG_ERR, &sd,
                     "cryptodev_ctrl: unknown command %d", cmd);
+#else
+                syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd);
+#endif
                 break;
         }
         return (1);
@@ -884,14 +1050,24 @@ void
 ENGINE_load_cryptodev(void)
 {
         ENGINE *engine = ENGINE_new();
-        const RSA_METHOD *rsa_meth;
-        const DH_METHOD *dh_meth;
+        int fd;
 
         if (engine == NULL)
                 return;
+        if ((fd = get_dev_crypto()) < 0)
+                return;
+
+        /*
+         * find out what asymmetric crypto algorithms we support
+         */
+        if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
+                close(fd);
+                return;
+        }
+        close(fd);
 
         if (!ENGINE_set_id(engine, "cryptodev") ||
-            !ENGINE_set_name(engine, "OpenBSD cryptodev engine") ||
+            !ENGINE_set_name(engine, "BSD cryptodev engine") ||
             !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
             !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
             !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
@@ -900,27 +1076,57 @@ ENGINE_load_cryptodev(void)
                 return;
         }
 
-        if ((cryptodev_symfeat & CRSFEAT_RSA) &&
-            ENGINE_set_RSA(engine, &cryptodev_rsa)) {
-                rsa_meth = RSA_PKCS1_SSLeay();
+        if (ENGINE_set_RSA(engine, &cryptodev_rsa)) {
+                const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay();
+
+                cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp;
+                cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp;
                 cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc;
                 cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec;
-                cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_dec;
+                cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc;
                 cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec;
+                if (cryptodev_asymfeat & CRF_MOD_EXP) {
+                        cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp;
+                        if (cryptodev_asymfeat & CRF_MOD_EXP_CRT)
+                                cryptodev_rsa.rsa_mod_exp =
+                                    cryptodev_rsa_mod_exp;
+                        else
+                                cryptodev_rsa.rsa_mod_exp =
+                                    cryptodev_rsa_nocrt_mod_exp;
+                }
         }
 
-        if ((cryptodev_symfeat & CRSFEAT_DSA) &&
-            ENGINE_set_DSA(engine, &cryptodev_dsa)) {
+        if (ENGINE_set_DSA(engine, &cryptodev_dsa)) {
+                const DSA_METHOD *meth = DSA_OpenSSL();
+
+                memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD));
+                if (cryptodev_asymfeat & CRF_DSA_SIGN)
+                        cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign;
+                if (cryptodev_asymfeat & CRF_MOD_EXP) {
+                        cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp;
+                        cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp;
+                }
+                if (cryptodev_asymfeat & CRF_DSA_VERIFY)
+                        cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
         }
 
-        if ((cryptodev_symfeat & CRSFEAT_DH) &&
-            ENGINE_set_DH(engine, &cryptodev_dh)) {
-                dh_meth = DH_OpenSSL();
+        if (ENGINE_set_DH(engine, &cryptodev_dh)){
+                const DH_METHOD *dh_meth = DH_OpenSSL();
+
                 cryptodev_dh.generate_key = dh_meth->generate_key;
                 cryptodev_dh.compute_key = dh_meth->compute_key;
+                cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp;
+                if (cryptodev_asymfeat & CRF_MOD_EXP) {
+                        cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh;
+                        if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY)
+                                cryptodev_dh.compute_key =
+                                    cryptodev_dh_compute_key;
+                }
         }
 
         ENGINE_add(engine);
         ENGINE_free(engine);
         ERR_clear_error();
 }
+
+#endif /* HAVE_CRYPTODEV */
diff --git a/src/lib/libcrypto/engine/hw_cswift.c b/src/lib/libcrypto/engine/hw_cswift.c
index f5c897bdbb..f128ee5a68 100644
--- a/src/lib/libcrypto/engine/hw_cswift.c
+++ b/src/lib/libcrypto/engine/hw_cswift.c
@@ -121,6 +121,10 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 #endif
 
+/* RAND stuff */
+static int cswift_rand_bytes(unsigned char *buf, int num);
+static int cswift_rand_status(void);
+
 /* The definitions for control commands specific to this engine */
 #define CSWIFT_CMD_SO_PATH              ENGINE_CMD_BASE
 static const ENGINE_CMD_DEFN cswift_cmd_defns[] = {
@@ -183,6 +187,18 @@ static DH_METHOD cswift_dh =
         };
 #endif
 
+static RAND_METHOD cswift_random =
+    {
+    /* "CryptoSwift RAND method", */
+    NULL,
+    cswift_rand_bytes,
+    NULL,
+    NULL,
+    cswift_rand_bytes,
+    cswift_rand_status,
+    };
+
+
 /* Constants used when creating the ENGINE */
 static const char *engine_cswift_id = "cswift";
 static const char *engine_cswift_name = "CryptoSwift hardware engine support";
@@ -208,6 +224,7 @@ static int bind_helper(ENGINE *e)
 #ifndef OPENSSL_NO_DH
                         !ENGINE_set_DH(e, &cswift_dh) ||
 #endif
+                        !ENGINE_set_RAND(e, &cswift_random) ||
                         !ENGINE_set_destroy_function(e, cswift_destroy) ||
                         !ENGINE_set_init_function(e, cswift_init) ||
                         !ENGINE_set_finish_function(e, cswift_finish) ||
@@ -242,6 +259,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_cswift(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +282,7 @@ void ENGINE_load_cswift(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the CryptoSwift library. NB: This is only set (or unset) during an
@@ -905,6 +924,60 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
         }
 #endif
 
+/* Random bytes are good */
+static int cswift_rand_bytes(unsigned char *buf, int num)
+{
+        SW_CONTEXT_HANDLE hac;
+        SW_STATUS swrc;
+        SW_LARGENUMBER largenum;
+        size_t nbytes = 0;
+        int acquired = 0;
+        int to_return = 0; /* assume failure */
+
+        if (!get_context(&hac))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_UNIT_FAILURE);
+                goto err;
+        }
+        acquired = 1;
+
+        while (nbytes < (size_t)num)
+        {
+                /* tell CryptoSwift how many bytes we want and where we want it.
+                 * Note: - CryptoSwift cannot do more than 4096 bytes at a time.
+                 *       - CryptoSwift can only do multiple of 32-bits. */
+                largenum.value = (SW_BYTE *) buf + nbytes;
+                if (4096 > num - nbytes)
+                        largenum.nbytes = num - nbytes;
+                else
+                        largenum.nbytes = 4096;
+
+                swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+                if (swrc != SW_OK)
+                {
+                        char tmpbuf[20];
+                        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED);
+                        sprintf(tmpbuf, "%ld", swrc);
+                        ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+                        goto err;
+                }
+
+                nbytes += largenum.nbytes;
+        }
+        to_return = 1;  /* success */
+
+err:
+        if (acquired)
+                release_context(hac);
+        return to_return;
+}
+
+static int cswift_rand_status(void)
+{
+        return 1;
+}
+
+
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */
 #ifdef ENGINE_DYNAMIC_SUPPORT
diff --git a/src/lib/libcrypto/engine/hw_ncipher.c b/src/lib/libcrypto/engine/hw_ncipher.c
index a43d4360f2..0d1c6b8df0 100644
--- a/src/lib/libcrypto/engine/hw_ncipher.c
+++ b/src/lib/libcrypto/engine/hw_ncipher.c
@@ -91,11 +91,19 @@ static int hwcrhk_init(ENGINE *e);
 static int hwcrhk_finish(ENGINE *e);
 static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); 
 
-/* Functions to handle mutexes */
+/* Functions to handle mutexes if have dynamic locks */
 static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
 static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
+#if 1 /* This is a HACK which will disappear in 0.9.8 */
+/* Functions to handle mutexes if only have static locks */
+static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m,
+                                    HWCryptoHook_CallerContext *c);
+static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m);
+static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m);
+static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m);
+#endif
 
 /* BIGNUM stuff */
 static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -373,6 +381,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_ncipher(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -395,6 +404,7 @@ void ENGINE_load_chil(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the HWCryptoHook library. NB: This is only set (or unset) during an
@@ -558,15 +568,31 @@ static int hwcrhk_init(ENGINE *e)
 
         /* Check if the application decided to support dynamic locks,
            and if it does, use them. */
-        if (disable_mutex_callbacks == 0 &&
-                CRYPTO_get_dynlock_create_callback() != NULL &&
-                CRYPTO_get_dynlock_lock_callback() != NULL &&
-                CRYPTO_get_dynlock_destroy_callback() != NULL)
+        if (disable_mutex_callbacks == 0)
                 {
-                hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
-                hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
-                hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
-                hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                if (CRYPTO_get_dynlock_create_callback() != NULL &&
+                        CRYPTO_get_dynlock_lock_callback() != NULL &&
+                        CRYPTO_get_dynlock_destroy_callback() != NULL)
+                        {
+                        hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
+                        hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
+                        hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
+                        hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                        }
+                else if (CRYPTO_get_locking_callback() != NULL)
+                        {
+                        HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DYNAMIC_LOCKING_MISSING);
+                        ERR_add_error_data(1,"You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()");
+#if 1 /* This is a HACK which will disappear in 0.9.8 */
+                        hwcrhk_globals.maxmutexes    = 1; /* Only have one lock */
+                        hwcrhk_globals.mutex_init    = hwcrhk_static_mutex_init;
+                        hwcrhk_globals.mutex_acquire = hwcrhk_static_mutex_lock;
+                        hwcrhk_globals.mutex_release = hwcrhk_static_mutex_unlock;
+                        hwcrhk_globals.mutex_destroy = hwcrhk_static_mutex_destroy;
+#else
+                        goto err;
+#endif
+                        }
                 }
 
         /* Try and get a context - if not, we may have a DSO but no
@@ -1020,7 +1046,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 
                 /* Perform the operation */
                 ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q,
-                        m_dmp1, m_dmq1, m_iqmp, &m_r, NULL);
+                        m_dmp1, m_dmq1, m_iqmp, &m_r, &rmsg);
 
                 /* Convert the response */
                 r->top = m_r.size / sizeof(BN_ULONG);
@@ -1171,6 +1197,26 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt)
         CRYPTO_destroy_dynlockid(mt->lockid);
         }
 
+/* Mutex upcalls to use if the application does not support dynamic locks */
+
+static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m,
+        HWCryptoHook_CallerContext *c)
+        {
+        return 0;
+        }
+static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_HWCRHK);
+        return 0;
+        }
+static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m)
+        {
+        CRYPTO_w_unlock(CRYPTO_LOCK_HWCRHK);
+        }
+static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m)
+        {
+        }
+
 static int hwcrhk_get_pass(const char *prompt_info,
         int *len_io, char *buf,
         HWCryptoHook_PassphraseContext *ppctx,
@@ -1318,7 +1364,7 @@ static void hwcrhk_log_message(void *logstr, const char *message)
                 lstream=*(BIO **)logstr;
         if (lstream)
                 {
-                BIO_write(lstream, message, strlen(message));
+                BIO_printf(lstream, "%s\n", message);
                 }
         CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
         }
diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.c b/src/lib/libcrypto/engine/hw_ncipher_err.c
index 24024cfc6f..5bc94581b7 100644
--- a/src/lib/libcrypto/engine/hw_ncipher_err.c
+++ b/src/lib/libcrypto/engine/hw_ncipher_err.c
@@ -1,6 +1,6 @@
 /* hw_ncipher_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@ static ERR_STRING_DATA HWCRHK_str_reasons[]=
 {HWCRHK_R_CHIL_ERROR                     ,"chil error"},
 {HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
 {HWCRHK_R_DSO_FAILURE                    ,"dso failure"},
+{HWCRHK_R_DYNAMIC_LOCKING_MISSING        ,"dynamic locking missing"},
 {HWCRHK_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
 {HWCRHK_R_NOT_INITIALISED                ,"not initialised"},
 {HWCRHK_R_NOT_LOADED                     ,"not loaded"},
diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.h b/src/lib/libcrypto/engine/hw_ncipher_err.h
index 4d65b1d470..d232d02319 100644
--- a/src/lib/libcrypto/engine/hw_ncipher_err.h
+++ b/src/lib/libcrypto/engine/hw_ncipher_err.h
@@ -84,6 +84,7 @@ static void ERR_HWCRHK_error(int function, int reason, char *file, int line);
 #define HWCRHK_R_CHIL_ERROR                              102
 #define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
 #define HWCRHK_R_DSO_FAILURE                             104
+#define HWCRHK_R_DYNAMIC_LOCKING_MISSING                 114
 #define HWCRHK_R_MISSING_KEY_COMPONENTS                  105
 #define HWCRHK_R_NOT_INITIALISED                         106
 #define HWCRHK_R_NOT_LOADED                              107
diff --git a/src/lib/libcrypto/engine/hw_nuron.c b/src/lib/libcrypto/engine/hw_nuron.c
index 130b6d8b40..fb9188bfe5 100644
--- a/src/lib/libcrypto/engine/hw_nuron.c
+++ b/src/lib/libcrypto/engine/hw_nuron.c
@@ -374,6 +374,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_nuron(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -396,6 +397,7 @@ void ENGINE_load_nuron(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */      
diff --git a/src/lib/libcrypto/engine/hw_sureware.c b/src/lib/libcrypto/engine/hw_sureware.c
new file mode 100644
index 0000000000..fca467e690
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_sureware.c
@@ -0,0 +1,1039 @@
+/* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+* 
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+*    notice, this list of conditions and the following disclaimer. 
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in
+*    the documentation and/or other materials provided with the
+*    distribution.
+*
+* 3. All advertising materials mentioning features or use of this
+*    software must display the following acknowledgment:
+*    "This product includes software developed by the OpenSSL Project
+*    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+*
+* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+*    endorse or promote products derived from this software without
+*    prior written permission. For written permission, please contact
+*    licensing@OpenSSL.org.
+*
+* 5. Products derived from this software may not be called "OpenSSL"
+*    nor may "OpenSSL" appear in their names without prior written
+*    permission of the OpenSSL Project.
+*
+* 6. Redistributions of any form whatsoever must retain the following
+*    acknowledgment:
+*    "This product includes software developed by the OpenSSL Project
+*    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+*
+* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+*
+* Copyright@2001 Baltimore Technologies Ltd.
+* All right Reserved.
+*                                                                                                                                                                                               *       
+*               THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND                                                                                                                                                   *
+*               ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE                                   * 
+*               IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE                              *
+*               ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE                                             *
+*               FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL                              *
+*               DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS                                 *
+*               OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)                                   *
+*               HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT                              *
+*               LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY                               *
+*               OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF                                  *
+*               SUCH DAMAGE.                                                                                                                                                    *
+====================================================================*/
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/dso.h>
+#include "eng_int.h"
+#include "engine.h"
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_SUREWARE
+
+#ifdef FLAT_INC
+#include "sureware.h"
+#else
+#include "vendor_defns/sureware.h"
+#endif
+
+#define SUREWARE_LIB_NAME "sureware engine"
+#include "hw_sureware_err.c"
+
+static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int surewarehk_destroy(ENGINE *e);
+static int surewarehk_init(ENGINE *e);
+static int surewarehk_finish(ENGINE *e);
+static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx);
+
+/* RSA stuff */
+static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to,
+                        RSA *rsa,int padding);
+static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to,
+                            RSA *rsa,int padding);
+
+/* RAND stuff */
+static int surewarehk_rand_bytes(unsigned char *buf, int num);
+static void surewarehk_rand_seed(const void *buf, int num);
+static void surewarehk_rand_add(const void *buf, int num, double entropy);
+
+/* KM stuff */
+static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+        int idx,long argl, void *argp);
+#if 0
+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+        int idx,long argl, void *argp);
+#endif
+
+#ifndef OPENSSL_NO_RSA
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int surewarehk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+        return surewarehk_modexp(r, a, p, m, ctx);
+}
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD surewarehk_rsa =
+        {
+        "SureWare RSA method",
+        NULL, /* pub_enc*/
+        NULL, /* pub_dec*/
+        surewarehk_rsa_sign, /* our rsa_sign is OpenSSL priv_enc*/
+        surewarehk_rsa_priv_dec, /* priv_dec*/
+        NULL, /*mod_exp*/
+        surewarehk_mod_exp_mont, /*mod_exp_mongomery*/
+        NULL, /* init*/
+        NULL, /* finish*/
+        0,      /* RSA flag*/
+        NULL, 
+        NULL, /* OpenSSL sign*/
+        NULL  /* OpenSSL verify*/
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int surewarehk_modexp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+        return surewarehk_modexp(r, a, p, m, ctx);
+}
+
+static DH_METHOD surewarehk_dh =
+        {
+        "SureWare DH method",
+        NULL,/*gen_key*/
+        NULL,/*agree,*/
+        surewarehk_modexp_dh, /*dh mod exp*/
+        NULL, /* init*/
+        NULL, /* finish*/
+        0,    /* flags*/
+        NULL 
+        };
+#endif
+
+static RAND_METHOD surewarehk_rand =
+        {
+        /* "SureWare RAND method", */
+        surewarehk_rand_seed,
+        surewarehk_rand_bytes,
+        NULL,/*cleanup*/
+        surewarehk_rand_add,
+        surewarehk_rand_bytes,
+        NULL,/*rand_status*/
+        };
+
+#ifndef OPENSSL_NO_DSA
+/* DSA stuff */
+static  DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int surewarehk_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        BIGNUM t;
+        int to_return = 0;
+        BN_init(&t);
+        /* let rr = a1 ^ p1 mod m */
+        if (!surewarehk_modexp(rr,a1,p1,m,ctx)) goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!surewarehk_modexp(&t,a2,p2,m,ctx)) goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+        to_return = 1;
+end:
+        BN_free(&t);
+        return to_return;
+}
+
+static DSA_METHOD surewarehk_dsa =
+        {
+         "SureWare DSA method", 
+        surewarehk_dsa_do_sign,
+        NULL,/*sign setup*/
+        NULL,/*verify,*/
+        surewarehk_dsa_mod_exp,/*mod exp*/
+        NULL,/*bn mod exp*/
+        NULL, /*init*/
+        NULL,/*finish*/
+        0,
+        NULL,
+        };
+#endif
+
+static const char *engine_sureware_id = "sureware";
+static const char *engine_sureware_name = "SureWare hardware engine support";
+
+/* Now, to our own code */
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+static int bind_sureware(ENGINE *e)
+{
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+        const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD *meth3;
+#endif
+
+        if(!ENGINE_set_id(e, engine_sureware_id) ||
+           !ENGINE_set_name(e, engine_sureware_name) ||
+#ifndef OPENSSL_NO_RSA
+           !ENGINE_set_RSA(e, &surewarehk_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+           !ENGINE_set_DSA(e, &surewarehk_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+           !ENGINE_set_DH(e, &surewarehk_dh) ||
+#endif
+           !ENGINE_set_RAND(e, &surewarehk_rand) ||
+           !ENGINE_set_destroy_function(e, surewarehk_destroy) ||
+           !ENGINE_set_init_function(e, surewarehk_init) ||
+           !ENGINE_set_finish_function(e, surewarehk_finish) ||
+           !ENGINE_set_ctrl_function(e, surewarehk_ctrl) ||
+           !ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) ||
+           !ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey))
+          return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the cswift-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1 = RSA_PKCS1_SSLeay();
+        if (meth1)
+        {
+                surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+                surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        }
+#endif
+
+#ifndef OPENSSL_NO_DSA
+        /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+         * bits. */
+        meth2 = DSA_OpenSSL();
+        if (meth2)
+        {
+                surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify;
+        }
+#endif
+
+#ifndef OPENSSL_NO_DH
+        /* Much the same for Diffie-Hellman */
+        meth3 = DH_OpenSSL();
+        if (meth3)
+        {
+                surewarehk_dh.generate_key = meth3->generate_key;
+                surewarehk_dh.compute_key = meth3->compute_key;
+        }
+#endif
+
+        /* Ensure the sureware error handling is set up */
+        ERR_load_SUREWARE_strings();
+        return 1;
+}
+
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_helper(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_sureware_id) != 0))
+                return 0;
+        if(!bind_sureware(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#else
+static ENGINE *engine_sureware(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_sureware(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_sureware(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_sureware();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the SureWareHook library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *surewarehk_dso = NULL;
+#ifndef OPENSSL_NO_RSA
+static int rsaHndidx = -1;      /* Index for KM handle.  Not really used yet. */
+#endif
+#ifndef OPENSSL_NO_DSA
+static int dsaHndidx = -1;      /* Index for KM handle.  Not really used yet. */
+#endif
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static SureWareHook_Init_t *p_surewarehk_Init = NULL;
+static SureWareHook_Finish_t *p_surewarehk_Finish = NULL;
+static SureWareHook_Rand_Bytes_t *p_surewarehk_Rand_Bytes = NULL;
+static SureWareHook_Rand_Seed_t *p_surewarehk_Rand_Seed = NULL;
+static SureWareHook_Load_Privkey_t *p_surewarehk_Load_Privkey = NULL;
+static SureWareHook_Info_Pubkey_t *p_surewarehk_Info_Pubkey = NULL;
+static SureWareHook_Load_Rsa_Pubkey_t *p_surewarehk_Load_Rsa_Pubkey = NULL;
+static SureWareHook_Load_Dsa_Pubkey_t *p_surewarehk_Load_Dsa_Pubkey = NULL;
+static SureWareHook_Free_t *p_surewarehk_Free=NULL;
+static SureWareHook_Rsa_Priv_Dec_t *p_surewarehk_Rsa_Priv_Dec=NULL;
+static SureWareHook_Rsa_Sign_t *p_surewarehk_Rsa_Sign=NULL;
+static SureWareHook_Dsa_Sign_t *p_surewarehk_Dsa_Sign=NULL;
+static SureWareHook_Mod_Exp_t *p_surewarehk_Mod_Exp=NULL;
+
+/* Used in the DSO operations. */
+static const char *surewarehk_LIBNAME = "SureWareHook";
+static const char *n_surewarehk_Init = "SureWareHook_Init";
+static const char *n_surewarehk_Finish = "SureWareHook_Finish";
+static const char *n_surewarehk_Rand_Bytes="SureWareHook_Rand_Bytes";
+static const char *n_surewarehk_Rand_Seed="SureWareHook_Rand_Seed";
+static const char *n_surewarehk_Load_Privkey="SureWareHook_Load_Privkey";
+static const char *n_surewarehk_Info_Pubkey="SureWareHook_Info_Pubkey";
+static const char *n_surewarehk_Load_Rsa_Pubkey="SureWareHook_Load_Rsa_Pubkey";
+static const char *n_surewarehk_Load_Dsa_Pubkey="SureWareHook_Load_Dsa_Pubkey";
+static const char *n_surewarehk_Free="SureWareHook_Free";
+static const char *n_surewarehk_Rsa_Priv_Dec="SureWareHook_Rsa_Priv_Dec";
+static const char *n_surewarehk_Rsa_Sign="SureWareHook_Rsa_Sign";
+static const char *n_surewarehk_Dsa_Sign="SureWareHook_Dsa_Sign";
+static const char *n_surewarehk_Mod_Exp="SureWareHook_Mod_Exp";
+static BIO *logstream = NULL;
+
+/* SureWareHook library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. 
+*/
+static int threadsafe=1;
+static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+{
+        int to_return = 1;
+
+        switch(cmd)
+        {
+                case ENGINE_CTRL_SET_LOGSTREAM:
+                {
+                        BIO *bio = (BIO *)p;
+                        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                        if (logstream)
+                        {
+                                BIO_free(logstream);
+                                logstream = NULL;
+                        }
+                        if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
+                                logstream = bio;
+                        else
+                                SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,SUREWARE_R_BIO_WAS_FREED);
+                }
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+        /* This will prevent the initialisation function from "installing"
+         * the mutex-handling callbacks, even if they are available from
+         * within the library (or were provided to the library from the
+         * calling application). This is to remove any baggage for
+         * applications not using multithreading. */
+        case ENGINE_CTRL_CHIL_NO_LOCKING:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                threadsafe = 0;
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+
+        /* The command isn't understood by this engine */
+        default:
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,
+                        ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+                to_return = 0;
+                break;
+                }
+
+        return to_return;
+}
+
+/* Destructor (complements the "ENGINE_surewarehk()" constructor) */
+static int surewarehk_destroy(ENGINE *e)
+{
+        ERR_unload_SUREWARE_strings();
+        return 1;
+}
+
+/* (de)initialisation functions. */
+static int surewarehk_init(ENGINE *e)
+{
+        char msg[64]="ENGINE_init";
+        SureWareHook_Init_t *p1=NULL;
+        SureWareHook_Finish_t *p2=NULL;
+        SureWareHook_Rand_Bytes_t *p3=NULL;
+        SureWareHook_Rand_Seed_t *p4=NULL;
+        SureWareHook_Load_Privkey_t *p5=NULL;
+        SureWareHook_Load_Rsa_Pubkey_t *p6=NULL;
+        SureWareHook_Free_t *p7=NULL;
+        SureWareHook_Rsa_Priv_Dec_t *p8=NULL;
+        SureWareHook_Rsa_Sign_t *p9=NULL;
+        SureWareHook_Dsa_Sign_t *p12=NULL;
+        SureWareHook_Info_Pubkey_t *p13=NULL;
+        SureWareHook_Load_Dsa_Pubkey_t *p14=NULL;
+        SureWareHook_Mod_Exp_t *p15=NULL;
+
+        if(surewarehk_dso != NULL)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_ALREADY_LOADED);
+                goto err;
+        }
+        /* Attempt to load libsurewarehk.so/surewarehk.dll/whatever. */
+        surewarehk_dso = DSO_load(NULL, surewarehk_LIBNAME, NULL, 0);
+        if(surewarehk_dso == NULL)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+        }
+        if(!(p1=(SureWareHook_Init_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Init)) ||
+           !(p2=(SureWareHook_Finish_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Finish)) ||
+           !(p3=(SureWareHook_Rand_Bytes_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Bytes)) ||
+           !(p4=(SureWareHook_Rand_Seed_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Seed)) ||
+           !(p5=(SureWareHook_Load_Privkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Privkey)) ||
+           !(p6=(SureWareHook_Load_Rsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Rsa_Pubkey)) ||
+           !(p7=(SureWareHook_Free_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Free)) ||
+           !(p8=(SureWareHook_Rsa_Priv_Dec_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Priv_Dec)) ||
+           !(p9=(SureWareHook_Rsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Sign)) ||
+           !(p12=(SureWareHook_Dsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Dsa_Sign)) ||
+           !(p13=(SureWareHook_Info_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Info_Pubkey)) ||
+           !(p14=(SureWareHook_Load_Dsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Dsa_Pubkey)) ||
+           !(p15=(SureWareHook_Mod_Exp_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Mod_Exp)))
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+        }
+        /* Copy the pointers */
+        p_surewarehk_Init = p1;
+        p_surewarehk_Finish = p2;
+        p_surewarehk_Rand_Bytes = p3;
+        p_surewarehk_Rand_Seed = p4;
+        p_surewarehk_Load_Privkey = p5;
+        p_surewarehk_Load_Rsa_Pubkey = p6;
+        p_surewarehk_Free = p7;
+        p_surewarehk_Rsa_Priv_Dec = p8;
+        p_surewarehk_Rsa_Sign = p9;
+        p_surewarehk_Dsa_Sign = p12;
+        p_surewarehk_Info_Pubkey = p13;
+        p_surewarehk_Load_Dsa_Pubkey = p14;
+        p_surewarehk_Mod_Exp = p15;
+        /* Contact the hardware and initialises it. */
+        if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE);
+                goto err;
+        }
+        if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE);
+                goto err;
+        }
+        /* try to load the default private key, if failed does not return a failure but
+           wait for an explicit ENGINE_load_privakey */
+        surewarehk_load_privkey(e,NULL,NULL,NULL);
+
+        /* Everything's fine. */
+#ifndef OPENSSL_NO_RSA
+        if (rsaHndidx == -1)
+                rsaHndidx = RSA_get_ex_new_index(0,
+                                                "SureWareHook RSA key handle",
+                                                NULL, NULL, surewarehk_ex_free);
+#endif
+#ifndef OPENSSL_NO_DSA
+        if (dsaHndidx == -1)
+                dsaHndidx = DSA_get_ex_new_index(0,
+                                                "SureWareHook DSA key handle",
+                                                NULL, NULL, surewarehk_ex_free);
+#endif
+
+        return 1;
+err:
+        if(surewarehk_dso)
+                DSO_free(surewarehk_dso);
+        surewarehk_dso = NULL;
+        p_surewarehk_Init = NULL;
+        p_surewarehk_Finish = NULL;
+        p_surewarehk_Rand_Bytes = NULL;
+        p_surewarehk_Rand_Seed = NULL;
+        p_surewarehk_Load_Privkey = NULL;
+        p_surewarehk_Load_Rsa_Pubkey = NULL;
+        p_surewarehk_Free = NULL;
+        p_surewarehk_Rsa_Priv_Dec = NULL;
+        p_surewarehk_Rsa_Sign = NULL;
+        p_surewarehk_Dsa_Sign = NULL;
+        p_surewarehk_Info_Pubkey = NULL;
+        p_surewarehk_Load_Dsa_Pubkey = NULL;
+        p_surewarehk_Mod_Exp = NULL;
+        return 0;
+}
+
+static int surewarehk_finish(ENGINE *e)
+{
+        int to_return = 1;
+        if(surewarehk_dso == NULL)
+                {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_NOT_LOADED);
+                to_return = 0;
+                goto err;
+                }
+        p_surewarehk_Finish();
+        if(!DSO_free(surewarehk_dso))
+                {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_DSO_FAILURE);
+                to_return = 0;
+                goto err;
+                }
+ err:
+        if (logstream)
+                BIO_free(logstream);
+        surewarehk_dso = NULL;
+        p_surewarehk_Init = NULL;
+        p_surewarehk_Finish = NULL;
+        p_surewarehk_Rand_Bytes = NULL;
+        p_surewarehk_Rand_Seed = NULL;
+        p_surewarehk_Load_Privkey = NULL;
+        p_surewarehk_Load_Rsa_Pubkey = NULL;
+        p_surewarehk_Free = NULL;
+        p_surewarehk_Rsa_Priv_Dec = NULL;
+        p_surewarehk_Rsa_Sign = NULL;
+        p_surewarehk_Dsa_Sign = NULL;
+        p_surewarehk_Info_Pubkey = NULL;
+        p_surewarehk_Load_Dsa_Pubkey = NULL;
+        p_surewarehk_Mod_Exp = NULL;
+        return to_return;
+}
+
+static void surewarehk_error_handling(char *const msg,int func,int ret)
+{
+        switch (ret)
+        {
+                case SUREWAREHOOK_ERROR_UNIT_FAILURE:
+                        ENGINEerr(func,SUREWARE_R_UNIT_FAILURE);
+                        break;
+                case SUREWAREHOOK_ERROR_FALLBACK:
+                        ENGINEerr(func,SUREWARE_R_REQUEST_FALLBACK);
+                        break;
+                case SUREWAREHOOK_ERROR_DATA_SIZE:
+                        ENGINEerr(func,SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                        break;
+                case SUREWAREHOOK_ERROR_INVALID_PAD:
+                        ENGINEerr(func,RSA_R_PADDING_CHECK_FAILED);
+                        break;
+                default:
+                        ENGINEerr(func,SUREWARE_R_REQUEST_FAILED);
+                        break;
+                case 1:/*nothing*/
+                        msg[0]='\0';
+        }
+        if (*msg)
+        {
+                ERR_add_error_data(1,msg);
+                if (logstream)
+                {
+                        CRYPTO_w_lock(CRYPTO_LOCK_BIO);
+                        BIO_write(logstream, msg, strlen(msg));
+                        CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
+                }
+        }
+}
+
+static int surewarehk_rand_bytes(unsigned char *buf, int num)
+{
+        int ret=0;
+        char msg[64]="ENGINE_rand_bytes";
+        if(!p_surewarehk_Rand_Bytes)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+        {
+                ret = p_surewarehk_Rand_Bytes(msg,buf, num);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_BYTES,ret);
+        }
+        return ret==1 ? 1 : 0;
+}
+
+static void surewarehk_rand_seed(const void *buf, int num)
+{
+        int ret=0;
+        char msg[64]="ENGINE_rand_seed";
+        if(!p_surewarehk_Rand_Seed)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_SEED,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+        {
+                ret = p_surewarehk_Rand_Seed(msg,buf, num);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_SEED,ret);
+        }
+}
+
+static void surewarehk_rand_add(const void *buf, int num, double entropy)
+{
+        surewarehk_rand_seed(buf,num);
+}
+
+static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype)
+{
+        EVP_PKEY *res = NULL;
+#ifndef OPENSSL_NO_RSA
+        RSA *rsatmp = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+        DSA *dsatmp=NULL;
+#endif
+        char msg[64]="sureware_load_public";
+        int ret=0;
+        if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED);
+                goto err;
+        }
+        switch (keytype)
+        {
+#ifndef OPENSSL_NO_RSA
+        case 1: /*RSA*/
+                /* set private external reference */
+                rsatmp = RSA_new_method(e);
+                RSA_set_ex_data(rsatmp,rsaHndidx,hptr);
+                rsatmp->flags |= RSA_FLAG_EXT_PKEY;
+
+                /* set public big nums*/
+                rsatmp->e = BN_new();
+                rsatmp->n = BN_new();
+                bn_expand2(rsatmp->e, el/sizeof(BN_ULONG));
+                bn_expand2(rsatmp->n, el/sizeof(BN_ULONG));
+                if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))|| 
+                        !rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG)))
+                        goto err;
+                ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el,
+                                                 (unsigned long *)rsatmp->n->d,
+                                                 (unsigned long *)rsatmp->e->d);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret);
+                if (ret!=1)
+                {
+                        SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+                        goto err;
+                }
+                /* normalise pub e and pub n */
+                rsatmp->e->top=el/sizeof(BN_ULONG);
+                bn_fix_top(rsatmp->e);
+                rsatmp->n->top=el/sizeof(BN_ULONG);
+                bn_fix_top(rsatmp->n);
+                /* create an EVP object: engine + rsa key */
+                res = EVP_PKEY_new();
+                EVP_PKEY_assign_RSA(res, rsatmp);
+                break;
+#endif
+
+#ifndef OPENSSL_NO_DSA
+        case 2:/*DSA*/
+                /* set private/public external reference */
+                dsatmp = DSA_new_method(e);
+                DSA_set_ex_data(dsatmp,dsaHndidx,hptr);
+                /*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/
+
+                /* set public key*/
+                dsatmp->pub_key = BN_new();
+                dsatmp->p = BN_new();
+                dsatmp->q = BN_new();
+                dsatmp->g = BN_new();
+                bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG));
+                bn_expand2(dsatmp->p, el/sizeof(BN_ULONG));
+                bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG));
+                bn_expand2(dsatmp->g, el/sizeof(BN_ULONG));
+                if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))|| 
+                        !dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) ||
+                        !dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) ||
+                        !dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG)))
+                        goto err;
+
+                ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el,
+                                                 (unsigned long *)dsatmp->pub_key->d, 
+                                                 (unsigned long *)dsatmp->p->d,
+                                                 (unsigned long *)dsatmp->q->d,
+                                                 (unsigned long *)dsatmp->g->d);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret);
+                if (ret!=1)
+                {
+                        SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+                        goto err;
+                }
+                /* set parameters */
+                /* normalise pubkey and parameters in case of */
+                dsatmp->pub_key->top=el/sizeof(BN_ULONG);
+                bn_fix_top(dsatmp->pub_key);
+                dsatmp->p->top=el/sizeof(BN_ULONG);
+                bn_fix_top(dsatmp->p);
+                dsatmp->q->top=20/sizeof(BN_ULONG);
+                bn_fix_top(dsatmp->q);
+                dsatmp->g->top=el/sizeof(BN_ULONG);
+                bn_fix_top(dsatmp->g);
+
+                /* create an EVP object: engine + rsa key */
+                res = EVP_PKEY_new();
+                EVP_PKEY_assign_DSA(res, dsatmp);
+                break;
+#endif
+
+        default:
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+        }
+        return res;
+ err:
+        if (res)
+                EVP_PKEY_free(res);
+#ifndef OPENSSL_NO_RSA
+        if (rsatmp)
+                RSA_free(rsatmp);
+#endif
+#ifndef OPENSSL_NO_DSA
+        if (dsatmp)
+                DSA_free(dsatmp);
+#endif
+        return NULL;
+}
+
+static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id,
+                                         UI_METHOD *ui_method, void *callback_data)
+{
+        EVP_PKEY *res = NULL;
+        int ret=0;
+        unsigned long el=0;
+        char *hptr=NULL;
+        char keytype=0;
+        char msg[64]="ENGINE_load_privkey";
+
+        if(!p_surewarehk_Load_Privkey)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+        {
+                ret=p_surewarehk_Load_Privkey(msg,key_id,&hptr,&el,&keytype);
+                if (ret!=1)
+                {
+                        SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+                        ERR_add_error_data(1,msg);              
+                }
+                else
+                        res=sureware_load_public(e,key_id,hptr,el,keytype);
+        }
+        return res;
+}
+
+static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id,
+                                         UI_METHOD *ui_method, void *callback_data)
+{
+        EVP_PKEY *res = NULL;
+        int ret=0;
+        unsigned long el=0;
+        char *hptr=NULL;
+        char keytype=0;
+        char msg[64]="ENGINE_load_pubkey";
+
+        if(!p_surewarehk_Info_Pubkey)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+        {
+                /* call once to identify if DSA or RSA */
+                ret=p_surewarehk_Info_Pubkey(msg,key_id,&el,&keytype);
+                if (ret!=1)
+                {
+                        SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+                        ERR_add_error_data(1,msg);
+                }
+                else
+                        res=sureware_load_public(e,key_id,hptr,el,keytype);
+        }
+        return res;
+}
+
+/* This cleans up an RSA/DSA KM key(do not destroy the key into the hardware)
+, called when ex_data is freed */
+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+        int idx,long argl, void *argp)
+{
+        if(!p_surewarehk_Free)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+                p_surewarehk_Free((char *)item,0);
+}
+
+#if 0
+/* This cleans up an DH KM key (destroys the key into hardware), 
+called when ex_data is freed */
+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+        int idx,long argl, void *argp)
+{
+        if(!p_surewarehk_Free)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+                p_surewarehk_Free((char *)item,1);
+}
+#endif
+
+/*
+* return number of decrypted bytes
+*/
+#ifndef OPENSSL_NO_RSA
+static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to,
+                        RSA *rsa,int padding)
+{
+        int ret=0,tlen;
+        char *buf=NULL,*hptr=NULL;
+        char msg[64]="ENGINE_rsa_priv_dec";
+        if (!p_surewarehk_Rsa_Priv_Dec)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_NOT_INITIALISED);
+        }
+        /* extract ref to private key */
+        else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_MISSING_KEY_COMPONENTS);
+                goto err;
+        }
+        /* analyse what padding we can do into the hardware */
+        if (padding==RSA_PKCS1_PADDING)
+        {
+                /* do it one shot */
+                ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret);
+                if (ret!=1)
+                        goto err;
+                ret=tlen;
+        }
+        else /* do with no padding into hardware */
+        {
+                ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_NO_PAD);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret);
+                if (ret!=1)
+                        goto err;
+                /* intermediate buffer for padding */
+                if ((buf=OPENSSL_malloc(tlen)) == NULL)
+                {
+                        RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                memcpy(buf,to,tlen);/* transfert to into buf */
+                switch (padding) /* check padding in software */
+                {
+#ifndef OPENSSL_NO_SHA
+                case RSA_PKCS1_OAEP_PADDING:
+                        ret=RSA_padding_check_PKCS1_OAEP(to,tlen,(unsigned char *)buf,tlen,tlen,NULL,0);
+                        break;
+#endif
+                case RSA_SSLV23_PADDING:
+                        ret=RSA_padding_check_SSLv23(to,tlen,(unsigned char *)buf,flen,tlen);
+                        break;
+                case RSA_NO_PADDING:
+                        ret=RSA_padding_check_none(to,tlen,(unsigned char *)buf,flen,tlen);
+                        break;
+                default:
+                        RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_UNKNOWN_PADDING_TYPE);
+                        goto err;
+                }
+                if (ret < 0)
+                        RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_PADDING_CHECK_FAILED);
+        }
+err:
+        if (buf)
+        {
+                OPENSSL_cleanse(buf,tlen);
+                OPENSSL_free(buf);
+        }
+        return ret;
+}
+
+/*
+* Does what OpenSSL rsa_priv_enc does.
+*/
+static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to,
+                            RSA *rsa,int padding)
+{
+        int ret=0,tlen;
+        char *hptr=NULL;
+        char msg[64]="ENGINE_rsa_sign";
+        if (!p_surewarehk_Rsa_Sign)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ENGINE_R_NOT_INITIALISED);
+        }
+        /* extract ref to private key */
+        else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,SUREWARE_R_MISSING_KEY_COMPONENTS);
+        }
+        else
+        {
+                switch (padding)
+                {
+                case RSA_PKCS1_PADDING: /* do it in one shot */
+                        ret=p_surewarehk_Rsa_Sign(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);
+                        surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ret);
+                        break;
+                case RSA_NO_PADDING:
+                default:
+                        RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,RSA_R_UNKNOWN_PADDING_TYPE);
+                }
+        }
+        return ret==1 ? tlen : ret;
+}
+
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* DSA sign and verify */
+static  DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *from, int flen, DSA *dsa)
+{
+        int ret=0;
+        char *hptr=NULL;
+        DSA_SIG *psign=NULL;
+        char msg[64]="ENGINE_dsa_do_sign";
+        if (!p_surewarehk_Dsa_Sign)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_NOT_INITIALISED);
+        }
+        /* extract ref to private key */
+        else if (!(hptr=DSA_get_ex_data(dsa, dsaHndidx)))
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,SUREWARE_R_MISSING_KEY_COMPONENTS);
+        }
+        else
+        {
+                if((psign = DSA_SIG_new()) == NULL)
+                {
+                        SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                psign->r=BN_new();
+                psign->s=BN_new();
+                bn_expand2(psign->r, 20/sizeof(BN_ULONG));
+                bn_expand2(psign->s, 20/sizeof(BN_ULONG));
+                if (!psign->r || psign->r->dmax!=20/sizeof(BN_ULONG) ||
+                        !psign->s || psign->s->dmax!=20/sizeof(BN_ULONG))
+                        goto err;
+                ret=p_surewarehk_Dsa_Sign(msg,flen,from,
+                                          (unsigned long *)psign->r->d,
+                                          (unsigned long *)psign->s->d,
+                                          hptr);
+                surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ret);
+        }
+        psign->r->top=20/sizeof(BN_ULONG);
+        bn_fix_top(psign->r);
+        psign->s->top=20/sizeof(BN_ULONG);
+        bn_fix_top(psign->s);
+
+err:    
+        if (psign)
+        {
+                DSA_SIG_free(psign);
+                psign=NULL;
+        }
+        return psign;
+}
+#endif
+
+static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                             const BIGNUM *m, BN_CTX *ctx)
+{
+        int ret=0;
+        char msg[64]="ENGINE_modexp";
+        if (!p_surewarehk_Mod_Exp)
+        {
+                SUREWAREerr(SUREWARE_F_SUREWAREHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+        }
+        else
+        {
+                bn_expand2(r,m->top);
+                if (r && r->dmax==m->top)
+                {
+                        /* do it*/
+                        ret=p_surewarehk_Mod_Exp(msg,
+                                                 m->top*sizeof(BN_ULONG),
+                                                 (unsigned long *)m->d,
+                                                 p->top*sizeof(BN_ULONG),
+                                                 (unsigned long *)p->d,
+                                                 a->top*sizeof(BN_ULONG),
+                                                 (unsigned long *)a->d,
+                                                 (unsigned long *)r->d);
+                        surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_MOD_EXP,ret);
+                        if (ret==1)
+                        {
+                                /* normalise result */
+                                r->top=m->top;
+                                bn_fix_top(r);
+                        }
+                }
+        }
+        return ret;
+}
+#endif /* !OPENSSL_NO_HW_SureWare */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c
index ed8401ec16..6286dd851c 100644
--- a/src/lib/libcrypto/engine/hw_ubsec.c
+++ b/src/lib/libcrypto/engine/hw_ubsec.c
@@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_ubsec(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +265,7 @@ void ENGINE_load_ubsec(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the UBSEC library. NB: This is only set (or unset) during an
diff --git a/src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h b/src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h
new file mode 100644
index 0000000000..b6619d40f2
--- /dev/null
+++ b/src/lib/libcrypto/engine/vendor_defns/hw_ubsec.h
@@ -0,0 +1,100 @@
+/******************************************************************************
+ *
+ *  Copyright 2000
+ *  Broadcom Corporation
+ *  16215 Alton Parkway
+ *  PO Box 57013
+ *  Irvine CA 92619-7013
+ *
+ *****************************************************************************/
+/* 
+ * Broadcom Corporation uBSec SDK 
+ */
+/*
+ * Character device header file.
+ */
+/*
+ * Revision History:
+ *
+ * October 2000 JTT Created.
+ */
+
+#define MAX_PUBLIC_KEY_BITS (1024)
+#define MAX_PUBLIC_KEY_BYTES (1024/8)
+#define SHA_BIT_SIZE  (160)
+#define MAX_CRYPTO_KEY_LENGTH 24
+#define MAX_MAC_KEY_LENGTH 64
+#define UBSEC_CRYPTO_DEVICE_NAME ((unsigned char *)"/dev/ubscrypt")
+#define UBSEC_KEY_DEVICE_NAME ((unsigned char *)"/dev/ubskey")
+
+/* Math command types. */
+#define UBSEC_MATH_MODADD 0x0001
+#define UBSEC_MATH_MODSUB 0x0002
+#define UBSEC_MATH_MODMUL 0x0004
+#define UBSEC_MATH_MODEXP 0x0008
+#define UBSEC_MATH_MODREM 0x0010
+#define UBSEC_MATH_MODINV 0x0020
+
+typedef long ubsec_MathCommand_t;
+typedef long ubsec_RNGCommand_t;
+
+typedef struct ubsec_crypto_context_s {
+        unsigned int    flags;
+        unsigned char   crypto[MAX_CRYPTO_KEY_LENGTH];
+        unsigned char   auth[MAX_MAC_KEY_LENGTH];
+} ubsec_crypto_context_t, *ubsec_crypto_context_p;
+
+/* 
+ * Predeclare the function pointer types that we dynamically load from the DSO.
+ */
+
+typedef int t_UBSEC_ubsec_bytes_to_bits(unsigned char *n, int bytes);
+
+typedef int t_UBSEC_ubsec_bits_to_bytes(int bits);
+
+typedef int t_UBSEC_ubsec_open(unsigned char *device);
+
+typedef int t_UBSEC_ubsec_close(int fd);
+
+typedef int t_UBSEC_diffie_hellman_generate_ioctl (int fd,
+        unsigned char *x, int *x_len, unsigned char *y, int *y_len, 
+        unsigned char *g, int g_len, unsigned char *m, int m_len,
+        unsigned char *userX, int userX_len, int random_bits);
+
+typedef int t_UBSEC_diffie_hellman_agree_ioctl (int fd,
+        unsigned char *x, int x_len, unsigned char *y, int y_len, 
+        unsigned char *m, int m_len, unsigned char *k, int *k_len);
+
+typedef int t_UBSEC_rsa_mod_exp_ioctl (int fd,
+        unsigned char *x, int x_len, unsigned char *m, int m_len,
+        unsigned char *e, int e_len, unsigned char *y, int *y_len);
+
+typedef int t_UBSEC_rsa_mod_exp_crt_ioctl (int fd,
+        unsigned char *x, int x_len, unsigned char *qinv, int qinv_len,
+        unsigned char *edq, int edq_len, unsigned char *q, int q_len,
+        unsigned char *edp, int edp_len, unsigned char *p, int p_len,
+        unsigned char *y, int *y_len);
+
+typedef int t_UBSEC_dsa_sign_ioctl (int fd,
+        int hash, unsigned char *data, int data_len, 
+        unsigned char *rndom, int random_len, 
+        unsigned char *p, int p_len, unsigned char *q, int q_len,
+        unsigned char *g, int g_len, unsigned char *key, int key_len,
+        unsigned char *r, int *r_len, unsigned char *s, int *s_len);
+
+typedef int t_UBSEC_dsa_verify_ioctl (int fd,
+        int hash, unsigned char *data, int data_len,
+        unsigned char *p, int p_len, unsigned char *q, int q_len,
+        unsigned char *g, int g_len, unsigned char *key, int key_len,
+        unsigned char *r, int r_len, unsigned char *s, int s_len,
+        unsigned char *v, int *v_len);
+
+typedef int t_UBSEC_math_accelerate_ioctl(int fd, ubsec_MathCommand_t command,
+        unsigned char *ModN, int *ModN_len, unsigned char *ExpE, int *ExpE_len, 
+        unsigned char *ParamA, int *ParamA_len, unsigned char *ParamB, int *ParamB_len,
+        unsigned char *Result, int *Result_len);
+
+typedef int t_UBSEC_rng_ioctl(int fd, ubsec_RNGCommand_t command,
+        unsigned char *Result, int *Result_len);
+
+typedef int t_UBSEC_max_key_len_ioctl(int fd, int *max_key_len);
diff --git a/src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h b/src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h
new file mode 100644
index 0000000000..aaa4d4575e
--- /dev/null
+++ b/src/lib/libcrypto/engine/vendor_defns/hwcryptohook.h
@@ -0,0 +1,486 @@
+/*
+ * ModExp / RSA (with/without KM) plugin API
+ *
+ * The application will load a dynamic library which
+ * exports entrypoint(s) defined in this file.
+ *
+ * This set of entrypoints provides only a multithreaded,
+ * synchronous-within-each-thread, facility.
+ *
+ *
+ * This file is Copyright 1998-2000 nCipher Corporation Limited.
+ *
+ * Redistribution and use in source and binary forms, with opr without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the copyright notice,
+ *    this list of conditions, and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above
+ *    copyright notice, this list of conditions, and the following
+ *    disclaimer, in the documentation and/or other materials provided
+ *    with the distribution
+ *
+ * IN NO EVENT SHALL NCIPHER CORPORATION LIMITED (`NCIPHER') AND/OR
+ * ANY OTHER AUTHORS OR DISTRIBUTORS OF THIS FILE BE LIABLE for any
+ * damages arising directly or indirectly from this file, its use or
+ * this licence.  Without prejudice to the generality of the
+ * foregoing: all liability shall be excluded for direct, indirect,
+ * special, incidental, consequential or other damages or any loss of
+ * profits, business, revenue goodwill or anticipated savings;
+ * liability shall be excluded even if nCipher or anyone else has been
+ * advised of the possibility of damage.  In any event, if the
+ * exclusion of liability is not effective, the liability of nCipher
+ * or any author or distributor shall be limited to the lesser of the
+ * price paid and 1,000 pounds sterling. This licence only fails to
+ * exclude or limit liability for death or personal injury arising out
+ * of negligence, and only to the extent that such an exclusion or
+ * limitation is not effective.
+ *
+ * NCIPHER AND THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ALL
+ * AND ANY WARRANTIES (WHETHER EXPRESS OR IMPLIED), including, but not
+ * limited to, any implied warranties of merchantability, fitness for
+ * a particular purpose, satisfactory quality, and/or non-infringement
+ * of any third party rights.
+ *
+ * US Government use: This software and documentation is Commercial
+ * Computer Software and Computer Software Documentation, as defined in
+ * sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, "Rights in
+ * Noncommercial Computer Software and Noncommercial Computer Software
+ * Documentation."  Use, duplication or disclosure by the Government is
+ * subject to the terms and conditions specified here.
+ *
+ * By using or distributing this file you will be accepting these
+ * terms and conditions, including the limitation of liability and
+ * lack of warranty.  If you do not wish to accept these terms and
+ * conditions, DO NOT USE THE FILE.
+ *
+ *
+ * The actual dynamically loadable plugin, and the library files for
+ * static linking, which are also provided in some distributions, are
+ * not covered by the licence described above.  You should have
+ * received a separate licence with terms and conditions for these
+ * library files; if you received the library files without a licence,
+ * please contact nCipher.
+ *
+ *
+ * $Id: hwcryptohook.h,v 1.1.1.1 2003/05/11 21:35:16 markus Exp $
+ */
+
+#ifndef HWCRYPTOHOOK_H
+#define HWCRYPTOHOOK_H
+
+#include <sys/types.h>
+#include <stdio.h>
+
+#ifndef HWCRYPTOHOOK_DECLARE_APPTYPES
+#define HWCRYPTOHOOK_DECLARE_APPTYPES 1
+#endif
+
+#define HWCRYPTOHOOK_ERROR_FAILED   -1
+#define HWCRYPTOHOOK_ERROR_FALLBACK -2
+#define HWCRYPTOHOOK_ERROR_MPISIZE  -3
+
+#if HWCRYPTOHOOK_DECLARE_APPTYPES
+
+/* These structs are defined by the application and opaque to the
+ * crypto plugin.  The application may define these as it sees fit.
+ * Default declarations are provided here, but the application may
+ *  #define HWCRYPTOHOOK_DECLARE_APPTYPES 0
+ * to prevent these declarations, and instead provide its own
+ * declarations of these types.  (Pointers to them must still be
+ * ordinary pointers to structs or unions, or the resulting combined
+ * program will have a type inconsistency.)
+ */
+typedef struct HWCryptoHook_MutexValue HWCryptoHook_Mutex;
+typedef struct HWCryptoHook_CondVarValue HWCryptoHook_CondVar;
+typedef struct HWCryptoHook_PassphraseContextValue HWCryptoHook_PassphraseContext;
+typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext;
+
+#endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */
+
+/* These next two structs are opaque to the application.  The crypto
+ * plugin will return pointers to them; the caller simply manipulates
+ * the pointers.
+ */
+typedef struct HWCryptoHook_Context *HWCryptoHook_ContextHandle;
+typedef struct HWCryptoHook_RSAKey *HWCryptoHook_RSAKeyHandle;
+
+typedef struct {
+  char *buf;
+  size_t size;
+} HWCryptoHook_ErrMsgBuf;
+/* Used for error reporting.  When a HWCryptoHook function fails it
+ * will return a sentinel value (0 for pointer-valued functions, or a
+ * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for
+ * integer-valued ones).  It will, if an ErrMsgBuf is passed, also put
+ * an error message there.
+ * 
+ * size is the size of the buffer, and will not be modified.  If you
+ * pass 0 for size you must pass 0 for buf, and nothing will be
+ * recorded (just as if you passed 0 for the struct pointer).
+ * Messages written to the buffer will always be null-terminated, even
+ * when truncated to fit within size bytes.
+ *
+ * The contents of the buffer are not defined if there is no error.
+ */
+
+typedef struct HWCryptoHook_MPIStruct {
+  unsigned char *buf;
+  size_t size;
+} HWCryptoHook_MPI;
+/* When one of these is returned, a pointer is passed to the function.
+ * At call, size is the space available.  Afterwards it is updated to
+ * be set to the actual length (which may be more than the space available,
+ * if there was not enough room and the result was truncated).
+ * buf (the pointer) is not updated.
+ *
+ * size is in bytes and may be zero at call or return, but must be a
+ * multiple of the limb size.  Zero limbs at the MS end are not
+ * permitted.
+ */
+
+#define HWCryptoHook_InitFlags_FallbackModExp    0x0002UL
+#define HWCryptoHook_InitFlags_FallbackRSAImmed  0x0004UL
+/* Enable requesting fallback to software in case of problems with the
+ * hardware support.  This indicates to the crypto provider that the
+ * application is prepared to fall back to software operation if the
+ * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK.
+ * Without this flag those calls will never return
+ * HWCRYPTOHOOK_ERROR_FALLBACK.  The flag will also cause the crypto
+ * provider to avoid repeatedly attempting to contact dead hardware
+ * within a short interval, if appropriate.
+ */
+
+#define HWCryptoHook_InitFlags_SimpleForkCheck   0x0010UL
+/* Without _SimpleForkCheck the library is allowed to assume that the
+ * application will not fork and call the library in the child(ren).
+ *
+ * When it is specified, this is allowed.  However, after a fork
+ * neither parent nor child may unload any loaded keys or call
+ * _Finish.  Instead, they should call exit (or die with a signal)
+ * without calling _Finish.  After all the children have died the
+ * parent may unload keys or call _Finish.
+ *
+ * This flag only has any effect on UN*X platforms.
+ */
+
+typedef struct {
+  unsigned long flags;
+  void *logstream; /* usually a FILE*.  See below. */
+
+  size_t limbsize; /* bignum format - size of radix type, must be power of 2 */
+  int mslimbfirst; /* 0 or 1 */
+  int msbytefirst; /* 0 or 1; -1 = native */
+
+  /* All the callback functions should return 0 on success, or a
+   * nonzero integer (whose value will be visible in the error message
+   * put in the buffer passed to the call).
+   *
+   * If a callback is not available pass a null function pointer.
+   *
+   * The callbacks may not call down again into the crypto plugin.
+   */
+  
+  /* For thread-safety.  Set everything to 0 if you promise only to be
+   * singlethreaded.  maxsimultaneous is the number of calls to
+   * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA.  If you don't know what to
+   * put there then say 0 and the hook library will use a default.
+   *
+   * maxmutexes is a small limit on the number of simultaneous mutexes
+   * which will be requested by the library.  If there is no small
+   * limit, set it to 0.  If the crypto plugin cannot create the
+   * advertised number of mutexes the calls to its functions may fail.
+   * If a low number of mutexes is advertised the plugin will try to
+   * do the best it can.  Making larger numbers of mutexes available
+   * may improve performance and parallelism by reducing contention
+   * over critical sections.  Unavailability of any mutexes, implying
+   * single-threaded operation, should be indicated by the setting
+   * mutex_init et al to 0.
+   */
+  int maxmutexes;
+  int maxsimultaneous;
+  size_t mutexsize;
+  int (*mutex_init)(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext *cactx);
+  int (*mutex_acquire)(HWCryptoHook_Mutex*);
+  void (*mutex_release)(HWCryptoHook_Mutex*);
+  void (*mutex_destroy)(HWCryptoHook_Mutex*);
+
+  /* For greater efficiency, can use condition vars internally for
+   * synchronisation.  In this case maxsimultaneous is ignored, but
+   * the other mutex stuff must be available.  In singlethreaded
+   * programs, set everything to 0.
+   */
+  size_t condvarsize;
+  int (*condvar_init)(HWCryptoHook_CondVar*, HWCryptoHook_CallerContext *cactx);
+  int (*condvar_wait)(HWCryptoHook_CondVar*, HWCryptoHook_Mutex*);
+  void (*condvar_signal)(HWCryptoHook_CondVar*);
+  void (*condvar_broadcast)(HWCryptoHook_CondVar*);
+  void (*condvar_destroy)(HWCryptoHook_CondVar*);
+  
+  /* The semantics of acquiring and releasing mutexes and broadcasting
+   * and waiting on condition variables are expected to be those from
+   * POSIX threads (pthreads).  The mutexes may be (in pthread-speak)
+   * fast mutexes, recursive mutexes, or nonrecursive ones.
+   * 
+   * The _release/_signal/_broadcast and _destroy functions must
+   * always succeed when given a valid argument; if they are given an
+   * invalid argument then the program (crypto plugin + application)
+   * has an internal error, and they should abort the program.
+   */
+
+  int (*getpassphrase)(const char *prompt_info,
+                       int *len_io, char *buf,
+                       HWCryptoHook_PassphraseContext *ppctx,
+                       HWCryptoHook_CallerContext *cactx);
+  /* Passphrases and the prompt_info, if they contain high-bit-set
+   * characters, are UTF-8.  The prompt_info may be a null pointer if
+   * no prompt information is available (it should not be an empty
+   * string).  It will not contain text like `enter passphrase';
+   * instead it might say something like `Operator Card for John
+   * Smith' or `SmartCard in nFast Module #1, Slot #1'.
+   *
+   * buf points to a buffer in which to return the passphrase; on
+   * entry *len_io is the length of the buffer.  It should be updated
+   * by the callback.  The returned passphrase should not be
+   * null-terminated by the callback.
+   */
+  
+  int (*getphystoken)(const char *prompt_info,
+                      const char *wrong_info,
+                      HWCryptoHook_PassphraseContext *ppctx,
+                      HWCryptoHook_CallerContext *cactx);
+  /* Requests that the human user physically insert a different
+   * smartcard, DataKey, etc.  The plugin should check whether the
+   * currently inserted token(s) are appropriate, and if they are it
+   * should not make this call.
+   *
+   * prompt_info is as before.  wrong_info is a description of the
+   * currently inserted token(s) so that the user is told what
+   * something is.  wrong_info, like prompt_info, may be null, but
+   * should not be an empty string.  Its contents should be
+   * syntactically similar to that of prompt_info. 
+   */
+  
+  /* Note that a single LoadKey operation might cause several calls to
+   * getpassphrase and/or requestphystoken.  If requestphystoken is
+   * not provided (ie, a null pointer is passed) then the plugin may
+   * not support loading keys for which authorisation by several cards
+   * is required.  If getpassphrase is not provided then cards with
+   * passphrases may not be supported.
+   *
+   * getpassphrase and getphystoken do not need to check that the
+   * passphrase has been entered correctly or the correct token
+   * inserted; the crypto plugin will do that.  If this is not the
+   * case then the crypto plugin is responsible for calling these
+   * routines again as appropriate until the correct token(s) and
+   * passphrase(s) are supplied as required, or until any retry limits
+   * implemented by the crypto plugin are reached.
+   *
+   * In either case, the application must allow the user to say `no'
+   * or `cancel' to indicate that they do not know the passphrase or
+   * have the appropriate token; this should cause the callback to
+   * return nonzero indicating error.
+   */
+
+  void (*logmessage)(void *logstream, const char *message);
+  /* A log message will be generated at least every time something goes
+   * wrong and an ErrMsgBuf is filled in (or would be if one was
+   * provided).  Other diagnostic information may be written there too,
+   * including more detailed reasons for errors which are reported in an
+   * ErrMsgBuf.
+   *
+   * When a log message is generated, this callback is called.  It
+   * should write a message to the relevant logging arrangements.
+   *
+   * The message string passed will be null-terminated and may be of arbitrary
+   * length.  It will not be prefixed by the time and date, nor by the
+   * name of the library that is generating it - if this is required,
+   * the logmessage callback must do it.  The message will not have a
+   * trailing newline (though it may contain internal newlines).
+   *
+   * If a null pointer is passed for logmessage a default function is
+   * used.  The default function treats logstream as a FILE* which has
+   * been converted to a void*.  If logstream is 0 it does nothing.
+   * Otherwise it prepends the date and time and library name and
+   * writes the message to logstream.  Each line will be prefixed by a
+   * descriptive string containing the date, time and identity of the
+   * crypto plugin.  Errors on the logstream are not reported
+   * anywhere, and the default function doesn't flush the stream, so
+   * the application must set the buffering how it wants it.
+   *
+   * The crypto plugin may also provide a facility to have copies of
+   * log messages sent elsewhere, and or for adjusting the verbosity
+   * of the log messages; any such facilities will be configured by
+   * external means.
+   */
+
+} HWCryptoHook_InitInfo;
+
+typedef
+HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *initinfo,
+                                               size_t initinfosize,
+                                               const HWCryptoHook_ErrMsgBuf *errors,
+                                               HWCryptoHook_CallerContext *cactx);
+extern HWCryptoHook_Init_t HWCryptoHook_Init;
+
+/* Caller should set initinfosize to the size of the HWCryptoHook struct,
+ * so it can be extended later.
+ *
+ * On success, a message for display or logging by the server,
+ * including the name and version number of the plugin, will be filled
+ * in into *errors; on failure *errors is used for error handling, as
+ * usual.
+ */
+
+/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
+ * on most failures.  HWCRYPTOHOOK_ERROR_MPISIZE means at least one of
+ * the output MPI buffer(s) was too small; the sizes of all have been
+ * set to the desired size (and for those where the buffer was large
+ * enough, the value may have been copied in), and no error message
+ * has been recorded.
+ *
+ * You may pass 0 for the errors struct.  In any case, unless you set
+ * _NoStderr at init time then messages may be reported to stderr.
+ */
+
+/* The RSAImmed* functions (and key managed RSA) only work with
+ * modules which have an RSA patent licence - currently that means KM
+ * units; the ModExp* ones work with all modules, so you need a patent
+ * licence in the software in the US.  They are otherwise identical.
+ */
+
+typedef
+void HWCryptoHook_Finish_t(HWCryptoHook_ContextHandle hwctx);
+extern HWCryptoHook_Finish_t HWCryptoHook_Finish;
+/* You must not have any calls going or keys loaded when you call this. */
+
+typedef
+int HWCryptoHook_RandomBytes_t(HWCryptoHook_ContextHandle hwctx,
+                               unsigned char *buf, size_t len,
+                               const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RandomBytes_t HWCryptoHook_RandomBytes;
+
+typedef
+int HWCryptoHook_ModExp_t(HWCryptoHook_ContextHandle hwctx,
+                          HWCryptoHook_MPI a,
+                          HWCryptoHook_MPI p,
+                          HWCryptoHook_MPI n,
+                          HWCryptoHook_MPI *r,
+                          const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_ModExp_t HWCryptoHook_ModExp;
+
+typedef
+int HWCryptoHook_RSAImmedPub_t(HWCryptoHook_ContextHandle hwctx,
+                               HWCryptoHook_MPI m,
+                               HWCryptoHook_MPI e,
+                               HWCryptoHook_MPI n,
+                               HWCryptoHook_MPI *r,
+                               const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAImmedPub_t HWCryptoHook_RSAImmedPub;
+
+typedef
+int HWCryptoHook_ModExpCRT_t(HWCryptoHook_ContextHandle hwctx,
+                             HWCryptoHook_MPI a,
+                             HWCryptoHook_MPI p,
+                             HWCryptoHook_MPI q,
+                             HWCryptoHook_MPI dmp1,
+                             HWCryptoHook_MPI dmq1,
+                             HWCryptoHook_MPI iqmp,
+                             HWCryptoHook_MPI *r,
+                             const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_ModExpCRT_t HWCryptoHook_ModExpCRT;
+
+typedef
+int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx,
+                                HWCryptoHook_MPI m,
+                                HWCryptoHook_MPI p,
+                                HWCryptoHook_MPI q,
+                                HWCryptoHook_MPI dmp1,
+                                HWCryptoHook_MPI dmq1,
+                                HWCryptoHook_MPI iqmp,
+                                HWCryptoHook_MPI *r,
+                                const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv;
+
+/* The RSAImmed* and ModExp* functions may return E_FAILED or
+ * E_FALLBACK for failure.
+ *
+ * E_FAILED means the failure is permanent and definite and there
+ *    should be no attempt to fall back to software.  (Eg, for some
+ *    applications, which support only the acceleration-only
+ *    functions, the `key material' may actually be an encoded key
+ *    identifier, and doing the operation in software would give wrong
+ *    answers.)
+ *
+ * E_FALLBACK means that doing the computation in software would seem
+ *    reasonable.  If an application pays attention to this and is
+ *    able to fall back, it should also set the Fallback init flags.
+ */
+
+typedef
+int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx,
+                              const char *key_ident,
+                              HWCryptoHook_RSAKeyHandle *keyhandle_r,
+                              const HWCryptoHook_ErrMsgBuf *errors,
+                              HWCryptoHook_PassphraseContext *ppctx);
+extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey;
+/* The key_ident is a null-terminated string configured by the
+ * user via the application's usual configuration mechanisms.
+ * It is provided to the user by the crypto provider's key management
+ * system.  The user must be able to enter at least any string of between
+ * 1 and 1023 characters inclusive, consisting of printable 7-bit
+ * ASCII characters.  The provider should avoid using
+ * any characters except alphanumerics and the punctuation
+ * characters  _ - + . / @ ~  (the user is expected to be able
+ * to enter these without quoting).  The string may be case-sensitive.
+ * The application may allow the user to enter other NULL-terminated strings,
+ * and the provider must cope (returning an error if the string is not
+ * valid).
+ *
+ * If the key does not exist, no error is recorded and 0 is returned;
+ * keyhandle_r will be set to 0 instead of to a key handle.
+ */
+
+typedef
+int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k,
+                                   HWCryptoHook_MPI *n,
+                                   HWCryptoHook_MPI *e,
+                                   const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey;
+/* The crypto plugin will not store certificates.
+ *
+ * Although this function for acquiring the public key value is
+ * provided, it is not the purpose of this API to deal fully with the
+ * handling of the public key.
+ *
+ * It is expected that the crypto supplier's key generation program
+ * will provide general facilities for producing X.509
+ * self-certificates and certificate requests in PEM format.  These
+ * will be given to the user so that they can configure them in the
+ * application, send them to CAs, or whatever.
+ *
+ * In case this kind of certificate handling is not appropriate, the
+ * crypto supplier's key generation program should be able to be
+ * configured not to generate such a self-certificate or certificate
+ * request.  Then the application will need to do all of this, and
+ * will need to store and handle the public key and certificates
+ * itself.
+ */
+
+typedef
+int HWCryptoHook_RSAUnloadKey_t(HWCryptoHook_RSAKeyHandle k,
+                                const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSAUnloadKey_t HWCryptoHook_RSAUnloadKey;
+/* Might fail due to locking problems, or other serious internal problems. */
+
+typedef
+int HWCryptoHook_RSA_t(HWCryptoHook_MPI m,
+                       HWCryptoHook_RSAKeyHandle k,
+                       HWCryptoHook_MPI *r,
+                       const HWCryptoHook_ErrMsgBuf *errors);
+extern HWCryptoHook_RSA_t HWCryptoHook_RSA;
+/* RSA private key operation (sign or decrypt) - raw, unpadded. */
+
+#endif /*HWCRYPTOHOOK_H*/
diff --git a/src/lib/libcrypto/engine/vendor_defns/sureware.h b/src/lib/libcrypto/engine/vendor_defns/sureware.h
new file mode 100644
index 0000000000..1d3789219d
--- /dev/null
+++ b/src/lib/libcrypto/engine/vendor_defns/sureware.h
@@ -0,0 +1,239 @@
+/*
+* Written by Corinne Dive-Reclus(cdive@baltimore.com)
+*
+* Copyright@2001 Baltimore Technologies Ltd.
+*                                                                                                                                                                                               *       
+*               THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND                                                                                                                                                   *
+*               ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE                                   * 
+*               IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE                              *
+*               ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE                                             *
+*               FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL                              *
+*               DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS                                 *
+*               OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)                                   *
+*               HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT                              *
+*               LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY                               *
+*               OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF                                  *
+*               SUCH DAMAGE.                                                                                                                                                    *
+*
+* 
+*/
+#ifdef WIN32
+#define SW_EXPORT       __declspec ( dllexport )
+#else
+#define SW_EXPORT
+#endif
+
+/*
+*       List of exposed SureWare errors
+*/
+#define SUREWAREHOOK_ERROR_FAILED               -1
+#define SUREWAREHOOK_ERROR_FALLBACK             -2
+#define SUREWAREHOOK_ERROR_UNIT_FAILURE -3
+#define SUREWAREHOOK_ERROR_DATA_SIZE -4
+#define SUREWAREHOOK_ERROR_INVALID_PAD -5
+/*
+* -----------------WARNING-----------------------------------
+* In all the following functions:
+* msg is a string with at least 24 bytes free.
+* A 24 bytes string will be concatenated to the existing content of msg. 
+*/
+/*
+*       SureWare Initialisation function
+*       in param threadsafe, if !=0, thread safe enabled
+*       return SureWareHOOK_ERROR_UNIT_FAILURE if failure, 1 if success
+*/
+typedef int SureWareHook_Init_t(char*const msg,int threadsafe);
+extern SW_EXPORT SureWareHook_Init_t SureWareHook_Init;
+/*
+*       SureWare Finish function
+*/
+typedef void SureWareHook_Finish_t();
+extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish;
+/*
+*        PRE_CONDITION:
+*               DO NOT CALL ANY OF THE FOLLOWING FUNCTIONS IN CASE OF INIT FAILURE
+*/
+/*
+*       SureWare RAND Bytes function
+*       In case of failure, the content of buf is unpredictable.
+*       return 1 if success
+*                       SureWareHOOK_ERROR_FALLBACK if function not available in hardware
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*                       SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*                       SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*       in/out param buf : a num bytes long buffer where random bytes will be put
+*       in param num : the number of bytes into buf
+*/
+typedef int SureWareHook_Rand_Bytes_t(char*const msg,unsigned char *buf, int num);
+extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes;
+
+/*
+*       SureWare RAND Seed function
+*       Adds some seed to the Hardware Random Number Generator
+*       return 1 if success
+*                       SureWareHOOK_ERROR_FALLBACK if function not available in hardware
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*                       SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*                       SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*       in param buf : the seed to add into the HRNG
+*       in param num : the number of bytes into buf
+*/
+typedef int SureWareHook_Rand_Seed_t(char*const msg,const void *buf, int num);
+extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed;
+
+/*
+*       SureWare Load Private Key function
+*       return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*       No hardware is contact for this function.
+*
+*       in param key_id :the name of the private protected key file without the extension
+                                                ".sws"
+*       out param hptr : a pointer to a buffer allocated by SureWare_Hook
+*       out param num: the effective key length in bytes
+*       out param keytype: 1 if RSA 2 if DSA
+*/
+typedef int SureWareHook_Load_Privkey_t(char*const msg,const char *key_id,char **hptr,unsigned long *num,char *keytype);
+extern SW_EXPORT SureWareHook_Load_Privkey_t SureWareHook_Load_Privkey;
+
+/*
+*       SureWare Info Public Key function
+*       return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*       No hardware is contact for this function.
+*
+*       in param key_id :the name of the private protected key file without the extension
+                                                ".swp"
+*       out param hptr : a pointer to a buffer allocated by SureWare_Hook
+*       out param num: the effective key length in bytes
+*       out param keytype: 1 if RSA 2 if DSA
+*/
+typedef int SureWareHook_Info_Pubkey_t(char*const msg,const char *key_id,unsigned long *num,
+                                                                                char *keytype);
+extern SW_EXPORT SureWareHook_Info_Pubkey_t SureWareHook_Info_Pubkey;
+
+/*
+*       SureWare Load Public Key function
+*       return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*       No hardware is contact for this function.
+*
+*       in param key_id :the name of the public protected key file without the extension
+                                                ".swp"
+*       in param num : the bytes size of n and e
+*       out param n: where to write modulus in bn format
+*       out param e: where to write exponent in bn format
+*/
+typedef int SureWareHook_Load_Rsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num,
+                                                                                unsigned long *n, unsigned long *e);
+extern SW_EXPORT SureWareHook_Load_Rsa_Pubkey_t SureWareHook_Load_Rsa_Pubkey;
+
+/*
+*       SureWare Load DSA Public Key function
+*       return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*       No hardware is contact for this function.
+*
+*       in param key_id :the name of the public protected key file without the extension
+                                                ".swp"
+*       in param num : the bytes size of n and e
+*       out param pub: where to write pub key in bn format
+*       out param p: where to write prime in bn format
+*       out param q: where to write sunprime (length 20 bytes) in bn format
+*       out param g: where to write base in bn format
+*/
+typedef int SureWareHook_Load_Dsa_Pubkey_t(char*const msg,const char *key_id,unsigned long num,
+                                                                                unsigned long *pub, unsigned long *p,unsigned long*q,
+                                                                                unsigned long *g);
+extern SW_EXPORT SureWareHook_Load_Dsa_Pubkey_t SureWareHook_Load_Dsa_Pubkey;
+
+/*
+*       SureWare Free function
+*       Destroy the key into the hardware if destroy==1
+*/
+typedef void SureWareHook_Free_t(char *p,int destroy);
+extern SW_EXPORT SureWareHook_Free_t SureWareHook_Free;
+
+#define SUREWARE_PKCS1_PAD 1
+#define SUREWARE_ISO9796_PAD 2
+#define SUREWARE_NO_PAD 0
+/*
+* SureWare RSA Private Decryption
+* return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*                       SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*                       SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*       in param flen : byte size of from and to
+*       in param from : encrypted data buffer, should be a not-null valid pointer
+*       out param tlen: byte size of decrypted data, if error, unexpected value
+*       out param to : decrypted data buffer, should be a not-null valid pointer
+*   in param prsa: a protected key pointer, should be a not-null valid pointer
+*   int padding: padding id as follow
+*                                       SUREWARE_PKCS1_PAD
+*                                       SUREWARE_NO_PAD
+*
+*/
+typedef int SureWareHook_Rsa_Priv_Dec_t(char*const msg,int flen,unsigned char *from,
+                                                                                int *tlen,unsigned char *to,
+                                                                                char *prsa,int padding);
+extern SW_EXPORT SureWareHook_Rsa_Priv_Dec_t SureWareHook_Rsa_Priv_Dec;
+/*
+* SureWare RSA Signature
+* return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*                       SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*                       SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*       in param flen : byte size of from and to
+*       in param from : encrypted data buffer, should be a not-null valid pointer
+*       out param tlen: byte size of decrypted data, if error, unexpected value
+*       out param to : decrypted data buffer, should be a not-null valid pointer
+*   in param prsa: a protected key pointer, should be a not-null valid pointer
+*   int padding: padding id as follow
+*                                       SUREWARE_PKCS1_PAD
+*                                       SUREWARE_ISO9796_PAD
+*
+*/
+typedef int SureWareHook_Rsa_Sign_t(char*const msg,int flen,unsigned char *from,
+                                                                                int *tlen,unsigned char *to,
+                                                                                char *prsa,int padding);
+extern SW_EXPORT SureWareHook_Rsa_Sign_t SureWareHook_Rsa_Sign;
+/*
+* SureWare DSA Signature
+* return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*                       SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*                       SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*       in param flen : byte size of from and to
+*       in param from : encrypted data buffer, should be a not-null valid pointer
+*       out param to : decrypted data buffer, should be a 40bytes valid pointer
+*   in param pdsa: a protected key pointer, should be a not-null valid pointer
+*
+*/
+typedef int SureWareHook_Dsa_Sign_t(char*const msg,int flen,const unsigned char *from,
+                                                                                unsigned long *r,unsigned long *s,char *pdsa);
+extern SW_EXPORT SureWareHook_Dsa_Sign_t SureWareHook_Dsa_Sign;
+
+
+/*
+* SureWare Mod Exp
+* return 1 if success
+*                       SureWareHOOK_ERROR_FAILED if error while processing
+*                       SureWareHOOK_ERROR_UNIT_FAILURE if hardware failure
+*                       SUREWAREHOOK_ERROR_DATA_SIZE wrong size for buf
+*
+*       mod and res are mlen bytes long.
+*       exp is elen bytes long
+*       data is dlen bytes long
+*       mlen,elen and dlen are all multiple of sizeof(unsigned long)
+*/
+typedef int SureWareHook_Mod_Exp_t(char*const msg,int mlen,const unsigned long *mod,
+                                                                        int elen,const unsigned long *exp,
+                                                                        int dlen,unsigned long *data,
+                                                                        unsigned long *res);
+extern SW_EXPORT SureWareHook_Mod_Exp_t SureWareHook_Mod_Exp;
+
diff --git a/src/lib/libcrypto/evp/bio_ok.c b/src/lib/libcrypto/evp/bio_ok.c
index 3cbc6e7848..530ab937ce 100644
--- a/src/lib/libcrypto/evp/bio_ok.c
+++ b/src/lib/libcrypto/evp/bio_ok.c
@@ -211,7 +211,7 @@ static int ok_free(BIO *a)
         {
         if (a == NULL) return(0);
         EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md);
-        memset(a->ptr,0,sizeof(BIO_OK_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
diff --git a/src/lib/libcrypto/evp/evp_acnf.c b/src/lib/libcrypto/evp/evp_acnf.c
index a68b979bdb..ff3e311cc5 100644
--- a/src/lib/libcrypto/evp/evp_acnf.c
+++ b/src/lib/libcrypto/evp/evp_acnf.c
@@ -59,7 +59,6 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/conf.h>
-#include <openssl/engine.h>
 
 
 /* Load all algorithms and configure OpenSSL.
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
index 90294ef686..28460173f7 100644
--- a/src/lib/libcrypto/evp/evp_test.c
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -49,8 +49,14 @@
 
 #include <stdio.h>
 #include <string.h>
+
+#include "../e_os.h"
+
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
+#include <openssl/err.h>
 #include <openssl/conf.h>
 
 static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
@@ -78,7 +84,7 @@ static int convert(unsigned char *s)
         if(!s[1])
             {
             fprintf(stderr,"Odd number of hex digits!");
-            exit(4);
+            EXIT(4);
             }
         sscanf((char *)s,"%2x",&n);
         *d=(unsigned char)n;
@@ -120,6 +126,12 @@ static char *sstrsep(char **string, const char *delim)
 static unsigned char *ustrsep(char **p,const char *sep)
     { return (unsigned char *)sstrsep(p,sep); }
 
+static int test1_exit(int ec)
+        {
+        EXIT(ec);
+        return(0);              /* To keep some compilers quiet */
+        }
+
 static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                   const unsigned char *iv,int in,
                   const unsigned char *plaintext,int pn,
@@ -142,7 +154,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         {
         fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn,
                 c->key_len);
-        exit(5);
+        test1_exit(5);
         }
     EVP_CIPHER_CTX_init(&ctx);
     if (encdec != 0)
@@ -150,26 +162,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
             {
             fprintf(stderr,"EncryptInit failed\n");
-            exit(10);
+            test1_exit(10);
             }
         EVP_CIPHER_CTX_set_padding(&ctx,0);
 
         if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
             {
             fprintf(stderr,"Encrypt failed\n");
-            exit(6);
+            test1_exit(6);
             }
         if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
             {
             fprintf(stderr,"EncryptFinal failed\n");
-            exit(7);
+            test1_exit(7);
             }
 
         if(outl+outl2 != cn)
             {
             fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
                     outl+outl2,cn);
-            exit(8);
+            test1_exit(8);
             }
 
         if(memcmp(out,ciphertext,cn))
@@ -177,7 +189,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             fprintf(stderr,"Ciphertext mismatch\n");
             hexdump(stderr,"Got",out,cn);
             hexdump(stderr,"Expected",ciphertext,cn);
-            exit(9);
+            test1_exit(9);
             }
         }
 
@@ -186,26 +198,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
             {
             fprintf(stderr,"DecryptInit failed\n");
-            exit(11);
+            test1_exit(11);
             }
         EVP_CIPHER_CTX_set_padding(&ctx,0);
 
         if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
             {
             fprintf(stderr,"Decrypt failed\n");
-            exit(6);
+            test1_exit(6);
             }
         if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
             {
             fprintf(stderr,"DecryptFinal failed\n");
-            exit(7);
+            test1_exit(7);
             }
 
         if(outl+outl2 != cn)
             {
             fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
                     outl+outl2,cn);
-            exit(8);
+            test1_exit(8);
             }
 
         if(memcmp(out,plaintext,cn))
@@ -213,7 +225,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             fprintf(stderr,"Plaintext mismatch\n");
             hexdump(stderr,"Got",out,cn);
             hexdump(stderr,"Expected",plaintext,cn);
-            exit(9);
+            test1_exit(9);
             }
         }
 
@@ -260,24 +272,24 @@ static int test_digest(const char *digest,
     if(!EVP_DigestInit_ex(&ctx,d, NULL))
         {
         fprintf(stderr,"DigestInit failed\n");
-        exit(100);
+        EXIT(100);
         }
     if(!EVP_DigestUpdate(&ctx,plaintext,pn))
         {
         fprintf(stderr,"DigestUpdate failed\n");
-        exit(101);
+        EXIT(101);
         }
     if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
         {
         fprintf(stderr,"DigestFinal failed\n");
-        exit(101);
+        EXIT(101);
         }
     EVP_MD_CTX_cleanup(&ctx);
 
     if(mdn != cn)
         {
         fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn);
-        exit(102);
+        EXIT(102);
         }
 
     if(memcmp(md,ciphertext,cn))
@@ -285,7 +297,7 @@ static int test_digest(const char *digest,
         fprintf(stderr,"Digest mismatch\n");
         hexdump(stderr,"Got",md,cn);
         hexdump(stderr,"Expected",ciphertext,cn);
-        exit(103);
+        EXIT(103);
         }
 
     printf("\n");
@@ -303,7 +315,7 @@ int main(int argc,char **argv)
     if(argc != 2)
         {
         fprintf(stderr,"%s <test file>\n",argv[0]);
-        exit(1);
+        EXIT(1);
         }
     CRYPTO_malloc_debug_init();
     CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
@@ -315,17 +327,20 @@ int main(int argc,char **argv)
     if(!f)
         {
         perror(szTestFile);
-        exit(2);
+        EXIT(2);
         }
 
     /* Load up the software EVP_CIPHER and EVP_MD definitions */
     OpenSSL_add_all_ciphers();
     OpenSSL_add_all_digests();
+#ifndef OPENSSL_NO_ENGINE
     /* Load all compiled-in ENGINEs */
     ENGINE_load_builtin_engines();
+#endif
 #if 0
     OPENSSL_config();
 #endif
+#ifndef OPENSSL_NO_ENGINE
     /* Register all available ENGINE implementations of ciphers and digests.
      * This could perhaps be changed to "ENGINE_register_all_complete()"? */
     ENGINE_register_all_ciphers();
@@ -334,6 +349,7 @@ int main(int argc,char **argv)
      * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if
      * they weren't already initialised. */
     /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */
+#endif
 
     for( ; ; )
         {
@@ -371,11 +387,13 @@ int main(int argc,char **argv)
            && !test_digest(cipher,plaintext,pn,ciphertext,cn))
             {
             fprintf(stderr,"Can't find %s\n",cipher);
-            exit(3);
+            EXIT(3);
             }
         }
 
+#ifndef OPENSSL_NO_ENGINE
     ENGINE_cleanup();
+#endif
     EVP_cleanup();
     CRYPTO_cleanup_all_ex_data();
     ERR_remove_state(0);
diff --git a/src/lib/libcrypto/hmac/hmactest.c b/src/lib/libcrypto/hmac/hmactest.c
index 96d3beb8e6..1b906b81af 100644
--- a/src/lib/libcrypto/hmac/hmactest.c
+++ b/src/lib/libcrypto/hmac/hmactest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_HMAC
 int main(int argc, char *argv[])
 {
@@ -68,12 +70,15 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/hmac.h>
+#ifndef OPENSSL_NO_MD5
 #include <openssl/md5.h>
+#endif
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
 #endif
 
+#ifndef OPENSSL_NO_MD5
 static struct test_st
         {
         unsigned char key[16];
@@ -113,13 +118,20 @@ static struct test_st
                 (unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6",
         },
         };
-
+#endif
 
 static char *pt(unsigned char *md);
 int main(int argc, char *argv[])
         {
-        int i,err=0;
+#ifndef OPENSSL_NO_MD5
+        int i;
         char *p;
+#endif
+        int err=0;
+
+#ifdef OPENSSL_NO_MD5
+        printf("test skipped: MD5 disabled\n");
+#else
 
 #ifdef CHARSET_EBCDIC
         ebcdic2ascii(test[0].data, test[0].data, test[0].data_len);
@@ -144,10 +156,12 @@ int main(int argc, char *argv[])
                 else
                         printf("test %d ok\n",i);
                 }
-        exit(err);
+#endif /* OPENSSL_NO_MD5 */
+        EXIT(err);
         return(0);
         }
 
+#ifndef OPENSSL_NO_MD5
 static char *pt(unsigned char *md)
         {
         int i;
@@ -158,3 +172,4 @@ static char *pt(unsigned char *md)
         return(buf);
         }
 #endif
+#endif
diff --git a/src/lib/libcrypto/idea/version b/src/lib/libcrypto/idea/version
new file mode 100644
index 0000000000..3f22293795
--- /dev/null
+++ b/src/lib/libcrypto/idea/version
@@ -0,0 +1,12 @@
+1.1 07/12/95 - eay
+        Many thanks to Rhys Weatherley <rweather@us.oracle.com>
+        for pointing out that I was assuming little endian byte
+        order for all quantities what idea actually used
+        bigendian.  No where in the spec does it mention
+        this, it is all in terms of 16 bit numbers and even the example
+        does not use byte streams for the input example :-(.
+        If you byte swap each pair of input, keys and iv, the functions
+        would produce the output as the old version :-(.
+
+1.0 ??/??/95 - eay
+        First version.
diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c
index e25dd00e02..ecb64f0ec4 100644
--- a/src/lib/libcrypto/md2/md2_dgst.c
+++ b/src/lib/libcrypto/md2/md2_dgst.c
@@ -61,6 +61,7 @@
 #include <string.h>
 #include <openssl/md2.h>
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 
 const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
 
@@ -118,9 +119,9 @@ const char *MD2_options(void)
 int MD2_Init(MD2_CTX *c)
         {
         c->num=0;
-        memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT));
-        memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT));
-        memset(c->data,0,MD2_BLOCK);
+        memset(c->state,0,sizeof c->state);
+        memset(c->cksm,0,sizeof c->cksm);
+        memset(c->data,0,sizeof c->data);
         return 1;
         }
 
@@ -196,7 +197,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d)
                 t=(t+i)&0xff;
                 }
         memcpy(sp1,state,16*sizeof(MD2_INT));
-        memset(state,0,48*sizeof(MD2_INT));
+        OPENSSL_cleanse(state,48*sizeof(MD2_INT));
         }
 
 int MD2_Final(unsigned char *md, MD2_CTX *c)
diff --git a/src/lib/libcrypto/md2/md2_one.c b/src/lib/libcrypto/md2/md2_one.c
index b12c37ce4d..835160ef56 100644
--- a/src/lib/libcrypto/md2/md2_one.c
+++ b/src/lib/libcrypto/md2/md2_one.c
@@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD2_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* Security consideration */
+        OPENSSL_cleanse(&c,sizeof(c));  /* Security consideration */
         return(md);
         }
diff --git a/src/lib/libcrypto/md2/md2test.c b/src/lib/libcrypto/md2/md2test.c
index 7d3664faf5..901d0a7d8e 100644
--- a/src/lib/libcrypto/md2/md2test.c
+++ b/src/lib/libcrypto/md2/md2test.c
@@ -61,6 +61,8 @@
 #include <string.h>
 #include <openssl/md2.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD2
 int main(int argc, char *argv[])
 {
@@ -122,8 +124,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
-        return(0);
+        EXIT(err);
         }
 
 static char *pt(unsigned char *md)
diff --git a/src/lib/libcrypto/md4/md4.c b/src/lib/libcrypto/md4/md4.c
index e4b0aac011..141415ad4d 100644
--- a/src/lib/libcrypto/md4/md4.c
+++ b/src/lib/libcrypto/md4/md4.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
@@ -108,7 +108,7 @@ void do_fp(FILE *f)
         MD4_Init(&c);
         for (;;)
                 {
-                i=read(fd,buf,BUFSIZE);
+                i=read(fd,buf,sizeof buf);
                 if (i <= 0) break;
                 MD4_Update(&c,buf,(unsigned long)i);
                 }
diff --git a/src/lib/libcrypto/md4/md4test.c b/src/lib/libcrypto/md4/md4test.c
index e0fdc42282..21a77d96f7 100644
--- a/src/lib/libcrypto/md4/md4test.c
+++ b/src/lib/libcrypto/md4/md4test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD4
 int main(int argc, char *argv[])
 {
@@ -118,7 +120,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/md5/md5.c b/src/lib/libcrypto/md5/md5.c
index 7ed0024ae1..563733abc5 100644
--- a/src/lib/libcrypto/md5/md5.c
+++ b/src/lib/libcrypto/md5/md5.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
diff --git a/src/lib/libcrypto/md5/md5test.c b/src/lib/libcrypto/md5/md5test.c
index 862b89658a..bfd62629ed 100644
--- a/src/lib/libcrypto/md5/md5test.c
+++ b/src/lib/libcrypto/md5/md5test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD5
 int main(int argc, char *argv[])
 {
@@ -118,7 +120,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/mdc2/mdc2test.c b/src/lib/libcrypto/mdc2/mdc2test.c
new file mode 100644
index 0000000000..c9abe99d92
--- /dev/null
+++ b/src/lib/libcrypto/mdc2/mdc2test.c
@@ -0,0 +1,146 @@
+/* crypto/mdc2/mdc2test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../e_os.h"
+
+#if defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_MDC2)
+#define OPENSSL_NO_MDC2
+#endif
+
+#ifdef OPENSSL_NO_MDC2
+int main(int argc, char *argv[])
+{
+    printf("No MDC2 support\n");
+    return(0);
+}
+#else
+#include <openssl/evp.h>
+#include <openssl/mdc2.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+static unsigned char pad1[16]={
+        0x42,0xE5,0x0C,0xD2,0x24,0xBA,0xCE,0xBA,
+        0x76,0x0B,0xDD,0x2B,0xD4,0x09,0x28,0x1A
+        };
+
+static unsigned char pad2[16]={
+        0x2E,0x46,0x79,0xB5,0xAD,0xD9,0xCA,0x75,
+        0x35,0xD8,0x7A,0xFE,0xAB,0x33,0xBE,0xE2
+        };
+
+int main(int argc, char *argv[])
+        {
+        int ret=0;
+        unsigned char md[MDC2_DIGEST_LENGTH];
+        int i;
+        EVP_MD_CTX c;
+        static char *text="Now is the time for all ";
+
+#ifdef CHARSET_EBCDIC
+        ebcdic2ascii(text,text,strlen(text));
+#endif
+
+        EVP_MD_CTX_init(&c);
+        EVP_DigestInit_ex(&c,EVP_mdc2(), NULL);
+        EVP_DigestUpdate(&c,(unsigned char *)text,strlen(text));
+        EVP_DigestFinal_ex(&c,&(md[0]),NULL);
+
+        if (memcmp(md,pad1,MDC2_DIGEST_LENGTH) != 0)
+                {
+                for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+                        printf("%02X",md[i]);
+                printf(" <- generated\n");
+                for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+                        printf("%02X",pad1[i]);
+                printf(" <- correct\n");
+                ret=1;
+                }
+        else
+                printf("pad1 - ok\n");
+
+        EVP_DigestInit_ex(&c,EVP_mdc2(), NULL);
+        /* FIXME: use a ctl function? */
+        ((MDC2_CTX *)c.md_data)->pad_type=2;
+        EVP_DigestUpdate(&c,(unsigned char *)text,strlen(text));
+        EVP_DigestFinal_ex(&c,&(md[0]),NULL);
+
+        if (memcmp(md,pad2,MDC2_DIGEST_LENGTH) != 0)
+                {
+                for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+                        printf("%02X",md[i]);
+                printf(" <- generated\n");
+                for (i=0; i<MDC2_DIGEST_LENGTH; i++)
+                        printf("%02X",pad2[i]);
+                printf(" <- correct\n");
+                ret=1;
+                }
+        else
+                printf("pad2 - ok\n");
+
+        EVP_MD_CTX_cleanup(&c);
+        EXIT(ret);
+        return(ret);
+        }
+#endif
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index a7826908e6..29df7d35b2 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -250,6 +250,9 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 void *CRYPTO_malloc_locked(int num, const char *file, int line)
         {
         void *ret = NULL;
+        extern unsigned char cleanse_ctr;
+
+        if (num < 0) return NULL;
 
         allow_customize = 0;
         if (malloc_debug_func != NULL)
@@ -264,6 +267,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
         return ret;
         }
 
@@ -282,6 +291,9 @@ void CRYPTO_free_locked(void *str)
 void *CRYPTO_malloc(int num, const char *file, int line)
         {
         void *ret = NULL;
+        extern unsigned char cleanse_ctr;
+
+        if (num < 0) return NULL;
 
         allow_customize = 0;
         if (malloc_debug_func != NULL)
@@ -296,6 +308,12 @@ void *CRYPTO_malloc(int num, const char *file, int line)
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
         return ret;
         }
 
@@ -306,6 +324,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         if (str == NULL)
                 return CRYPTO_malloc(num, file, line);
 
+        if (num < 0) return NULL;
+ 
         if (realloc_debug_func != NULL)
                 realloc_debug_func(str, NULL, num, file, line, 0);
         ret = realloc_ex_func(str,num,file,line);
@@ -318,6 +338,32 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         return ret;
         }
 
+void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
+                           int line)
+        {
+        void *ret = NULL;
+
+        if (str == NULL)
+                return CRYPTO_malloc(num, file, line);
+ 
+        if (num < 0) return NULL;
+ 
+        if (realloc_debug_func != NULL)
+                realloc_debug_func(str, NULL, num, file, line, 0);
+        ret=malloc_ex_func(num,file,line);
+        if(ret)
+                memcpy(ret,str,old_len);
+        OPENSSL_cleanse(str,old_len);
+        free_func(str);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
+#endif
+        if (realloc_debug_func != NULL)
+                realloc_debug_func(str, ret, num, file, line, 1);
+
+        return ret;
+        }
+
 void CRYPTO_free(void *str)
         {
         if (free_debug_func != NULL)
@@ -337,7 +383,6 @@ void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
         return(a);
         }
 
-
 void CRYPTO_set_mem_debug_options(long bits)
         {
         if (set_debug_options_func != NULL)
diff --git a/src/lib/libcrypto/objects/obj_dat.h b/src/lib/libcrypto/objects/obj_dat.h
index 30812c8aa6..969b18a341 100644
--- a/src/lib/libcrypto/objects/obj_dat.h
+++ b/src/lib/libcrypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 645
-#define NUM_SN 641
-#define NUM_LN 641
-#define NUM_OBJ 615
+#define NUM_NID 650
+#define NUM_SN 643
+#define NUM_LN 643
+#define NUM_OBJ 617
 
-static unsigned char lvalues[4435]={
+static unsigned char lvalues[4455]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -683,6 +683,8 @@ static unsigned char lvalues[4435]={
 0x67,0x2A,0x08,0xAE,0x7B,                    /* [4412] OBJ_set_brand_Novus */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A,     /* [4417] OBJ_des_cdmf */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4425] OBJ_rsaOAEPEncryptionSET */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4434] OBJ_ms_smartcard_login */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4444] OBJ_ms_upn */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -824,7 +826,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0},
 {"RC4-40","rc4-40",NID_rc4_40,0,NULL},
 {"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL},
-{"gn","givenName",NID_givenName,3,&(lvalues[535]),0},
+{"GN","givenName",NID_givenName,3,&(lvalues[535]),0},
 {"SN","surname",NID_surname,3,&(lvalues[538]),0},
 {"initials","initials",NID_initials,3,&(lvalues[541]),0},
 {NULL,NULL,NID_undef,0,NULL},
@@ -1719,6 +1721,13 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4417]),0},
 {"rsaOAEPEncryptionSET","rsaOAEPEncryptionSET",
         NID_rsaOAEPEncryptionSET,9,&(lvalues[4425]),0},
+{NULL,NULL,NID_undef,0,NULL},
+{NULL,NULL,NID_undef,0,NULL},
+{NULL,NULL,NID_undef,0,NULL},
+{"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login,
+        10,&(lvalues[4434]),0},
+{"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10,
+        &(lvalues[4444]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1771,6 +1780,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[70]),/* "DSA-SHA1-old" */
 &(nid_objs[67]),/* "DSA-old" */
 &(nid_objs[297]),/* "DVCS" */
+&(nid_objs[99]),/* "GN" */
 &(nid_objs[381]),/* "IANA" */
 &(nid_objs[34]),/* "IDEA-CBC" */
 &(nid_objs[35]),/* "IDEA-CFB" */
@@ -1917,7 +1927,6 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[490]),/* "friendlyCountryName" */
 &(nid_objs[156]),/* "friendlyName" */
 &(nid_objs[509]),/* "generationQualifier" */
-&(nid_objs[99]),/* "gn" */
 &(nid_objs[163]),/* "hmacWithSHA1" */
 &(nid_objs[432]),/* "holdInstructionCallIssuer" */
 &(nid_objs[430]),/* "holdInstructionCode" */
@@ -2127,6 +2136,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[138]),/* "msEFS" */
 &(nid_objs[171]),/* "msExtReq" */
 &(nid_objs[137]),/* "msSGC" */
+&(nid_objs[648]),/* "msSmartcardLogin" */
+&(nid_objs[649]),/* "msUPN" */
 &(nid_objs[481]),/* "nSRecord" */
 &(nid_objs[173]),/* "name" */
 &(nid_objs[369]),/* "noCheck" */
@@ -2401,7 +2412,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[171]),/* "Microsoft Extension Request" */
 &(nid_objs[134]),/* "Microsoft Individual Code Signing" */
 &(nid_objs[137]),/* "Microsoft Server Gated Crypto" */
+&(nid_objs[648]),/* "Microsoft Smartcardlogin" */
 &(nid_objs[136]),/* "Microsoft Trust List Signing" */
+&(nid_objs[649]),/* "Microsoft Universal Principal Name" */
 &(nid_objs[72]),/* "Netscape Base Url" */
 &(nid_objs[76]),/* "Netscape CA Policy Url" */
 &(nid_objs[74]),/* "Netscape CA Revocation Url" */
@@ -3557,6 +3570,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[136]),/* OBJ_ms_ctl_sign                  1 3 6 1 4 1 311 10 3 1 */
 &(nid_objs[137]),/* OBJ_ms_sgc                       1 3 6 1 4 1 311 10 3 3 */
 &(nid_objs[138]),/* OBJ_ms_efs                       1 3 6 1 4 1 311 10 3 4 */
+&(nid_objs[648]),/* OBJ_ms_smartcard_login           1 3 6 1 4 1 311 20 2 2 */
+&(nid_objs[649]),/* OBJ_ms_upn                       1 3 6 1 4 1 311 20 2 3 */
 &(nid_objs[196]),/* OBJ_id_smime_mod_cms             1 2 840 113549 1 9 16 0 1 */
 &(nid_objs[197]),/* OBJ_id_smime_mod_ess             1 2 840 113549 1 9 16 0 2 */
 &(nid_objs[198]),/* OBJ_id_smime_mod_oid             1 2 840 113549 1 9 16 0 3 */
diff --git a/src/lib/libcrypto/objects/obj_mac.h b/src/lib/libcrypto/objects/obj_mac.h
index 899db8325c..7645012298 100644
--- a/src/lib/libcrypto/objects/obj_mac.h
+++ b/src/lib/libcrypto/objects/obj_mac.h
@@ -850,6 +850,16 @@
 #define NID_ms_efs              138
 #define OBJ_ms_efs              1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
 
+#define SN_ms_smartcard_login           "msSmartcardLogin"
+#define LN_ms_smartcard_login           "Microsoft Smartcardlogin"
+#define NID_ms_smartcard_login          648
+#define OBJ_ms_smartcard_login          1L,3L,6L,1L,4L,1L,311L,20L,2L,2L
+
+#define SN_ms_upn               "msUPN"
+#define LN_ms_upn               "Microsoft Universal Principal Name"
+#define NID_ms_upn              649
+#define OBJ_ms_upn              1L,3L,6L,1L,4L,1L,311L,20L,2L,3L
+
 #define SN_idea_cbc             "IDEA-CBC"
 #define LN_idea_cbc             "idea-cbc"
 #define NID_idea_cbc            34
@@ -1632,7 +1642,7 @@
 #define NID_name                173
 #define OBJ_name                OBJ_X509,41L
 
-#define SN_givenName            "gn"
+#define SN_givenName            "GN"
 #define LN_givenName            "givenName"
 #define NID_givenName           99
 #define OBJ_givenName           OBJ_X509,42L
diff --git a/src/lib/libcrypto/opensslconf.h b/src/lib/libcrypto/opensslconf.h
index c9756e47a3..492041bc7c 100644
--- a/src/lib/libcrypto/opensslconf.h
+++ b/src/lib/libcrypto/opensslconf.h
@@ -69,7 +69,7 @@
 #endif
 #endif
 
-#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG)
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
diff --git a/src/lib/libcrypto/opensslconf.h.in b/src/lib/libcrypto/opensslconf.h.in
index 9082a16c46..685e83b7a3 100644
--- a/src/lib/libcrypto/opensslconf.h.in
+++ b/src/lib/libcrypto/opensslconf.h.in
@@ -47,7 +47,7 @@
 #endif
 #endif
 
-#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG)
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
diff --git a/src/lib/libcrypto/perlasm/x86ms.pl b/src/lib/libcrypto/perlasm/x86ms.pl
index 206452341d..35f1a4ddb9 100644
--- a/src/lib/libcrypto/perlasm/x86ms.pl
+++ b/src/lib/libcrypto/perlasm/x86ms.pl
@@ -92,6 +92,8 @@ sub get_mem
                 $addr="_$addr";
                 }
 
+        if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
+
         $reg1="$regs{$reg1}" if defined($regs{$reg1});
         $reg2="$regs{$reg2}" if defined($regs{$reg2});
         if (($addr ne "") && ($addr ne 0))
@@ -111,6 +113,7 @@ sub get_mem
                 {
                 $ret.="[$reg1$post]"
                 }
+        $ret =~ s/\[\]//;       # in case $addr was the only argument
         return($ret);
         }
 
@@ -151,7 +154,7 @@ sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop    { &out1("pop",@_); $stack-=4; }
 sub main'bswap  { &out1("bswap",@_); &using486(); }
 sub main'not    { &out1("not",@_); }
-sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -338,7 +341,7 @@ sub main'set_label
         {
         if (!defined($label{$_[0]}))
                 {
-                $label{$_[0]}="${label}${_[0]}";
+                $label{$_[0]}="\$${label}${_[0]}";
                 $label++;
                 }
         if((defined $_[2]) && ($_[2] == 1))
@@ -363,3 +366,11 @@ sub out1p
 
         push(@out,"\t$name\t ".&conv($p1)."\n");
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        &main'lea($dst,&main'DWP($sym));
+        }
+
+sub main'blindpop { &out1("pop",@_); }
diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl
index 519d8a5867..f30b7466d4 100644
--- a/src/lib/libcrypto/perlasm/x86nasm.pl
+++ b/src/lib/libcrypto/perlasm/x86nasm.pl
@@ -98,6 +98,8 @@ sub get_mem
                 $addr="_$addr";
                 }
 
+        if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
+
         $reg1="$regs{$reg1}" if defined($regs{$reg1});
         $reg2="$regs{$reg2}" if defined($regs{$reg2});
         if (($addr ne "") && ($addr ne 0))
@@ -117,6 +119,7 @@ sub get_mem
                 {
                 $ret.="$reg1$post]"
                 }
+        $ret =~ s/\+\]/]/; # in case $addr was the only argument
         return($ret);
         }
 
@@ -160,7 +163,7 @@ sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop    { &out1("pop",@_); $stack-=4; }
 sub main'bswap  { &out1("bswap",@_); &using486(); }
 sub main'not    { &out1("not",@_); }
-sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -322,7 +325,7 @@ sub main'set_label
         {
         if (!defined($label{$_[0]}))
                 {
-                $label{$_[0]}="${label}${_[0]}";
+                $label{$_[0]}="\$${label}${_[0]}";
                 $label++;
                 }
         push(@out,"$label{$_[0]}:\n");
@@ -340,3 +343,11 @@ sub out1p
 
         push(@out,"\t$name\t ".&conv($p1)."\n");
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        &main'lea($dst,&main'DWP($sym));
+        }
+
+sub main'blindpop { &out1("pop",@_); }
diff --git a/src/lib/libcrypto/perlasm/x86unix.pl b/src/lib/libcrypto/perlasm/x86unix.pl
index 9ceabf0705..72bde061c5 100644
--- a/src/lib/libcrypto/perlasm/x86unix.pl
+++ b/src/lib/libcrypto/perlasm/x86unix.pl
@@ -87,12 +87,12 @@ sub main'DWP
         $ret.=$addr if ($addr ne "") && ($addr ne 0);
         if ($reg2 ne "")
                 {
-                if($idx ne "")
+                if($idx ne "" && $idx != 0)
                     { $ret.="($reg1,$reg2,$idx)"; }
                 else
                     { $ret.="($reg1,$reg2)"; }
                 }
-        else
+        elsif ($reg1 ne "")
                 { $ret.="($reg1)" }
         return($ret);
         }
@@ -167,7 +167,7 @@ sub main'pop	{ &out1("popl",@_); $stack-=4; }
 sub main'pushf  { &out0("pushf"); $stack+=4; }
 sub main'popf   { &out0("popf"); $stack-=4; }
 sub main'not    { &out1("notl",@_); }
-sub main'call   { &out1("call",$under.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -345,15 +345,15 @@ sub main'function_end
         popl    %ebx
         popl    %ebp
         ret
-.${func}_end:
+.L_${func}_end:
 EOF
         push(@out,$tmp);
 
         if ($main'cpp)
-                { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
+                { push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
         elsif ($main'gaswin)
                 { $tmp=push(@out,"\t.align 4\n"); }
-        else    { push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
+        else    { push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
         push(@out,".ident       \"$func\"\n");
         $stack=0;
         %label=();
@@ -426,6 +426,11 @@ sub main'swtmp
 
 sub main'comment
         {
+        if ($main'elf)  # GNU and SVR4 as'es use different comment delimiters,
+                {       # so we just skip comments...
+                push(@out,"\n");
+                return;
+                }
         foreach (@_)
                 {
                 if (/^\s*$/)
@@ -542,3 +547,39 @@ sub popvars
         &main'pop("edx");
         &main'popf();
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        if ($main'cpp)
+                {
+                local($tmp)=<<___;
+#if (defined(ELF) || defined(SOL)) && defined(PIC)
+        .align  8
+        call    1f
+1:      popl    $regs{$dst}
+        addl    \$_GLOBAL_OFFSET_TABLE_+[.-1b],$regs{$dst}
+        movl    $sym\@GOT($regs{$dst}),$regs{$dst}
+#else
+        leal    $sym,$regs{$dst}
+#endif
+___
+                push(@out,$tmp);
+                }
+        elsif ($main'pic && ($main'elf || $main'aout))
+                {
+                push(@out,"\t.align\t8\n");
+                &main'call(&main'label("PIC_me_up"));
+                &main'set_label("PIC_me_up");
+                &main'blindpop($dst);
+                &main'add($dst,"\$$under"."_GLOBAL_OFFSET_TABLE_+[.-".
+                                &main'label("PIC_me_up") . "]");
+                &main'mov($dst,&main'DWP($sym."\@GOT",$dst));
+                }
+        else
+                {
+                &main'lea($dst,&main'DWP($sym));
+                }
+        }
+
+sub main'blindpop { &out1("popl",@_); }
diff --git a/src/lib/libcrypto/pkcs7/bio_ber.c b/src/lib/libcrypto/pkcs7/bio_ber.c
index 42331f7ab0..895a91177b 100644
--- a/src/lib/libcrypto/pkcs7/bio_ber.c
+++ b/src/lib/libcrypto/pkcs7/bio_ber.c
@@ -145,7 +145,7 @@ static int ber_free(BIO *a)
 
         if (a == NULL) return(0);
         b=(BIO_BER_CTX *)a->ptr;
-        memset(a->ptr,0,sizeof(BIO_BER_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index a00ed70718..eeffc0df4c 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void)
 
 static void ssleay_rand_cleanup(void)
         {
-        memset(state,0,sizeof(state));
+        OPENSSL_cleanse(state,sizeof(state));
         state_num=0;
         state_index=0;
-        memset(md,0,MD_DIGEST_LENGTH);
+        OPENSSL_cleanse(md,MD_DIGEST_LENGTH);
         md_count[0]=0;
         md_count[1]=0;
         entropy=0;
diff --git a/src/lib/libcrypto/rand/rand_egd.c b/src/lib/libcrypto/rand/rand_egd.c
index abc3ac27d5..1f168221e3 100644
--- a/src/lib/libcrypto/rand/rand_egd.c
+++ b/src/lib/libcrypto/rand/rand_egd.c
@@ -94,7 +94,7 @@
  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(__DJGPP__)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
         {
         return(-1);
@@ -114,7 +114,7 @@ int RAND_egd_bytes(const char *path,int bytes)
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifndef NO_SYS_UN_H
-# ifdef OPENSSL_SYS_VSWORKS
+# ifdef OPENSSL_SYS_VXWORKS
 #   include <streams/un.h>
 # else
 #   include <sys/un.h>
@@ -143,7 +143,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 
         memset(&addr, 0, sizeof(addr));
         addr.sun_family = AF_UNIX;
-        if (strlen(path) > sizeof(addr.sun_path))
+        if (strlen(path) >= sizeof(addr.sun_path))
                 return (-1);
         strcpy(addr.sun_path,path);
         len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
index ec09d74603..a776e52243 100644
--- a/src/lib/libcrypto/rand/rand_unix.c
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -115,7 +115,7 @@
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2))
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS))
 
 #include <sys/types.h>
 #include <sys/time.h>
@@ -215,7 +215,7 @@ int RAND_poll(void)
         if (n > 0)
                 {
                 RAND_add(tmpbuf,sizeof tmpbuf,n);
-                memset(tmpbuf,0,n);
+                OPENSSL_cleanse(tmpbuf,n);
                 }
 #endif
 
@@ -236,3 +236,10 @@ int RAND_poll(void)
 }
 
 #endif
+
+#if defined(OPENSSL_SYS_VXWORKS)
+int RAND_poll(void)
+{
+    return 0;
+}
+#endif
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index c1b955b06f..113b58678f 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -125,7 +125,7 @@
  * http://developer.intel.com/design/security/rng/redist_license.htm
  */
 #define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider"
+#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
 
 static void readtimer(void);
 static void readscreen(void);
@@ -170,7 +170,9 @@ typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32);
 typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
 
 #include <lmcons.h>
+#ifndef OPENSSL_SYS_WINCE
 #include <lmstats.h>
+#endif
 #if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE
        * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
        * was added to the Platform SDK to allow the NET API to be used in
@@ -209,20 +211,32 @@ int RAND_poll(void)
         osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
         GetVersionEx( &osverinfo ) ;
 
+#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+        /* poll the CryptoAPI PRNG */
+        /* The CryptoAPI returns sizeof(buf) bytes of randomness */
+        if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
+                {
+                if (CryptGenRandom(hProvider, sizeof(buf), buf))
+                        RAND_add(buf, sizeof(buf), sizeof(buf));
+                CryptReleaseContext(hProvider, 0); 
+                }
+#endif
+
         /* load functions dynamically - not available on all systems */
-        advapi = LoadLibrary("ADVAPI32.DLL");
-        kernel = LoadLibrary("KERNEL32.DLL");
-        user = LoadLibrary("USER32.DLL");
-        netapi = LoadLibrary("NETAPI32.DLL");
+        advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
+        kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+        user = LoadLibrary(TEXT("USER32.DLL"));
+        netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
 
+#ifndef OPENSSL_SYS_WINCE
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
        * section is still experimental, but if all goes well, this conditional
        * will be removed
        */
         if (netapi)
                 {
-                netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
-                netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
+                netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
+                netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
                 }
 
         if (netstatget && netfree)
@@ -249,7 +263,9 @@ int RAND_poll(void)
         if (netapi)
                 FreeLibrary(netapi);
 #endif /* 1 */
+#endif /* !OPENSSL_SYS_WINCE */
  
+#ifndef OPENSSL_SYS_WINCE
         /* It appears like this can cause an exception deep within ADVAPI32.DLL
          * at random times on Windows 2000.  Reported by Jeffrey Altman.  
          * Only use it on NT.
@@ -280,30 +296,40 @@ int RAND_poll(void)
                         bufsz += 8192;
 
                         length = bufsz;
-                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global",
+                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"),
                                 NULL, NULL, buf, &length);
                         }
                 if (rc == ERROR_SUCCESS)
                         {
                         /* For entropy count assume only least significant
                          * byte of each DWORD is random.
-                         */
+                         */
                         RAND_add(&length, sizeof(length), 0);
                         RAND_add(buf, length, length / 4.0);
+
+                        /* Close the Registry Key to allow Windows to cleanup/close
+                         * the open handle
+                         * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened
+                         *       when the RegQueryValueEx above is done.  However, if
+                         *       it is not explicitly closed, it can cause disk
+                         *       partition manipulation problems.
+                         */
+                        RegCloseKey(HKEY_PERFORMANCE_DATA);
                         }
                 if (buf)
                         free(buf);
                 }
 #endif
+#endif /* !OPENSSL_SYS_WINCE */
 
         if (advapi)
                 {
                 acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
-                        "CryptAcquireContextA");
+                        TEXT("CryptAcquireContextA"));
                 gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
-                        "CryptGenRandom");
+                        TEXT("CryptGenRandom"));
                 release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
-                        "CryptReleaseContext");
+                        TEXT("CryptReleaseContext"));
                 }
 
         if (acquire && gen && release)
@@ -357,9 +383,9 @@ int RAND_poll(void)
                 GETFOREGROUNDWINDOW win;
                 GETQUEUESTATUS queue;
 
-                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
-                cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
-                queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
+                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
+                cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
+                queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
 
                 if (win)
                         {
@@ -430,17 +456,17 @@ int RAND_poll(void)
                 MODULEENTRY32 m;
 
                 snap = (CREATETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
-                heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
-                heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
-                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
-                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
-                process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
-                process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
-                thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
-                thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
-                module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
-                module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
+                        GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
+                heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
+                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
+                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
+                process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
+                process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
+                thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
+                thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
+                module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
+                module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
 
                 if (snap && heap_first && heap_next && heaplist_first &&
                         heaplist_next && process_first && process_next &&
@@ -575,7 +601,7 @@ static void readtimer(void)
         DWORD w;
         LARGE_INTEGER l;
         static int have_perfc = 1;
-#ifdef _MSC_VER
+#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
         static int have_tsc = 1;
         DWORD cyclecount;
 
@@ -628,6 +654,7 @@ static void readtimer(void)
 
 static void readscreen(void)
 {
+#ifndef OPENSSL_SYS_WINCE
   HDC           hScrDC;         /* screen DC */
   HDC           hMemDC;         /* memory DC */
   HBITMAP       hBitmap;        /* handle for our bitmap */
@@ -641,7 +668,7 @@ static void readscreen(void)
   int           n = 16;         /* number of screen lines to grab at a time */
 
   /* Create a screen DC and a memory DC compatible to screen DC */
-  hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL);
+  hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
   hMemDC = CreateCompatibleDC(hScrDC);
 
   /* Get screen resolution */
@@ -688,6 +715,7 @@ static void readscreen(void)
   DeleteObject(hBitmap);
   DeleteDC(hMemDC);
   DeleteDC(hScrDC);
+#endif /* !OPENSSL_SYS_WINCE */
 }
 
 #endif
diff --git a/src/lib/libcrypto/rand/randtest.c b/src/lib/libcrypto/rand/randtest.c
index b64de616db..701932e6ee 100644
--- a/src/lib/libcrypto/rand/randtest.c
+++ b/src/lib/libcrypto/rand/randtest.c
@@ -60,6 +60,8 @@
 #include <stdlib.h>
 #include <openssl/rand.h>
 
+#include "../e_os.h"
+
 /* some FIPS 140-1 random number test */
 /* some simple tests */
 
@@ -209,6 +211,6 @@ int main()
         printf("test 4 done\n");
  err:
         err=((err)?1:0);
-        exit(err);
+        EXIT(err);
         return(err);
         }
diff --git a/src/lib/libcrypto/rc2/rc2test.c b/src/lib/libcrypto/rc2/rc2test.c
index d9a2a0a1cb..b67bafb49f 100644
--- a/src/lib/libcrypto/rc2/rc2test.c
+++ b/src/lib/libcrypto/rc2/rc2test.c
@@ -63,6 +63,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RC2
 int main(int argc, char *argv[])
 {
@@ -203,7 +205,7 @@ int main(int argc, char *argv[])
                 printf("ok\n");
 #endif
 
-        exit(err);
+        EXIT(err);
         return(err);
         }
 
diff --git a/src/lib/libcrypto/rc4/rc4.c b/src/lib/libcrypto/rc4/rc4.c
index c2165b0b75..b39c070292 100644
--- a/src/lib/libcrypto/rc4/rc4.c
+++ b/src/lib/libcrypto/rc4/rc4.c
@@ -155,7 +155,7 @@ bad:
                 i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0);
                 if (i != 0)
                         {
-                        memset(buf,0,BUFSIZ);
+                        OPENSSL_cleanse(buf,BUFSIZ);
                         fprintf(stderr,"bad password read\n");
                         exit(1);
                         }
@@ -163,7 +163,7 @@ bad:
                 }
 
         EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5());
-        memset(keystr,0,strlen(keystr));
+        OPENSSL_cleanse(keystr,strlen(keystr));
         RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
         
         for(;;)
diff --git a/src/lib/libcrypto/rc4/rc4test.c b/src/lib/libcrypto/rc4/rc4test.c
index a28d457c8d..b9d8f20975 100644
--- a/src/lib/libcrypto/rc4/rc4test.c
+++ b/src/lib/libcrypto/rc4/rc4test.c
@@ -60,6 +60,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RC4
 int main(int argc, char *argv[])
 {
@@ -195,7 +197,7 @@ int main(int argc, char *argv[])
                         }
                 }
         printf("done\n");
-        exit(err);
+        EXIT(err);
         return(0);
         }
 #endif
diff --git a/src/lib/libcrypto/rc5/rc5s.cpp b/src/lib/libcrypto/rc5/rc5s.cpp
new file mode 100644
index 0000000000..1c5518bc80
--- /dev/null
+++ b/src/lib/libcrypto/rc5/rc5s.cpp
@@ -0,0 +1,70 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+               : "=eax" (tsc)
+               :
+               : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/rc5.h>
+
+void main(int argc,char *argv[])
+        {
+        RC5_32_KEY key;
+        unsigned long s1,s2,e1,e2;
+        unsigned long data[2];
+        int i,j;
+        static unsigned char d[16]={0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
+
+        RC5_32_set_key(&key, 16,d,12);
+
+        for (j=0; j<6; j++)
+                {
+                for (i=0; i<1000; i++) /**/
+                        {
+                        RC5_32_encrypt(&data[0],&key);
+                        GetTSC(s1);
+                        RC5_32_encrypt(&data[0],&key);
+                        RC5_32_encrypt(&data[0],&key);
+                        RC5_32_encrypt(&data[0],&key);
+                        GetTSC(e1);
+                        GetTSC(s2);
+                        RC5_32_encrypt(&data[0],&key);
+                        RC5_32_encrypt(&data[0],&key);
+                        RC5_32_encrypt(&data[0],&key);
+                        RC5_32_encrypt(&data[0],&key);
+                        GetTSC(e2);
+                        RC5_32_encrypt(&data[0],&key);
+                        }
+
+                printf("cast %d %d (%d)\n",
+                        e1-s1,e2-s2,((e2-s2)-(e1-s1)));
+                }
+        }
+
diff --git a/src/lib/libcrypto/ripemd/rmd160.c b/src/lib/libcrypto/ripemd/rmd160.c
index 4f8b88a18a..b0ec574498 100644
--- a/src/lib/libcrypto/ripemd/rmd160.c
+++ b/src/lib/libcrypto/ripemd/rmd160.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
diff --git a/src/lib/libcrypto/ripemd/rmdtest.c b/src/lib/libcrypto/ripemd/rmdtest.c
index be1fb8b1f6..d4c709e646 100644
--- a/src/lib/libcrypto/ripemd/rmdtest.c
+++ b/src/lib/libcrypto/ripemd/rmdtest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RIPEMD
 int main(int argc, char *argv[])
 {
@@ -127,7 +129,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c
index b8b462d33b..924e9ad1f6 100644
--- a/src/lib/libcrypto/rsa/rsa_test.c
+++ b/src/lib/libcrypto/rsa/rsa_test.c
@@ -16,7 +16,6 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/rsa.h>
-#include <openssl/engine.h>
 
 #define SetKey \
   key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
diff --git a/src/lib/libcrypto/sha/sha1test.c b/src/lib/libcrypto/sha/sha1test.c
index 499a1cf5af..4f2e4ada2d 100644
--- a/src/lib/libcrypto/sha/sha1test.c
+++ b/src/lib/libcrypto/sha/sha1test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
@@ -155,7 +157,7 @@ int main(int argc, char *argv[])
                 }
         else
                 printf("test 3 ok\n");
-        exit(err);
+        EXIT(err);
         EVP_MD_CTX_cleanup(&c);
         return(0);
         }
diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c
index 5426faae4a..e61c63f3e9 100644
--- a/src/lib/libcrypto/sha/sha_one.c
+++ b/src/lib/libcrypto/sha/sha_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
+#include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA0
 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
         SHA_Init(&c);
         SHA_Update(&c,d,n);
         SHA_Final(md,&c);
-        memset(&c,0,sizeof(c));
+        OPENSSL_cleanse(&c,sizeof(c));
         return(md);
         }
 #endif
diff --git a/src/lib/libcrypto/sha/shatest.c b/src/lib/libcrypto/sha/shatest.c
index 331294a74f..5d2b1d3b1a 100644
--- a/src/lib/libcrypto/sha/shatest.c
+++ b/src/lib/libcrypto/sha/shatest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
@@ -156,7 +158,7 @@ int main(int argc, char *argv[])
         else
                 printf("test 3 ok\n");
         EVP_MD_CTX_cleanup(&c);
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/threads/mttest.c b/src/lib/libcrypto/threads/mttest.c
index 7142e4edc7..54d598565d 100644
--- a/src/lib/libcrypto/threads/mttest.c
+++ b/src/lib/libcrypto/threads/mttest.c
@@ -86,11 +86,6 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_NO_FP_API
-#define APPS_WIN16
-#include "../buffer/bss_file.c"
-#endif
-
 #define TEST_SERVER_CERT "../../apps/server.pem"
 #define TEST_CLIENT_CERT "../../apps/client.pem"
 
diff --git a/src/lib/libcrypto/tmdiff.c b/src/lib/libcrypto/tmdiff.c
index 7ebf2b202a..307523ebba 100644
--- a/src/lib/libcrypto/tmdiff.c
+++ b/src/lib/libcrypto/tmdiff.c
@@ -59,13 +59,16 @@
 #include <stdlib.h>
 #include "cryptlib.h"
 #include <openssl/tmdiff.h>
+#if !defined(OPENSSL_SYS_MSDOS)
+#include OPENSSL_UNISTD
+#endif
 
 #ifdef TIMEB
 #undef OPENSSL_SYS_WIN32
 #undef TIMES
 #endif
 
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !(defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX_RHAPSODY) && !defined(OPENSSL_SYS_VXWORKS)
 # define TIMES
 #endif
 
@@ -101,14 +104,19 @@
 
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
-# ifndef CLK_TCK
-#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
-#   define HZ  100.0
-#  else /* _BSD_CLK_TCK_ */
-#   define HZ ((double)_BSD_CLK_TCK_)
+# if defined(_SC_CLK_TCK) \
+     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
+#  define HZ ((double)sysconf(_SC_CLK_TCK))
+# else
+#  ifndef CLK_TCK
+#   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#    define HZ  100.0
+#   else /* _BSD_CLK_TCK_ */
+#    define HZ ((double)_BSD_CLK_TCK_)
+#   endif
+#  else /* CLK_TCK */
+#   define HZ ((double)CLK_TCK)
 #  endif
-# else /* CLK_TCK */
-#  define HZ ((double)CLK_TCK)
 # endif
 #endif
 
@@ -121,7 +129,7 @@ typedef struct ms_tm
         HANDLE thread_id;
         FILETIME ms_win32;
 #  else
-#    ifdef OPENSSL_SYS_VSWORKS
+#    ifdef OPENSSL_SYS_VXWORKS
           unsigned long ticks;
 #    else
         struct timeb ms_timeb;
@@ -163,7 +171,7 @@ void ms_time_get(char *a)
 #  ifdef OPENSSL_SYS_WIN32
         GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32));
 #  else
-#    ifdef OPENSSL_SYS_VSWORKS
+#    ifdef OPENSSL_SYS_VXWORKS
         tm->ticks = tickGet();
 #    else
         ftime(&tm->ms_timeb);
@@ -197,7 +205,7 @@ double ms_time_diff(char *ap, char *bp)
         ret=((double)(lb-la))/1e7;
         }
 # else
-#  ifdef OPENSSL_SYS_VSWORKS
+#  ifdef OPENSSL_SYS_VXWORKS
         ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet();
 #  else
         ret=     (double)(b->ms_timeb.time-a->ms_timeb.time)+
@@ -222,7 +230,7 @@ int ms_time_cmp(char *ap, char *bp)
         d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7;
         d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7;
 # else
-#  ifdef OPENSSL_SYS_VSWORKS
+#  ifdef OPENSSL_SYS_VXWORKS
         d = (b->ticks - a->ticks);
 #  else
         d=       (double)(b->ms_timeb.time-a->ms_timeb.time)+
diff --git a/src/lib/libcrypto/uid.c b/src/lib/libcrypto/uid.c
index d3d249c36f..73205a4baa 100644
--- a/src/lib/libcrypto/uid.c
+++ b/src/lib/libcrypto/uid.c
@@ -65,7 +65,7 @@ int OPENSSL_issetugid(void)
         return issetugid();
         }
 
-#elif defined(OPENSSL_SYS_WIN32)
+#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)
 
 int OPENSSL_issetugid(void)
         {
diff --git a/src/lib/libcrypto/util/bat.sh b/src/lib/libcrypto/util/bat.sh
index c6f48e8a7b..4d9a8287d0 100644
--- a/src/lib/libcrypto/util/bat.sh
+++ b/src/lib/libcrypto/util/bat.sh
@@ -62,6 +62,7 @@ sub var_add
         local($dir,$val)=@_;
         local(@a,$_,$ret);
 
+        return("") if $no_engine && $dir =~ /\/engine/;
         return("") if $no_idea && $dir =~ /\/idea/;
         return("") if $no_rc2  && $dir =~ /\/rc2/;
         return("") if $no_rc4  && $dir =~ /\/rc4/;
@@ -116,6 +117,7 @@ sub var_add
         @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
         @a=grep(!/_mdc2$/,@a) if $no_mdc2;
 
+        @a=grep(!/^engine$/,@a) if $no_engine;
         @a=grep(!/(^rsa$)|(^genrsa$)|(^req$)|(^ca$)/,@a) if $no_rsa;
         @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa;
         @a=grep(!/^gendsa$/,@a) if $no_sha1;
diff --git a/src/lib/libcrypto/util/cygwin.sh b/src/lib/libcrypto/util/cygwin.sh
index b607399b02..930f766b4f 100644
--- a/src/lib/libcrypto/util/cygwin.sh
+++ b/src/lib/libcrypto/util/cygwin.sh
@@ -96,6 +96,8 @@ fi
 
 get_openssl_version
 
+make depend || exit 1
+
 make || exit 1
 
 base_install
diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd
index 8cbe383c16..49310bbdd1 100644
--- a/src/lib/libcrypto/util/domd
+++ b/src/lib/libcrypto/util/domd
@@ -15,9 +15,14 @@ cp Makefile.ssl Makefile.save
 # fake the presence of Kerberos
 touch $TOP/krb5.h
 if [ "$MAKEDEPEND" = "gcc" ]; then
+    args=""
+    while [ $# -gt 0 ]; do
+        if [ "$1" != "--" ]; then args="$args $1"; fi
+        shift
+    done
     sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
     echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
-    gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
+    gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
     ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
diff --git a/src/lib/libcrypto/util/extract-names.pl b/src/lib/libcrypto/util/extract-names.pl
new file mode 100644
index 0000000000..d413a045cc
--- /dev/null
+++ b/src/lib/libcrypto/util/extract-names.pl
@@ -0,0 +1,22 @@
+#!/usr/bin/perl
+
+$/ = "";                        # Eat a paragraph at once.
+while(<STDIN>) {
+    chop;
+    s/\n/ /gm;
+    if (/^=head1 /) {
+        $name = 0;
+    } elsif ($name) {
+        if (/ - /) {
+            s/ - .*//;
+            s/[ \t,]+/ /g;
+            push @words, split ' ';
+        }
+    }
+    if (/^=head1 *NAME *$/) {
+        $name = 1;
+    }
+}
+
+print join("\n", @words),"\n";
+
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 7e5728495f..f5c8c0be8a 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -980,7 +980,7 @@ BN_mul_word                             999	EXIST::FUNCTION:
 BN_sub_word                             1000    EXIST::FUNCTION:
 BN_dec2bn                               1001    EXIST::FUNCTION:
 BN_bn2dec                               1002    EXIST::FUNCTION:
-BIO_ghbn_ctrl                           1003    EXIST::FUNCTION:
+BIO_ghbn_ctrl                           1003    NOEXIST::FUNCTION:
 CRYPTO_free_ex_data                     1004    EXIST::FUNCTION:
 CRYPTO_get_ex_data                      1005    EXIST::FUNCTION:
 CRYPTO_set_ex_data                      1007    EXIST::FUNCTION:
@@ -1881,72 +1881,72 @@ BIO_f_linebuffer                        2463	EXIST:VMS:FUNCTION:
 BN_bntest_rand                          2464    EXIST::FUNCTION:
 OPENSSL_issetugid                       2465    EXIST::FUNCTION:
 BN_rand_range                           2466    EXIST::FUNCTION:
-ERR_load_ENGINE_strings                 2467    EXIST::FUNCTION:
-ENGINE_set_DSA                          2468    EXIST::FUNCTION:
-ENGINE_get_finish_function              2469    EXIST::FUNCTION:
-ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:
+ERR_load_ENGINE_strings                 2467    EXIST::FUNCTION:ENGINE
+ENGINE_set_DSA                          2468    EXIST::FUNCTION:ENGINE
+ENGINE_get_finish_function              2469    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:ENGINE
 ENGINE_get_BN_mod_exp                   2471    NOEXIST::FUNCTION:
 DSA_get_default_openssl_method          2472    NOEXIST::FUNCTION:
-ENGINE_set_DH                           2473    EXIST::FUNCTION:
+ENGINE_set_DH                           2473    EXIST::FUNCTION:ENGINE
 ENGINE_set_def_BN_mod_exp_crt           2474    NOEXIST::FUNCTION:
 ENGINE_set_default_BN_mod_exp_crt       2474    NOEXIST::FUNCTION:
-ENGINE_init                             2475    EXIST::FUNCTION:
+ENGINE_init                             2475    EXIST::FUNCTION:ENGINE
 DH_get_default_openssl_method           2476    NOEXIST::FUNCTION:
 RSA_set_default_openssl_method          2477    NOEXIST::FUNCTION:
-ENGINE_finish                           2478    EXIST::FUNCTION:
-ENGINE_load_public_key                  2479    EXIST::FUNCTION:
-ENGINE_get_DH                           2480    EXIST::FUNCTION:
-ENGINE_ctrl                             2481    EXIST::FUNCTION:
-ENGINE_get_init_function                2482    EXIST::FUNCTION:
-ENGINE_set_init_function                2483    EXIST::FUNCTION:
-ENGINE_set_default_DSA                  2484    EXIST::FUNCTION:
-ENGINE_get_name                         2485    EXIST::FUNCTION:
-ENGINE_get_last                         2486    EXIST::FUNCTION:
-ENGINE_get_prev                         2487    EXIST::FUNCTION:
-ENGINE_get_default_DH                   2488    EXIST::FUNCTION:
-ENGINE_get_RSA                          2489    EXIST::FUNCTION:
-ENGINE_set_default                      2490    EXIST::FUNCTION:
-ENGINE_get_RAND                         2491    EXIST::FUNCTION:
-ENGINE_get_first                        2492    EXIST::FUNCTION:
-ENGINE_by_id                            2493    EXIST::FUNCTION:
-ENGINE_set_finish_function              2494    EXIST::FUNCTION:
+ENGINE_finish                           2478    EXIST::FUNCTION:ENGINE
+ENGINE_load_public_key                  2479    EXIST::FUNCTION:ENGINE
+ENGINE_get_DH                           2480    EXIST::FUNCTION:ENGINE
+ENGINE_ctrl                             2481    EXIST::FUNCTION:ENGINE
+ENGINE_get_init_function                2482    EXIST::FUNCTION:ENGINE
+ENGINE_set_init_function                2483    EXIST::FUNCTION:ENGINE
+ENGINE_set_default_DSA                  2484    EXIST::FUNCTION:ENGINE
+ENGINE_get_name                         2485    EXIST::FUNCTION:ENGINE
+ENGINE_get_last                         2486    EXIST::FUNCTION:ENGINE
+ENGINE_get_prev                         2487    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_DH                   2488    EXIST::FUNCTION:ENGINE
+ENGINE_get_RSA                          2489    EXIST::FUNCTION:ENGINE
+ENGINE_set_default                      2490    EXIST::FUNCTION:ENGINE
+ENGINE_get_RAND                         2491    EXIST::FUNCTION:ENGINE
+ENGINE_get_first                        2492    EXIST::FUNCTION:ENGINE
+ENGINE_by_id                            2493    EXIST::FUNCTION:ENGINE
+ENGINE_set_finish_function              2494    EXIST::FUNCTION:ENGINE
 ENGINE_get_def_BN_mod_exp_crt           2495    NOEXIST::FUNCTION:
 ENGINE_get_default_BN_mod_exp_crt       2495    NOEXIST::FUNCTION:
 RSA_get_default_openssl_method          2496    NOEXIST::FUNCTION:
-ENGINE_set_RSA                          2497    EXIST::FUNCTION:
-ENGINE_load_private_key                 2498    EXIST::FUNCTION:
-ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:
+ENGINE_set_RSA                          2497    EXIST::FUNCTION:ENGINE
+ENGINE_load_private_key                 2498    EXIST::FUNCTION:ENGINE
+ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:ENGINE
 ENGINE_set_BN_mod_exp                   2500    NOEXIST::FUNCTION:
-ENGINE_remove                           2501    EXIST::FUNCTION:
-ENGINE_free                             2502    EXIST::FUNCTION:
+ENGINE_remove                           2501    EXIST::FUNCTION:ENGINE
+ENGINE_free                             2502    EXIST::FUNCTION:ENGINE
 ENGINE_get_BN_mod_exp_crt               2503    NOEXIST::FUNCTION:
-ENGINE_get_next                         2504    EXIST::FUNCTION:
-ENGINE_set_name                         2505    EXIST::FUNCTION:
-ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:
+ENGINE_get_next                         2504    EXIST::FUNCTION:ENGINE
+ENGINE_set_name                         2505    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:ENGINE
 ENGINE_set_default_BN_mod_exp           2507    NOEXIST::FUNCTION:
-ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:
-ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:
+ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:ENGINE
 ENGINE_get_default_BN_mod_exp           2510    NOEXIST::FUNCTION:
-ENGINE_set_RAND                         2511    EXIST::FUNCTION:
-ENGINE_set_id                           2512    EXIST::FUNCTION:
+ENGINE_set_RAND                         2511    EXIST::FUNCTION:ENGINE
+ENGINE_set_id                           2512    EXIST::FUNCTION:ENGINE
 ENGINE_set_BN_mod_exp_crt               2513    NOEXIST::FUNCTION:
-ENGINE_set_default_DH                   2514    EXIST::FUNCTION:
-ENGINE_new                              2515    EXIST::FUNCTION:
-ENGINE_get_id                           2516    EXIST::FUNCTION:
+ENGINE_set_default_DH                   2514    EXIST::FUNCTION:ENGINE
+ENGINE_new                              2515    EXIST::FUNCTION:ENGINE
+ENGINE_get_id                           2516    EXIST::FUNCTION:ENGINE
 DSA_set_default_openssl_method          2517    NOEXIST::FUNCTION:
-ENGINE_add                              2518    EXIST::FUNCTION:
+ENGINE_add                              2518    EXIST::FUNCTION:ENGINE
 DH_set_default_openssl_method           2519    NOEXIST::FUNCTION:
-ENGINE_get_DSA                          2520    EXIST::FUNCTION:
-ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:
-ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:
+ENGINE_get_DSA                          2520    EXIST::FUNCTION:ENGINE
+ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:ENGINE
+ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:ENGINE
 BN_pseudo_rand_range                    2523    EXIST::FUNCTION:
 X509_STORE_CTX_set_verify_cb            2524    EXIST::FUNCTION:
 ERR_load_COMP_strings                   2525    EXIST::FUNCTION:
 PKCS12_item_decrypt_d2i                 2526    EXIST::FUNCTION:
 ASN1_UTF8STRING_it                      2527    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_UTF8STRING_it                      2527    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:
-ENGINE_get_ciphers                      2529    EXIST::FUNCTION:
+ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:ENGINE
+ENGINE_get_ciphers                      2529    EXIST::FUNCTION:ENGINE
 d2i_OCSP_BASICRESP                      2530    EXIST::FUNCTION:
 KRB5_CHECKSUM_it                        2531    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_CHECKSUM_it                        2531    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -1959,15 +1959,15 @@ X509V3_add1_i2d                         2536	EXIST::FUNCTION:
 PKCS7_ENVELOPE_it                       2537    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_ENVELOPE_it                       2537    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_add_input_boolean                    2538    EXIST::FUNCTION:
-ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:
+ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:ENGINE
 X509V3_EXT_nconf                        2540    EXIST::FUNCTION:
 ASN1_GENERALSTRING_free                 2541    EXIST::FUNCTION:
 d2i_OCSP_CERTSTATUS                     2542    EXIST::FUNCTION:
 X509_REVOKED_set_serialNumber           2543    EXIST::FUNCTION:
 X509_print_ex                           2544    EXIST::FUNCTION:BIO
 OCSP_ONEREQ_get1_ext_d2i                2545    EXIST::FUNCTION:
-ENGINE_register_all_RAND                2546    EXIST::FUNCTION:
-ENGINE_load_dynamic                     2547    EXIST::FUNCTION:
+ENGINE_register_all_RAND                2546    EXIST::FUNCTION:ENGINE
+ENGINE_load_dynamic                     2547    EXIST::FUNCTION:ENGINE
 PBKDF2PARAM_it                          2548    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PBKDF2PARAM_it                          2548    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 EXTENDED_KEY_USAGE_new                  2549    EXIST::FUNCTION:
@@ -1987,7 +1987,7 @@ X509_STORE_set_purpose                  2559	EXIST::FUNCTION:
 i2d_ASN1_GENERALSTRING                  2560    EXIST::FUNCTION:
 OCSP_response_status                    2561    EXIST::FUNCTION:
 i2d_OCSP_SERVICELOC                     2562    EXIST::FUNCTION:
-ENGINE_get_digest_engine                2563    EXIST::FUNCTION:
+ENGINE_get_digest_engine                2563    EXIST::FUNCTION:ENGINE
 EC_GROUP_set_curve_GFp                  2564    EXIST::FUNCTION:EC
 OCSP_REQUEST_get_ext_by_OBJ             2565    EXIST::FUNCTION:
 _ossl_old_des_random_key                2566    EXIST::FUNCTION:DES
@@ -2011,7 +2011,7 @@ _shadow_DES_rw_mode                     2581	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 _shadow_DES_rw_mode                     2581    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES
 asn1_do_adb                             2582    EXIST::FUNCTION:
 ASN1_template_i2d                       2583    EXIST::FUNCTION:
-ENGINE_register_DH                      2584    EXIST::FUNCTION:
+ENGINE_register_DH                      2584    EXIST::FUNCTION:ENGINE
 UI_construct_prompt                     2585    EXIST::FUNCTION:
 X509_STORE_set_trust                    2586    EXIST::FUNCTION:
 UI_dup_input_string                     2587    EXIST::FUNCTION:
@@ -2039,7 +2039,7 @@ OCSP_resp_find                          2605	EXIST::FUNCTION:
 BN_nnmod                                2606    EXIST::FUNCTION:
 X509_CRL_sort                           2607    EXIST::FUNCTION:
 X509_REVOKED_set_revocationDate         2608    EXIST::FUNCTION:
-ENGINE_register_RAND                    2609    EXIST::FUNCTION:
+ENGINE_register_RAND                    2609    EXIST::FUNCTION:ENGINE
 OCSP_SERVICELOC_new                     2610    EXIST::FUNCTION:
 EC_POINT_set_affine_coordinates_GFp     2611    EXIST:!VMS:FUNCTION:EC
 EC_POINT_set_affine_coords_GFp          2611    EXIST:VMS:FUNCTION:EC
@@ -2049,11 +2049,11 @@ SXNET_it                                2613	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_dup_input_boolean                    2614    EXIST::FUNCTION:
 PKCS12_add_CSPName_asc                  2615    EXIST::FUNCTION:
 EC_POINT_is_at_infinity                 2616    EXIST::FUNCTION:EC
-ENGINE_load_openbsd_dev_crypto          2617    EXIST::FUNCTION:
+ENGINE_load_cryptodev                   2617    EXIST::FUNCTION:ENGINE
 DSO_convert_filename                    2618    EXIST::FUNCTION:
 POLICYQUALINFO_it                       2619    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 POLICYQUALINFO_it                       2619    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_register_ciphers                 2620    EXIST::FUNCTION:
+ENGINE_register_ciphers                 2620    EXIST::FUNCTION:ENGINE
 BN_mod_lshift_quick                     2621    EXIST::FUNCTION:
 DSO_set_filename                        2622    EXIST::FUNCTION:
 ASN1_item_free                          2623    EXIST::FUNCTION:
@@ -2062,7 +2062,7 @@ AUTHORITY_KEYID_it                      2625	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 AUTHORITY_KEYID_it                      2625    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 KRB5_APREQBODY_new                      2626    EXIST::FUNCTION:
 X509V3_EXT_REQ_add_nconf                2627    EXIST::FUNCTION:
-ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:
+ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:ENGINE
 i2d_OCSP_RESPDATA                       2629    EXIST::FUNCTION:
 EVP_MD_CTX_init                         2630    EXIST::FUNCTION:
 EXTENDED_KEY_USAGE_free                 2631    EXIST::FUNCTION:
@@ -2071,8 +2071,8 @@ PKCS7_ATTR_SIGN_it                      2632	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_add_error_string                     2633    EXIST::FUNCTION:
 KRB5_CHECKSUM_free                      2634    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext                    2635    EXIST::FUNCTION:
-ENGINE_load_ubsec                       2636    EXIST::FUNCTION:
-ENGINE_register_all_digests             2637    EXIST::FUNCTION:
+ENGINE_load_ubsec                       2636    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_digests             2637    EXIST::FUNCTION:ENGINE
 PKEY_USAGE_PERIOD_it                    2638    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKEY_USAGE_PERIOD_it                    2638    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 PKCS12_unpack_authsafes                 2639    EXIST::FUNCTION:
@@ -2098,16 +2098,16 @@ OCSP_CERTSTATUS_free                    2653	EXIST::FUNCTION:
 _ossl_old_des_crypt                     2654    EXIST::FUNCTION:DES
 ASN1_item_i2d                           2655    EXIST::FUNCTION:
 EVP_DecryptFinal_ex                     2656    EXIST::FUNCTION:
-ENGINE_load_openssl                     2657    EXIST::FUNCTION:
-ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:
-ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:
-ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:
+ENGINE_load_openssl                     2657    EXIST::FUNCTION:ENGINE
+ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:ENGINE
+ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:ENGINE
 EVP_EncryptFinal_ex                     2660    EXIST::FUNCTION:
-ENGINE_set_default_digests              2661    EXIST::FUNCTION:
+ENGINE_set_default_digests              2661    EXIST::FUNCTION:ENGINE
 X509_get0_pubkey_bitstr                 2662    EXIST::FUNCTION:
 asn1_ex_i2c                             2663    EXIST::FUNCTION:
-ENGINE_register_RSA                     2664    EXIST::FUNCTION:
-ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:
+ENGINE_register_RSA                     2664    EXIST::FUNCTION:ENGINE
+ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:ENGINE
 _ossl_old_des_key_sched                 2666    EXIST::FUNCTION:DES
 X509_EXTENSION_it                       2667    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_EXTENSION_it                       2667    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2120,7 +2120,7 @@ PKCS12_certbag2x509                     2672	EXIST::FUNCTION:
 _ossl_old_des_ofb64_encrypt             2673    EXIST::FUNCTION:DES
 d2i_EXTENDED_KEY_USAGE                  2674    EXIST::FUNCTION:
 ERR_print_errors_cb                     2675    EXIST::FUNCTION:
-ENGINE_set_ciphers                      2676    EXIST::FUNCTION:
+ENGINE_set_ciphers                      2676    EXIST::FUNCTION:ENGINE
 d2i_KRB5_APREQBODY                      2677    EXIST::FUNCTION:
 UI_method_get_flusher                   2678    EXIST::FUNCTION:
 X509_PUBKEY_it                          2679    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2156,7 +2156,7 @@ NCONF_get_number_e                      2704	EXIST::FUNCTION:
 _ossl_old_des_decrypt3                  2705    EXIST::FUNCTION:DES
 X509_signature_print                    2706    EXIST::FUNCTION:EVP
 OCSP_SINGLERESP_free                    2707    EXIST::FUNCTION:
-ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:
+ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:ENGINE
 i2d_OCSP_ONEREQ                         2709    EXIST::FUNCTION:
 OCSP_REQUEST_add_ext                    2710    EXIST::FUNCTION:
 OCSP_RESPBYTES_new                      2711    EXIST::FUNCTION:
@@ -2184,7 +2184,7 @@ X509_CERT_AUX_it                        2727	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 CERTIFICATEPOLICIES_it                  2728    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 CERTIFICATEPOLICIES_it                  2728    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 _ossl_old_des_ede3_cbc_encrypt          2729    EXIST::FUNCTION:DES
-RAND_set_rand_engine                    2730    EXIST::FUNCTION:
+RAND_set_rand_engine                    2730    EXIST::FUNCTION:ENGINE
 DSO_get_loaded_filename                 2731    EXIST::FUNCTION:
 X509_ATTRIBUTE_it                       2732    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_ATTRIBUTE_it                       2732    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2206,7 +2206,7 @@ i2d_OCSP_BASICRESP                      2744	EXIST::FUNCTION:
 i2d_OCSP_RESPBYTES                      2745    EXIST::FUNCTION:
 PKCS12_unpack_p7encdata                 2746    EXIST::FUNCTION:
 HMAC_CTX_init                           2747    EXIST::FUNCTION:HMAC
-ENGINE_get_digest                       2748    EXIST::FUNCTION:
+ENGINE_get_digest                       2748    EXIST::FUNCTION:ENGINE
 OCSP_RESPONSE_print                     2749    EXIST::FUNCTION:
 KRB5_TKTBODY_it                         2750    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_TKTBODY_it                         2750    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2219,16 +2219,16 @@ PBE2PARAM_it                            2753	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 PKCS12_certbag2x509crl                  2754    EXIST::FUNCTION:
 PKCS7_SIGNED_it                         2755    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_SIGNED_it                         2755    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_cipher                       2756    EXIST::FUNCTION:
+ENGINE_get_cipher                       2756    EXIST::FUNCTION:ENGINE
 i2d_OCSP_CRLID                          2757    EXIST::FUNCTION:
 OCSP_SINGLERESP_new                     2758    EXIST::FUNCTION:
-ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:
+ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:ENGINE
 RSA_up_ref                              2760    EXIST::FUNCTION:RSA
 ASN1_GENERALSTRING_it                   2761    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_GENERALSTRING_it                   2761    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_register_DSA                     2762    EXIST::FUNCTION:
+ENGINE_register_DSA                     2762    EXIST::FUNCTION:ENGINE
 X509V3_EXT_add_nconf_sk                 2763    EXIST::FUNCTION:
-ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:
+ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:ENGINE
 PKCS8_decrypt                           2765    EXIST::FUNCTION:
 PEM_bytes_read_bio                      2766    EXIST::FUNCTION:BIO
 DIRECTORYSTRING_it                      2767    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2265,7 +2265,7 @@ UI_method_set_flusher                   2789	EXIST::FUNCTION:
 X509_ocspid_print                       2790    EXIST::FUNCTION:BIO
 KRB5_ENCDATA_it                         2791    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_ENCDATA_it                         2791    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:
+ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:ENGINE
 UI_add_user_data                        2793    EXIST::FUNCTION:
 OCSP_REQUEST_delete_ext                 2794    EXIST::FUNCTION:
 UI_get_method                           2795    EXIST::FUNCTION:
@@ -2289,16 +2289,16 @@ ASN1_FBOOLEAN_it                        2806	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_FBOOLEAN_it                        2806    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_set_ex_data                          2807    EXIST::FUNCTION:
 _ossl_old_des_string_to_key             2808    EXIST::FUNCTION:DES
-ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:
+ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:ENGINE
 d2i_KRB5_PRINCNAME                      2810    EXIST::FUNCTION:
 OCSP_RESPBYTES_it                       2811    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPBYTES_it                       2811    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 X509_CINF_it                            2812    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_CINF_it                            2812    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_unregister_digests               2813    EXIST::FUNCTION:
+ENGINE_unregister_digests               2813    EXIST::FUNCTION:ENGINE
 d2i_EDIPARTYNAME                        2814    EXIST::FUNCTION:
 d2i_OCSP_SERVICELOC                     2815    EXIST::FUNCTION:
-ENGINE_get_digests                      2816    EXIST::FUNCTION:
+ENGINE_get_digests                      2816    EXIST::FUNCTION:ENGINE
 _ossl_old_des_set_odd_parity            2817    EXIST::FUNCTION:DES
 OCSP_RESPDATA_free                      2818    EXIST::FUNCTION:
 d2i_KRB5_TICKET                         2819    EXIST::FUNCTION:
@@ -2309,7 +2309,7 @@ d2i_ASN1_GENERALSTRING                  2822	EXIST::FUNCTION:
 X509_CRL_set_version                    2823    EXIST::FUNCTION:
 BN_mod_sub                              2824    EXIST::FUNCTION:
 OCSP_SINGLERESP_get_ext_by_NID          2825    EXIST::FUNCTION:
-ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:
+ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:ENGINE
 OCSP_REQUEST_free                       2827    EXIST::FUNCTION:
 OCSP_REQUEST_add1_ext_i2d               2828    EXIST::FUNCTION:
 X509_VAL_it                             2829    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2343,7 +2343,7 @@ EC_POINT_method_of                      2852	EXIST::FUNCTION:EC
 i2d_KRB5_APREQBODY                      2853    EXIST::FUNCTION:
 _ossl_old_des_ecb3_encrypt              2854    EXIST::FUNCTION:DES
 CRYPTO_get_mem_ex_functions             2855    EXIST::FUNCTION:
-ENGINE_get_ex_data                      2856    EXIST::FUNCTION:
+ENGINE_get_ex_data                      2856    EXIST::FUNCTION:ENGINE
 UI_destroy_method                       2857    EXIST::FUNCTION:
 ASN1_item_i2d_bio                       2858    EXIST::FUNCTION:BIO
 OCSP_ONEREQ_get_ext_by_OBJ              2859    EXIST::FUNCTION:
@@ -2367,7 +2367,7 @@ PKCS12_SAFEBAGS_it                      2872	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PKCS12_SAFEBAGS_it                      2872    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_SIGNATURE                      2873    EXIST::FUNCTION:
 OCSP_request_add1_nonce                 2874    EXIST::FUNCTION:
-ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:
+ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:ENGINE
 OCSP_SERVICELOC_free                    2876    EXIST::FUNCTION:
 EC_GROUP_free                           2877    EXIST::FUNCTION:EC
 ASN1_BIT_STRING_it                      2878    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2384,7 +2384,7 @@ EC_GROUP_new_curve_GFp                  2885	EXIST::FUNCTION:EC
 OCSP_REQUEST_get1_ext_d2i               2886    EXIST::FUNCTION:
 PKCS12_item_pack_safebag                2887    EXIST::FUNCTION:
 asn1_ex_c2i                             2888    EXIST::FUNCTION:
-ENGINE_register_digests                 2889    EXIST::FUNCTION:
+ENGINE_register_digests                 2889    EXIST::FUNCTION:ENGINE
 i2d_OCSP_REVOKEDINFO                    2890    EXIST::FUNCTION:
 asn1_enc_restore                        2891    EXIST::FUNCTION:
 UI_free                                 2892    EXIST::FUNCTION:
@@ -2395,7 +2395,7 @@ EC_POINT_invert                         2896	EXIST::FUNCTION:EC
 OCSP_basic_sign                         2897    EXIST::FUNCTION:
 i2d_OCSP_RESPID                         2898    EXIST::FUNCTION:
 OCSP_check_nonce                        2899    EXIST::FUNCTION:
-ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:
+ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:ENGINE
 d2i_KRB5_ENCKEY                         2901    EXIST::FUNCTION:
 OCSP_parse_url                          2902    EXIST::FUNCTION:
 OCSP_SINGLERESP_get_ext                 2903    EXIST::FUNCTION:
@@ -2403,12 +2403,12 @@ OCSP_CRLID_free                         2904	EXIST::FUNCTION:
 OCSP_BASICRESP_get1_ext_d2i             2905    EXIST::FUNCTION:
 RSAPrivateKey_it                        2906    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
 RSAPrivateKey_it                        2906    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
-ENGINE_register_all_DH                  2907    EXIST::FUNCTION:
+ENGINE_register_all_DH                  2907    EXIST::FUNCTION:ENGINE
 i2d_EDIPARTYNAME                        2908    EXIST::FUNCTION:
 EC_POINT_get_affine_coordinates_GFp     2909    EXIST:!VMS:FUNCTION:EC
 EC_POINT_get_affine_coords_GFp          2909    EXIST:VMS:FUNCTION:EC
 OCSP_CRLID_new                          2910    EXIST::FUNCTION:
-ENGINE_get_flags                        2911    EXIST::FUNCTION:
+ENGINE_get_flags                        2911    EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_it                          2912    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_ONEREQ_it                          2912    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_process                              2913    EXIST::FUNCTION:
@@ -2416,8 +2416,8 @@ ASN1_INTEGER_it                         2914	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_INTEGER_it                         2914    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 EVP_CipherInit_ex                       2915    EXIST::FUNCTION:
 UI_get_string_type                      2916    EXIST::FUNCTION:
-ENGINE_unregister_DH                    2917    EXIST::FUNCTION:
-ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:
+ENGINE_unregister_DH                    2917    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_get_ext_by_critical         2919    EXIST::FUNCTION:
 bn_dup_expand                           2920    EXIST::FUNCTION:
 OCSP_cert_id_new                        2921    EXIST::FUNCTION:
@@ -2438,11 +2438,11 @@ BN_mod_sub_quick                        2933	EXIST::FUNCTION:
 OCSP_ONEREQ_add_ext                     2934    EXIST::FUNCTION:
 OCSP_request_sign                       2935    EXIST::FUNCTION:
 EVP_DigestFinal_ex                      2936    EXIST::FUNCTION:
-ENGINE_set_digests                      2937    EXIST::FUNCTION:
+ENGINE_set_digests                      2937    EXIST::FUNCTION:ENGINE
 OCSP_id_issuer_cmp                      2938    EXIST::FUNCTION:
 OBJ_NAME_do_all                         2939    EXIST::FUNCTION:
 EC_POINTs_mul                           2940    EXIST::FUNCTION:EC
-ENGINE_register_complete                2941    EXIST::FUNCTION:
+ENGINE_register_complete                2941    EXIST::FUNCTION:ENGINE
 X509V3_EXT_nconf_nid                    2942    EXIST::FUNCTION:
 ASN1_SEQUENCE_it                        2943    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_SEQUENCE_it                        2943    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2451,7 +2451,7 @@ RAND_query_egd_bytes                    2945	EXIST::FUNCTION:
 UI_method_get_writer                    2946    EXIST::FUNCTION:
 UI_OpenSSL                              2947    EXIST::FUNCTION:
 PEM_def_callback                        2948    EXIST::FUNCTION:
-ENGINE_cleanup                          2949    EXIST::FUNCTION:
+ENGINE_cleanup                          2949    EXIST::FUNCTION:ENGINE
 DIST_POINT_it                           2950    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 DIST_POINT_it                           2950    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_SINGLERESP_it                      2951    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2475,7 +2475,7 @@ OCSP_RESPID_new                         2967	EXIST::FUNCTION:
 OCSP_RESPDATA_it                        2968    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPDATA_it                        2968    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_RESPDATA                       2969    EXIST::FUNCTION:
-ENGINE_register_all_complete            2970    EXIST::FUNCTION:
+ENGINE_register_all_complete            2970    EXIST::FUNCTION:ENGINE
 OCSP_check_validity                     2971    EXIST::FUNCTION:
 PKCS12_BAGS_it                          2972    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_BAGS_it                          2972    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2487,7 +2487,7 @@ KRB5_AUTHENTBODY_it                     2976	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 X509_supported_extension                2977    EXIST::FUNCTION:
 i2d_KRB5_AUTHDATA                       2978    EXIST::FUNCTION:
 UI_method_get_opener                    2979    EXIST::FUNCTION:
-ENGINE_set_ex_data                      2980    EXIST::FUNCTION:
+ENGINE_set_ex_data                      2980    EXIST::FUNCTION:ENGINE
 OCSP_REQUEST_print                      2981    EXIST::FUNCTION:
 CBIGNUM_it                              2982    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 CBIGNUM_it                              2982    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2501,7 +2501,7 @@ OCSP_single_get0_status                 2989	EXIST::FUNCTION:
 BN_swap                                 2990    EXIST::FUNCTION:
 POLICYINFO_it                           2991    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 POLICYINFO_it                           2991    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_set_destroy_function             2992    EXIST::FUNCTION:
+ENGINE_set_destroy_function             2992    EXIST::FUNCTION:ENGINE
 asn1_enc_free                           2993    EXIST::FUNCTION:
 OCSP_RESPID_it                          2994    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPID_it                          2994    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2523,8 +2523,8 @@ EDIPARTYNAME_it                         3005	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 NETSCAPE_SPKI_it                        3006    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 NETSCAPE_SPKI_it                        3006    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_get0_test_string                     3007    EXIST::FUNCTION:
-ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:
-ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:
+ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:ENGINE
 EC_POINT_copy                           3010    EXIST::FUNCTION:EC
 BN_kronecker                            3011    EXIST::FUNCTION:
 _ossl_old_des_ede3_ofb64_encrypt        3012    EXIST:!VMS:FUNCTION:DES
@@ -2545,9 +2545,9 @@ OCSP_RESPONSE_new                       3023	EXIST::FUNCTION:
 AES_set_encrypt_key                     3024    EXIST::FUNCTION:AES
 OCSP_resp_count                         3025    EXIST::FUNCTION:
 KRB5_CHECKSUM_new                       3026    EXIST::FUNCTION:
-ENGINE_load_cswift                      3027    EXIST::FUNCTION:
+ENGINE_load_cswift                      3027    EXIST::FUNCTION:ENGINE
 OCSP_onereq_get0_id                     3028    EXIST::FUNCTION:
-ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:
+ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:ENGINE
 NOTICEREF_it                            3030    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 NOTICEREF_it                            3030    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 X509V3_EXT_CRL_add_nconf                3031    EXIST::FUNCTION:
@@ -2565,7 +2565,7 @@ AES_decrypt                             3040	EXIST::FUNCTION:AES
 asn1_enc_init                           3041    EXIST::FUNCTION:
 UI_get_result_maxsize                   3042    EXIST::FUNCTION:
 OCSP_CERTID_new                         3043    EXIST::FUNCTION:
-ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:
+ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:ENGINE
 UI_method_get_closer                    3045    EXIST::FUNCTION:
 d2i_KRB5_ENCDATA                        3046    EXIST::FUNCTION:
 OCSP_request_onereq_count               3047    EXIST::FUNCTION:
@@ -2576,7 +2576,7 @@ ASN1_primitive_free                     3051	EXIST::FUNCTION:
 i2d_EXTENDED_KEY_USAGE                  3052    EXIST::FUNCTION:
 i2d_OCSP_SIGNATURE                      3053    EXIST::FUNCTION:
 asn1_enc_save                           3054    EXIST::FUNCTION:
-ENGINE_load_nuron                       3055    EXIST::FUNCTION:
+ENGINE_load_nuron                       3055    EXIST::FUNCTION:ENGINE
 _ossl_old_des_pcbc_encrypt              3056    EXIST::FUNCTION:DES
 PKCS12_MAC_DATA_it                      3057    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_MAC_DATA_it                      3057    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2598,15 +2598,15 @@ ASN1_item_d2i_bio                       3069	EXIST::FUNCTION:BIO
 EC_POINT_dbl                            3070    EXIST::FUNCTION:EC
 asn1_get_choice_selector                3071    EXIST::FUNCTION:
 i2d_KRB5_CHECKSUM                       3072    EXIST::FUNCTION:
-ENGINE_set_table_flags                  3073    EXIST::FUNCTION:
+ENGINE_set_table_flags                  3073    EXIST::FUNCTION:ENGINE
 AES_options                             3074    EXIST::FUNCTION:AES
-ENGINE_load_chil                        3075    EXIST::FUNCTION:
+ENGINE_load_chil                        3075    EXIST::FUNCTION:ENGINE
 OCSP_id_cmp                             3076    EXIST::FUNCTION:
 OCSP_BASICRESP_new                      3077    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_by_NID             3078    EXIST::FUNCTION:
 KRB5_APREQ_it                           3079    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_APREQ_it                           3079    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_destroy_function             3080    EXIST::FUNCTION:
+ENGINE_get_destroy_function             3080    EXIST::FUNCTION:ENGINE
 CONF_set_nconf                          3081    EXIST::FUNCTION:
 ASN1_PRINTABLE_free                     3082    EXIST::FUNCTION:
 OCSP_BASICRESP_get_ext_by_NID           3083    EXIST::FUNCTION:
@@ -2667,7 +2667,7 @@ OCSP_CRLID_it                           3127	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 OCSP_CRLID_it                           3127    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 i2d_KRB5_AUTHENTBODY                    3128    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_count              3129    EXIST::FUNCTION:
-ENGINE_load_atalla                      3130    EXIST::FUNCTION:
+ENGINE_load_atalla                      3130    EXIST::FUNCTION:ENGINE
 X509_NAME_it                            3131    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_NAME_it                            3131    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 USERNOTICE_it                           3132    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2685,7 +2685,7 @@ UI_method_set_opener                    3140	EXIST::FUNCTION:
 ASN1_item_ex_free                       3141    EXIST::FUNCTION:
 ASN1_BOOLEAN_it                         3142    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_BOOLEAN_it                         3142    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_table_flags                  3143    EXIST::FUNCTION:
+ENGINE_get_table_flags                  3143    EXIST::FUNCTION:ENGINE
 UI_create_method                        3144    EXIST::FUNCTION:
 OCSP_ONEREQ_add1_ext_i2d                3145    EXIST::FUNCTION:
 _shadow_DES_check_key                   3146    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES
@@ -2709,7 +2709,7 @@ PKCS7_it                                3160	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PKCS7_it                                3160    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_REQUEST_get_ext_by_critical        3161    EXIST:!VMS:FUNCTION:
 OCSP_REQUEST_get_ext_by_crit            3161    EXIST:VMS:FUNCTION:
-ENGINE_set_flags                        3162    EXIST::FUNCTION:
+ENGINE_set_flags                        3162    EXIST::FUNCTION:ENGINE
 _ossl_old_des_ecb_encrypt               3163    EXIST::FUNCTION:DES
 OCSP_response_get1_basic                3164    EXIST::FUNCTION:
 EVP_Digest                              3165    EXIST::FUNCTION:
@@ -2721,8 +2721,8 @@ ASN1_TIME_to_generalizedtime            3169	EXIST::FUNCTION:
 BIGNUM_it                               3170    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 BIGNUM_it                               3170    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 AES_cbc_encrypt                         3171    EXIST::FUNCTION:AES
-ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:
-ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:
+ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:ENGINE
 OCSP_RESPONSE_free                      3173    EXIST::FUNCTION:
 UI_method_set_reader                    3174    EXIST::FUNCTION:
 i2d_ASN1_T61STRING                      3175    EXIST::FUNCTION:
@@ -2736,7 +2736,7 @@ OCSP_crlID_new                          3181	EXIST:!OS2,!VMS,!WIN16:FUNCTION:
 OCSP_crlID2_new                         3181    EXIST:OS2,VMS,WIN16:FUNCTION:
 CONF_modules_load_file                  3182    EXIST::FUNCTION:
 CONF_imodule_set_usr_data               3183    EXIST::FUNCTION:
-ENGINE_set_default_string               3184    EXIST::FUNCTION:
+ENGINE_set_default_string               3184    EXIST::FUNCTION:ENGINE
 CONF_module_get_usr_data                3185    EXIST::FUNCTION:
 ASN1_add_oid_module                     3186    EXIST::FUNCTION:
 CONF_modules_finish                     3187    EXIST::FUNCTION:
@@ -2754,7 +2754,7 @@ CONF_imodule_get_name                   3198	EXIST::FUNCTION:
 ERR_peek_top_error                      3199    NOEXIST::FUNCTION:
 CONF_imodule_get_usr_data               3200    EXIST::FUNCTION:
 CONF_imodule_set_flags                  3201    EXIST::FUNCTION:
-ENGINE_add_conf_module                  3202    EXIST::FUNCTION:
+ENGINE_add_conf_module                  3202    EXIST::FUNCTION:ENGINE
 ERR_peek_last_error_line                3203    EXIST::FUNCTION:
 ERR_peek_last_error_line_data           3204    EXIST::FUNCTION:
 ERR_peek_last_error                     3205    EXIST::FUNCTION:
@@ -2762,8 +2762,8 @@ DES_read_2passwords                     3206	EXIST::FUNCTION:DES
 DES_read_password                       3207    EXIST::FUNCTION:DES
 UI_UTIL_read_pw                         3208    EXIST::FUNCTION:
 UI_UTIL_read_pw_string                  3209    EXIST::FUNCTION:
-ENGINE_load_aep                         3210    EXIST::FUNCTION:
-ENGINE_load_sureware                    3211    EXIST::FUNCTION:
+ENGINE_load_aep                         3210    EXIST::FUNCTION:ENGINE
+ENGINE_load_sureware                    3211    EXIST::FUNCTION:ENGINE
 OPENSSL_add_all_algorithms_noconf       3212    EXIST:!VMS:FUNCTION:
 OPENSSL_add_all_algo_noconf             3212    EXIST:VMS:FUNCTION:
 OPENSSL_add_all_algorithms_conf         3213    EXIST:!VMS:FUNCTION:
@@ -2772,7 +2772,7 @@ OPENSSL_load_builtin_modules            3214	EXIST::FUNCTION:
 AES_ofb128_encrypt                      3215    EXIST::FUNCTION:AES
 AES_ctr128_encrypt                      3216    EXIST::FUNCTION:AES
 AES_cfb128_encrypt                      3217    EXIST::FUNCTION:AES
-ENGINE_load_4758cca                     3218    EXIST::FUNCTION:
+ENGINE_load_4758cca                     3218    EXIST::FUNCTION:ENGINE
 _ossl_096_des_random_seed               3219    EXIST::FUNCTION:DES
 EVP_aes_256_ofb                         3220    EXIST::FUNCTION:AES
 EVP_aes_192_ofb                         3221    EXIST::FUNCTION:AES
@@ -2793,3 +2793,11 @@ ASN1_UNIVERSALSTRING_it                 3234	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 d2i_ASN1_UNIVERSALSTRING                3235    EXIST::FUNCTION:
 EVP_des_ede3_ecb                        3236    EXIST::FUNCTION:DES
 X509_REQ_print_ex                       3237    EXIST::FUNCTION:BIO
+ENGINE_up_ref                           3238    EXIST::FUNCTION:ENGINE
+BUF_MEM_grow_clean                      3239    EXIST::FUNCTION:
+CRYPTO_realloc_clean                    3240    EXIST::FUNCTION:
+BUF_strlcat                             3241    EXIST::FUNCTION:
+BIO_indent                              3242    EXIST::FUNCTION:
+BUF_strlcpy                             3243    EXIST::FUNCTION:
+OpenSSLDie                              3244    EXIST::FUNCTION:
+OPENSSL_cleanse                         3245    EXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index c9271bbffe..c538f9dffb 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -24,6 +24,7 @@ $infile="MINFO";
 
 %ops=(
         "VC-WIN32",   "Microsoft Visual C++ [4-6] - Windows NT or 9X",
+        "VC-CE",   "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY",
         "VC-NT",   "Microsoft Visual C++ [4-6] - Windows NT ONLY",
         "VC-W31-16",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 286",
         "VC-WIN16",   "Alias for VC-W31-32",
@@ -63,6 +64,8 @@ and [options] can be one of
         no-asm                                  - No x86 asm
         no-krb5                                 - No KRB5
         no-ec                                   - No EC
+        no-engine                               - No engine
+        no-hw                                   - No hw
         nasm                                    - Use NASM for x86 asm
         gaswin                                  - Use GNU as with Mingw32
         no-socks                                - No socket code
@@ -137,6 +140,10 @@ elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT"))
         $NT = 1 if $platform eq "VC-NT";
         require 'VC-32.pl';
         }
+elsif ($platform eq "VC-CE")
+        {
+        require 'VC-CE.pl';
+        }
 elsif ($platform eq "Mingw32")
         {
         require 'Mingw32.pl';
@@ -213,7 +220,7 @@ $cflags.=" -DOPENSSL_NO_MD4"  if $no_md4;
 $cflags.=" -DOPENSSL_NO_MD5"  if $no_md5;
 $cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
 $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
-$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_rmd160;
+$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
 $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
 $cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
 $cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
@@ -227,6 +234,8 @@ $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
+$cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
+$cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 
 ## if ($unix)
@@ -266,6 +275,17 @@ $defs= <<"EOF";
 # The one monster makefile better suits building in non-unix
 # environments.
 
+EOF
+
+if ($platform eq "VC-CE")
+        {
+        $defs.= <<"EOF";
+!INCLUDE <\$(WCECOMPAT)/wcedefs.mak>
+
+EOF
+        }
+
+$defs.= <<"EOF";
 INSTALLTOP=$INSTALLTOP
 
 # Set your compiler options
@@ -632,6 +652,8 @@ sub var_add
         local($dir,$val)=@_;
         local(@a,$_,$ret);
 
+        return("") if $no_engine && $dir =~ /\/engine/;
+        return("") if $no_hw   && $dir =~ /\/hw/;
         return("") if $no_idea && $dir =~ /\/idea/;
         return("") if $no_aes  && $dir =~ /\/aes/;
         return("") if $no_rc2  && $dir =~ /\/rc2/;
@@ -641,6 +663,7 @@ sub var_add
         return("") if $no_rsa  && $dir =~ /^rsaref/;
         return("") if $no_dsa  && $dir =~ /\/dsa/;
         return("") if $no_dh   && $dir =~ /\/dh/;
+        return("") if $no_ec   && $dir =~ /\/ec/;
         if ($no_des && $dir =~ /\/des/)
                 {
                 if ($val =~ /read_pwd/)
@@ -675,7 +698,7 @@ sub var_add
         @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
         @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4;
         @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
-        @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160;
+        @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd;
 
         @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
         @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
@@ -692,6 +715,8 @@ sub var_add
         @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
         @a=grep(!/_mdc2$/,@a) if $no_mdc2;
 
+        @a=grep(!/^engine$/,@a) if $no_engine;
+        @a=grep(!/^hw$/,@a) if $no_hw;
         @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa;
         @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa;
         @a=grep(!/^gendsa$/,@a) if $no_sha1;
@@ -885,10 +910,12 @@ sub read_options
         elsif (/^no-sock$/)     { $no_sock=1; }
         elsif (/^no-krb5$/)     { $no_krb5=1; }
         elsif (/^no-ec$/)       { $no_ec=1; }
+        elsif (/^no-engine$/)   { $no_engine=1; }
+        elsif (/^no-hw$/)       { $no_hw=1; }
 
         elsif (/^just-ssl$/)    { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
                                   $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
-                                  $no_ssl2=$no_err=$no_rmd160=$no_rc5=1;
+                                  $no_ssl2=$no_err=$no_ripemd=$no_rc5=1;
                                   $no_aes=1; }
 
         elsif (/^rsaref$/)      { }
diff --git a/src/lib/libcrypto/util/mkcerts.sh b/src/lib/libcrypto/util/mkcerts.sh
index 5f8a1dae73..0184fcb70e 100644
--- a/src/lib/libcrypto/util/mkcerts.sh
+++ b/src/lib/libcrypto/util/mkcerts.sh
@@ -1,4 +1,4 @@
-#!bin/sh
+#!/bin/sh
 
 # This script will re-make all the required certs.
 # cd apps
@@ -12,8 +12,8 @@
 #
  
 CAbits=1024
-SSLEAY="../apps/ssleay"
-CONF="-config ../apps/ssleay.cnf"
+SSLEAY="../apps/openssl"
+CONF="-config ../apps/openssl.cnf"
 
 # create pca request.
 echo creating $CAbits bit PCA cert request
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index adfd447dd3..cdd2164c4e 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -91,7 +91,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR",
                          "LOCKING",
                          # External "algorithms"
-                         "FP_API", "STDIO", "SOCK", "KRB5" );
+                         "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
 
 my $options="";
 open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
@@ -107,7 +107,7 @@ my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
 my $no_cast;
 my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
-my $no_ec;
+my $no_ec; my $no_engine; my $no_hw;
 my $no_fp_api;
 
 foreach (@ARGV, split(/ /, $options))
@@ -176,6 +176,8 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-comp$/)     { $no_comp=1; }
         elsif (/^no-dso$/)      { $no_dso=1; }
         elsif (/^no-krb5$/)     { $no_krb5=1; }
+        elsif (/^no-engine$/)   { $no_engine=1; }
+        elsif (/^no-hw$/)       { $no_hw=1; }
         }
 
 
@@ -235,7 +237,7 @@ $crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
 $crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
 $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
 
-$crypto.=" crypto/engine/engine.h";
+$crypto.=" crypto/engine/engine.h"; # unless $no_engine;
 $crypto.=" crypto/stack/stack.h" ; # unless $no_stack;
 $crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer;
 $crypto.=" crypto/bio/bio.h" ; # unless $no_bio;
@@ -438,7 +440,12 @@ sub do_defs
                         }
 
                         s/\/\*.*?\*\///gs;                   # ignore comments
+                        if (/\/\*/) {                        # if we have part
+                                $line = $_;                  # of a comment,
+                                next;                        # continue reading
+                        }
                         s/{[^{}]*}//gs;                      # ignore {} blocks
+                        print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
                         print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
                         if (/^\#\s*ifndef\s+(.*)/) {
                                 push(@tag,"-");
@@ -812,14 +819,14 @@ sub do_defs
                         } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
                                 $s = $1;
                                 print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
-                        } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) {
+                        } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) {
                                 # K&R C
                                 print STDERR "DEBUG: found K&R C function $s\n" if $debug;
                                 next;
-                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) {
-                                while (not /\(\)$/s) {
-                                        s/[^\(\)]*\)$/\)/s;
-                                        s/\([^\(\)]*\)\)$/\)/s;
+                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                                while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                                        s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+                                        s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
                                 }
                                 s/\(void\)//;
                                 /(\w+(\{[0-9]+\})?)\W*\(\)/s;
@@ -1052,6 +1059,8 @@ sub is_valid
                         if ($keyword eq "COMP" && $no_comp) { return 0; }
                         if ($keyword eq "DSO" && $no_dso) { return 0; }
                         if ($keyword eq "KRB5" && $no_krb5) { return 0; }
+                        if ($keyword eq "ENGINE" && $no_engine) { return 0; }
+                        if ($keyword eq "HW" && $no_hw) { return 0; }
                         if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl
index bd7a9d9301..e83b336190 100644
--- a/src/lib/libcrypto/util/pl/BC-32.pl
+++ b/src/lib/libcrypto/util/pl/BC-32.pl
@@ -51,9 +51,9 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw';
+$asm='nasmw -f obj';
 $asm.=" /Zi" if $debug;
-$afile='-f obj -o';
+$afile='-o';
 
 $bn_mulw_obj='';
 $bn_mulw_src='';
diff --git a/src/lib/libcrypto/util/pl/Mingw32.pl b/src/lib/libcrypto/util/pl/Mingw32.pl
index 45ab685974..043a3a53ee 100644
--- a/src/lib/libcrypto/util/pl/Mingw32.pl
+++ b/src/lib/libcrypto/util/pl/Mingw32.pl
@@ -1,17 +1,17 @@
 #!/usr/local/bin/perl
 #
-# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) 
+# Mingw32.pl -- Mingw
 #
 
 $o='/';
 $cp='cp';
-$rm='rem'; # use 'rm -f' if using GNU file utilities
+$rm='rm -f';
 $mkdir='gmkdir';
 
-# gcc wouldn't accept backslashes in paths
-#$o='\\';
-#$cp='copy';
-#$rm='del';
+$o='\\';
+$cp='copy';
+$rm='del';
+$mkdir='mkdir';
 
 # C compiler stuff
 
@@ -19,29 +19,29 @@ $cc='gcc';
 if ($debug)
         { $cflags="-DL_ENDIAN -DDSO_WIN32 -g2 -ggdb"; }
 else
-        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall"; }
+        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
 
 if ($gaswin and !$no_asm)
         {
-        $bn_asm_obj='$(OBJ_D)/bn-win32.o';
+        $bn_asm_obj='$(OBJ_D)\bn-win32.o';
         $bn_asm_src='crypto/bn/asm/bn-win32.s';
-        $bnco_asm_obj='$(OBJ_D)/co-win32.o';
+        $bnco_asm_obj='$(OBJ_D)\co-win32.o';
         $bnco_asm_src='crypto/bn/asm/co-win32.s';
-        $des_enc_obj='$(OBJ_D)/d-win32.o $(OBJ_D)/y-win32.o';
+        $des_enc_obj='$(OBJ_D)\d-win32.o $(OBJ_D)\y-win32.o';
         $des_enc_src='crypto/des/asm/d-win32.s crypto/des/asm/y-win32.s';
-        $bf_enc_obj='$(OBJ_D)/b-win32.o';
+        $bf_enc_obj='$(OBJ_D)\b-win32.o';
         $bf_enc_src='crypto/bf/asm/b-win32.s';
-#       $cast_enc_obj='$(OBJ_D)/c-win32.o';
+#       $cast_enc_obj='$(OBJ_D)\c-win32.o';
 #       $cast_enc_src='crypto/cast/asm/c-win32.s';
-        $rc4_enc_obj='$(OBJ_D)/r4-win32.o';
+        $rc4_enc_obj='$(OBJ_D)\r4-win32.o';
         $rc4_enc_src='crypto/rc4/asm/r4-win32.s';
-        $rc5_enc_obj='$(OBJ_D)/r5-win32.o';
+        $rc5_enc_obj='$(OBJ_D)\r5-win32.o';
         $rc5_enc_src='crypto/rc5/asm/r5-win32.s';
-        $md5_asm_obj='$(OBJ_D)/m5-win32.o';
+        $md5_asm_obj='$(OBJ_D)\m5-win32.o';
         $md5_asm_src='crypto/md5/asm/m5-win32.s';
-        $rmd160_asm_obj='$(OBJ_D)/rm-win32.o';
+        $rmd160_asm_obj='$(OBJ_D)\rm-win32.o';
         $rmd160_asm_src='crypto/ripemd/asm/rm-win32.s';
-        $sha1_asm_obj='$(OBJ_D)/s1-win32.o';
+        $sha1_asm_obj='$(OBJ_D)\s1-win32.o';
         $sha1_asm_src='crypto/sha/asm/s1-win32.s';
         $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
         }
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index d6e3a11530..285990c589 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -91,7 +91,7 @@ if ($shlib)
         {
         $mlflags.=" $lflags /dll";
 #       $cflags =~ s| /MD| /MT|;
-        $lib_cflag=" -D_WINDLL -D_DLL";
+        $lib_cflag=" -D_WINDLL";
         $out_def="out32dll";
         $tmp_def="tmp32dll";
         }
diff --git a/src/lib/libcrypto/util/pl/VC-CE.pl b/src/lib/libcrypto/util/pl/VC-CE.pl
new file mode 100644
index 0000000000..1805ef9d97
--- /dev/null
+++ b/src/lib/libcrypto/util/pl/VC-CE.pl
@@ -0,0 +1,111 @@
+#!/usr/local/bin/perl
+# VC-CE.pl - the file for eMbedded Visual C++ 3.0 for windows CE, static libraries
+#
+
+$ssl=   "ssleay32";
+$crypto="libeay32";
+$RSAref="RSAref32";
+
+$o='\\';
+$cp='copy nul+';        # Timestamps get stuffed otherwise
+$rm='del';
+
+# C compiler stuff
+$cc='$(CC)';
+$cflags=' /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo $(WCETARGETDEFS) -DUNICODE -D_UNICODE -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -I$(WCECOMPAT)/include';
+$lflags='/nologo /subsystem:windowsce,$(WCELDVERSION) /machine:$(WCELDMACHINE) /opt:ref';
+$mlflags='';
+
+$out_def='out32_$(TARGETCPU)';
+$tmp_def='tmp32_$(TARGETCPU)';
+$inc_def="inc32";
+
+if ($debug)
+        {
+        $cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32";
+        $lflags.=" /debug";
+        $mlflags.=' /debug';
+        }
+
+$obj='.obj';
+$ofile="/Fo";
+
+# EXE linking stuff
+$link="link";
+$efile="/out:";
+$exep='.exe';
+if ($no_sock)
+        { $ex_libs=""; }
+else    { $ex_libs='winsock.lib $(WCECOMPAT)/lib/wcecompatex.lib $(WCELDFLAGS)'; }
+
+# static library stuff
+$mklib='lib';
+$ranlib='';
+$plib="";
+$libp=".lib";
+$shlibp=($shlib)?".dll":".lib";
+$lfile='/out:';
+
+$shlib_ex_obj="";
+#$app_ex_obj="setargv.obj";
+$app_ex_obj="";
+
+$bn_asm_obj='';
+$bn_asm_src='';
+$des_enc_obj='';
+$des_enc_src='';
+$bf_enc_obj='';
+$bf_enc_src='';
+
+if ($shlib)
+        {
+        $mlflags.=" $lflags /dll";
+#       $cflags =~ s| /MD| /MT|;
+        $lib_cflag=" -D_WINDLL -D_DLL";
+        $out_def='out32dll_$(TARGETCPU)';
+        $tmp_def='tmp32dll_$(TARGETCPU)';
+        }
+
+$cflags.=" /Fd$out_def";
+
+sub do_lib_rule
+        {
+        local($objs,$target,$name,$shlib)=@_;
+        local($ret,$Name);
+
+        $taget =~ s/\//$o/g if $o ne '/';
+        ($Name=$name) =~ tr/a-z/A-Z/;
+
+#       $target="\$(LIB_D)$o$target";
+        $ret.="$target: $objs\n";
+        if (!$shlib)
+                {
+#               $ret.="\t\$(RM) \$(O_$Name)\n";
+                $ex =' ';
+                $ret.="\t\$(MKLIB) $lfile$target @<<\n  $objs $ex\n<<\n";
+                }
+        else
+                {
+                local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
+#               $ex.=' winsock.lib coredll.lib $(WCECOMPAT)/lib/wcecompatex.lib';
+                $ex.=' winsock.lib $(WCECOMPAT)/lib/wcecompatex.lib';
+                $ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+                }
+        $ret.="\n";
+        return($ret);
+        }
+
+sub do_link_rule
+        {
+        local($target,$files,$dep_libs,$libs)=@_;
+        local($ret,$_);
+        
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($targer);
+        $ret.="$target: $files $dep_libs\n";
+        $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
+        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n\n";
+        return($ret);
+        }
+
+1;
diff --git a/src/lib/libcrypto/util/ssleay.num b/src/lib/libcrypto/util/ssleay.num
index fdea47205d..46e38a131f 100644
--- a/src/lib/libcrypto/util/ssleay.num
+++ b/src/lib/libcrypto/util/ssleay.num
@@ -169,7 +169,7 @@ SSL_add_file_cert_subjects_to_stack     185	EXIST:!VMS:FUNCTION:STDIO
 SSL_add_file_cert_subjs_to_stk          185     EXIST:VMS:FUNCTION:STDIO
 SSL_set_tmp_rsa_callback                186     EXIST::FUNCTION:RSA
 SSL_set_tmp_dh_callback                 187     EXIST::FUNCTION:DH
-SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS,!WIN32:FUNCTION:STDIO
+SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS:FUNCTION:STDIO
 SSL_add_dir_cert_subjs_to_stk           188     NOEXIST::FUNCTION:
 SSL_set_session_id_context              189     EXIST::FUNCTION:
 SSL_CTX_use_certificate_chain_file      222     EXIST:!VMS:FUNCTION:STDIO
diff --git a/src/lib/libcrypto/x509v3/v3conf.c b/src/lib/libcrypto/x509v3/v3conf.c
index 67ee14f334..00cf5b4a5b 100644
--- a/src/lib/libcrypto/x509v3/v3conf.c
+++ b/src/lib/libcrypto/x509v3/v3conf.c
@@ -118,7 +118,7 @@ int main(int argc, char **argv)
                 printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
                 if(ext->critical) printf(",critical:\n");
                 else printf(":\n");
-                X509V3_EXT_print_fp(stdout, ext, 0);
+                X509V3_EXT_print_fp(stdout, ext, 0, 0);
                 printf("\n");
                 
         }